- Introduction
New Alliance Medical Suite (NAMS) is committed to ensuring the privacy and confidentiality of the personal data it collects, stores, and processes in accordance with the **Data Protection (Jersey) Law 2018** and other applicable data protection legislation. This policy outlines how NAMS ensures compliance with data protection laws in Jersey, and how it safeguards the personal data of patients, staff, and other stakeholders.
- Purpose
The purpose of this policy is to:
- Ensure compliance with the Data Protection (Jersey) Law 2018.
- Protect the rights of patients, staff, and other individuals whose personal data is processed by NAMS.
- Set out the principles by which NAMS processes personal data.
- Provide guidance to staff on the secure and responsible handling of personal data.
- Ensure that data breaches are prevented, identified, and managed appropriately.
- Scope
This policy applies to:
- All personal data processed by NAMS, including patient data, staff records, and other stakeholder information.
- All staff, including clinical and non-clinical personnel, contractors, and any third parties who process personal data on behalf of NAMS.
- All data processing activities, including the collection, storage, use, sharing, and disposal of personal data.
- Definitions
4.1. Personal Data
Personal data refers to any information that can directly or indirectly identify an individual, including names, contact details, medical records, financial information, and employment details.
4.2. Special Category Data
Special category data includes sensitive information such as health records, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, and genetic or biometric data. This type of data requires a higher level of protection.
4.3. Data Controller
NAMS is the data controller, meaning it determines the purpose and means of processing personal data.
4.4. Data Processor
A data processor is an individual or organisation that processes personal data on behalf of NAMS.
4.5. Processing
Processing refers to any operation performed on personal data, including collecting, recording, organising, storing, using, disclosing, or erasing data.
- Data Protection Principles
NAMS is committed to adhering to the following data protection principles set out by the Data Protection (Jersey) Law 2018:
5.1. Lawfulness, Fairness, and Transparency
Personal data must be processed lawfully, fairly, and transparently. Individuals must be informed about how their data is collected, used, and shared, and the lawful basis for processing it must be clear.
5.2. Purpose Limitation
Personal data must be collected for specified, explicit, and legitimate purposes, and not further processed in ways incompatible with those purposes.
5.3. Data Minimisation
Personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
5.4. Accuracy
Personal data must be accurate and kept up to date. Any inaccurate data should be corrected or erased without delay.
5.5. Storage Limitation
Personal data must not be kept longer than necessary for the purposes for which it was collected. When data is no longer required, it should be securely deleted or anonymised.
5.6. Integrity and Confidentiality
Personal data must be processed in a way that ensures its security, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.
5.7. Accountability
NAMS must be able to demonstrate compliance with the data protection principles and ensure that all appropriate measures are in place to safeguard personal data.
- Categories of data held
NAMS holds the following personal information on file for patients who have undergone procedures at the Suite:
- Full name
- Date of Birth
- Sex/Gender Preference
- Full address
- Telephone number(s)
- Email address
- Insurance details (company, membership number and authorisation code)
- Name and OCS code of any procedures undertaken on that patient
Beyond the name and code of any procedures undertaken, NAMS does not hold detailed medical or other special category information on patients. Such information is held by the individual practitioners who undertake consultations or procedures at the Suite, and it is via those practitioners that the Suite obtains its information on patients.
NAMS does not hold any banking or financial information on patients.
NAMS does not hold any passwords or login credentials relating to patients.
- Purpose of holding information
NAMS holds and processes patient information purely for the purpose of invoicing patients or their health insurance company for consultations or procedures undertaken at the Suite. It is not used for any other purpose and will never be used for marketing.
- Third party information sharing
NAMS will only pass on patient information to third parties when:
- legally required to do so, or
- requested by the patient's health insurance company for the purpose of verifying claims.
- Consent
Where consent is required to process personal data, NAMS will ensure that:
- Consent is freely given, specific, informed, and unambiguous.
- Individuals are fully informed of the reasons for data collection and how their data will be used.
- Consent can be withdrawn at any time, and individuals are informed of how to do this.
- Records of consent are maintained.
