1.2 The Society is registered under the Industrial & Provident Societies Act 1965 - 1978 (Industrial & Provident Societies (Channel Islands) Order 1965 - 1978) and has its registered office at Co-operative House, 57 Don Street, St Helier, Jersey JE2 4TR. The Society is registered with the Mutuals Section of the Financial Conduct Authority in the United Kingdom (Number 14672R). The Financial Conduct Authority acts as registrar for Industrial & Provident Societies (Co-operatives).
1.3 Our medical care services are delivered by our subsidiary Jersey Pharmacy Services Limited (“JPSL”), which has its registered office at Third Floor, 40 Esplanade, St Helier, Jersey JE4 9RJ, registered number 89296.
1.4 JPSL is registered as a data controller with the Office of the Information Commissioner in Jersey, and our registration number is 58834.
2. Data we may collect about you
2.1 We may collect and process personal data about you through various means, including:
- in the course of carrying out your medical treatment
- via our website
- by email
- by telephone
- by fax
- by operating security policies and procedures at our premises (e.g. by virtue of our access to CCTV footage recorded at our premises)
- otherwise through the provision of our medical care services
2.2 The personal data we will ask you to provide will include:
- your name and title
- contact information, including telephone number, postal address, e-mail address
- your previous home address (if you have bee at your current home address for less than three years
- your identification records (e.g. passport, driving licence and utility bill)
- your date of birth
- your emergency contact information, including telephone number, postal address and email address
- your private medical insurance details if applicable
- your employer
- your medical history and your family’s medical history
- your clinical information
- your previous and/or existing General Practitioner’s details
- your parent, or legal guardian’s identity and contact information where applicable
- any banking, payment or financial information, where applicable
- the content of any enquiry submitted over our website
2.3 Each time you visit our website, we may automatically collect the following information:
- Web usage information (e.g. IP address), your login information, browser type and version, time zone setting, operating system and platform
- Information about your visit, including the full Uniform Resource Locators (URLs) clickstream to, through and from our website (including date and time), time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs)
- Location, device and demographic information (Google Analytics provides age range and gender information and www.google.je provides more details about how Google collects demographic data).
2.4 We may ask you for information when you report a problem with our website.
2.5 If you contact us, we may keep a record of that correspondence.
4. How we will use your data
4.1 We will store and use the data you provide us or which we collect, in order to carry out the activities necessary to the provision of our medical care services. We will only do this to:
- respond to any query that you may submit to us
- manage our relationship with you, including by maintaining our database of patients and relevant third parties for administration, and accounting and relationship management purposes
- complete our contractual obligations to you
- ensure that our website’s content is presented in the most effective manner for you and your device
- administer our website for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey responses
- allow you to participate in interactive features on our website when you choose to do so
- support our efforts to keep our website safe and secure
- ensure we appropriately administer any attendance or visits to our premises
- comply with any other professional, legal and regulatory obligations which apply to us or policies that we have in place
- prevent illegal activity or to protect our legitimate interest
4.2 We will not use your personal data, including any special category data in any automated decision-making process without your consent.
5. Legal grounds for processing your information
5.1 We will rely on the following legal bases under the Data Protection Law for processing your personal data:
- Article 9 and Schedule 2 - Section 15 of the Data Protection Law
Article 9 and Schedule 2 - Section 15 of the Data Protection Law permit the processing of personal data and special category data for ‘medical purposes’, which includes the purposes of:
i. preventative medicine
ii. medical diagnosis
iii. medical research
iv. the provision of care and treatment
v. the management of healthcare services
vi. occupational healthcare
vii. the assessment of the working capacity of an employee
- Performance of, or entry into, a contract
The personal data that we are required to collect in order to comply with our contractual obligations must be provided to us in order for us to meet our contractual obligations to you.
- Compliance with a legal obligation to which we are subject
The personal data we are required to provide to regulatory bodies and Government agencies and officials including, but not limited to, the Health and Social Services Department.
- Legitimate interests in doing so as a medical services provider
Where our legitimate interests are not overridden by your, or the relevant individual’s, own interests or fundamental rights or freedoms. These legitimate interests will include our interests in managing our relationship with our clients, administering visits to our premises and ascertaining achievement of proper standards and compliance with policies, practices or procedures.
6. Marketing Communications
6.1 We will only send you brochures describing our services if you ask for them.
6.2 We will only send you marketing communications if you have consented to receive them by expressly consenting to receive such materials when completing your Patient Registration Form requesting our services. You do not have to agree to receive marketing communications from us in order to receive any of our services.
6.3 We will never sell or share your data with third parties for marketing purposes.
7. Who will have access to your data within the business?
7.2 We take your privacy seriously and have implemented appropriate physical, technical and organisational security measures designed to secure your personal data against accidental loss, destruction or damage and unauthorised access, use, alteration or disclosure.
8. Who else might we share your data with?
8.2 We may share your personal data with the following third parties who assist us with administering the provision of our services to you:
- your selected contacts
- medical practitioners
- the Jersey Ambulance Service
- the Health & Social Services Department
- the office of the Superintendent Registrar
- the Viscount’s Department
- the applicable Parish Office
- the Police
- our bank
- our insurers
- credit referencing agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you, or debt collection agencies, if necessary
- our debt collection agencies, if necessary
- companies or other bodies who provide services to us, for example, hospital, suppliers who support our information technology systems, or our auditor and professional advisor
- our website platform provider
- our data processors providing information security, email security, data governance, archiving and other IT and business support services analytics
- search engine providers that assist us in the improvement of our website
- any third party you ask us to share your data with
8.4 If a business transfer or change of business ownership takes place or is envisaged, we may transfer your personal data to the new owner or a prospective new owner. If this happens, we will inform you of this transfer.
8.5 We may transfer your personal data about you between Jersey and Guernsey. As Jersey and Guernsey are not within the European Economic Area (EEA) we may therefore transfer personal information about you outside the EEA. To ensure that your personal information receives an adequate level of protection we will put in place appropriate measures to ensure that your personal information is treated by those third parties in a way that is consistent with and which respects the Data Protection Laws in both jurisdictions.
8.6 We may share some broader statistics and customer profiling information with third parties and other entities owned by the Society, but all such data will be anonymised, so you would not be identifiable from that data. We will not rent or sell your details to any other organisation or individual.
9. How do we protect your data?
9.1 We take your privacy seriously and are committed to maintaining the privacy and security of the personal data you provide to us, and the choices you have regarding our collection and use of your personal data.
9.2 We follow strict security procedures as to how your personal data is stored and used, and who sees it, to help stop any unauthorised person getting hold of it. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access. Details of these measures are available upon request. The possible sharing of your “special category” medical, clinical and healthcare related personal data (see section 5.1 above) is protected by additional safeguards, as required by the Data Protection Law.
9.3 We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
9.4 Unfortunately, the transmission of your personal data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted to us over the internet and you acknowledge that any transmission is at your own risk.
9.5 Our website may, from time to time, contain links to and from the websites of advertisers and partners. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
10. How long do we keep your data?
10.1 We will keep your personal data for no longer than is necessary for the purposes we have set out above.
10.2 We will keep your personal data for ten (10) years after the year in which we have provided our services to you, or have last interacted with you.
10.3 If we are required by law to keep any of your personal data for longer, we will only keep such data for as long as the law says we must.
10.4 The third parties we engage to provide services on our behalf will keep your data no longer than the periods set out above. If we end our relationship with any third party providers, we will make sure they securely delete or return your personal data to us.
10.5 We may retain personal data about you for statistical purposes. Where data is retained for statistical purposes it will always be anonymised meaning that you will not be identifiable from that data. We may also retain basic information about you and the services provided for a further ten (10) years after we have provided our services to you, so that we can provide appropriate care and consideration to related persons who may contact us in the future.
11.What are your rights?
11.1 You have a number of rights in relation to your personal data under the Data Protection Law. There are circumstances in which your rights may not apply. You have the right to request that we:
- provide you with a copy of the information we hold about you
- update any of your personal information if it is inaccurate or out of date
- delete the personal data we hold about you, if we are providing services to you and you ask us to delete personal data we hold about you then we may be unable to continue providing those services to you
- restrict the way in which we process your personal data
- stop processing your personal data if you have valid objections to such processing
- transfer your personal data to a third party
11.2 We will ask you to provide proof of identity before we show you your personal information. This is so that we can prevent unauthorised access.
11.3 For more information on your rights and how to exercise them, or if you would like to make any of the requests set out above, please contact us using the contact details provided below. We will respond to all such requests within the time period required by Data Protection Law.
12. Who can you ask for more information?
We are data controllers because we collect personal data about you and determine how and why it will be used. If you have any questions or concerns about how we handle your personal data, you can contact us using any one (or more) of the following:
Data Protection Officer
The Channel Islands Co-operative Society
57 Don Street
Telephone: 01534 879822
Exercising my rights:
To exercise your rights under the Data Protection Law please go to our Enforcing your rights section of the website.
If you are unsatisfied with our response to any data protection issues you raise with us, you have the right to make a complaint to the Office of the Information Commissioner in Jersey or the Office of the Data Protection Commissioner in Guernsey.
You can contact them as follows:
Office of the Information Commissioner
Tel: 01534 716530
Date of Issue: 15th May 2018
Effective From: 25th May 2018