- Rights of Individuals
Under the Data Protection (Jersey) Law 2018, individuals have the following rights regarding their personal data:
8.1. Right to be Informed
Individuals have the right to be informed about how their personal data is collected, used, and shared. NAMS will provide clear and transparent privacy notices explaining these processes.
8.2. Right of Access
Individuals have the right to request access to the personal data NAMS holds about them. NAMS will respond to subject access requests without undue delay and at the latest within four weeks of receipt, as the Law requires, and will provide copies of the data unless an exemption applies.
8.3. Right to Rectification
Individuals have the right to have inaccurate or incomplete personal data corrected or completed.
8.4. Right to Erasure
Individuals have the right to request the deletion of their personal data, where there is no lawful basis for NAMS to continue processing it (also known as the right to be forgotten).
8.5. Right to Restrict Processing
Individuals have the right to request the restriction of processing of their personal data in certain circumstances, such as when the accuracy of the data is disputed.
8.6. Right to Data Portability
Where applicable, individuals have the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another data controller.
8.7. Right to Object
Individuals have the right to object to the processing of their personal data for certain purposes, including direct marketing and processing based on legitimate interests.
- Data Security
NAMS will implement appropriate technical and organisational measures to protect personal data, including:
- Secure storage of personal data, whether in electronic or paper form.
- Access control measures to ensure that only authorised personnel have access to personal data.
- Encryption of sensitive data where appropriate.
The personal information held by NAMS is stored on a commercial electronic patient record (EPR) hosted in the cloud and accessed only by the two partners of the Suite, via a central computer protected by two-factor authentication. Limited information (name, date of birth, address, procedures undertaken and health insurance membership details) is also carried on the patient invoices, which are passed directly into, and stored on, the Suite's book-keeping/accounting software (xero.com). The business accountant will have access to that information; under the definitions in this policy that access is itself processing, and the accountant, like the providers of the EPR and accounting software, acts as a data processor on behalf of NAMS.
Detailed personal information may be processed within the Suite by individual practitioners, but the Suite will not have access to that more detailed information. It is the responsibility of the individual practitioners to ensure that any detailed patient information they hold is safeguarded and protected in accordance with the Law whilst being accessed on site at the Suite. Where that information is processed in hard copy (letters, reports, referrals, etc.), it is the responsibility of the individual practitioner to ensure that the hard copy is stored or disposed of appropriately. NAMS will provide a paper shredder for the purpose of destroying confidential waste.
- Data Breach Management
In the event of a personal data breach, NAMS will:
- Investigate the breach and take immediate steps to contain and mitigate the impact.
- Notify the Jersey Office of the Information Commissioner (JOIC) within 72 hours of becoming aware of the breach, where it poses a risk to the rights and freedoms of individuals, using the JOIC Breach Report Tool.
- Inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms.
- Document all breaches, regardless of severity, including the facts relating to the breach, its effects, and remedial actions taken.
- Data Retention and Disposal
The information held on patients by NAMS will be retained on the EPR system until either:
- the patient requests deletion of their data, or
- the Suite learns of the death of the patient,
after which it will be securely deleted or anonymised in line with the storage limitation principle (5.5).
The justification for retaining information indefinitely is that, by the nature of healthcare, patients frequently require multiple attendances and procedures over a long period of time and it is more efficient to retain and confirm/update the information at each re-attendance than to complete it de novo.
Paper records will be shredded once scanned into the Electronic Patient Record.
- Training and Awareness
All healthcare staff at NAMS will have received training on data protection and information security through their primary institutions, ensuring that they are aware of their responsibilities under the Data Protection (Jersey) Law 2018. They will undertake regular refresher training to ensure their knowledge on the subject is kept up-to-date.
- Monitoring and Review
This policy will be reviewed at least every three years, or sooner if there are changes in data protection legislation or guidance from the Jersey Office of the Information Commissioner (JOIC).
- Conclusion
New Alliance Medical Suite is committed to protecting the personal data of its patients, staff, and stakeholders, ensuring that all data is processed lawfully, fairly, and securely. By adhering to the principles outlined in this policy, NAMS will maintain the highest standards of data protection in compliance with the Data Protection (Jersey) Law 2018.