Data Protection and Patient Privacy Policy – Patient Information

Indigo Medical employs more than 40 staff and operates from three sites:

Indigo House, 2-8 Oxford Road, St Helier, Jersey JE1 4HB

Little Grove Clinic, La Rue de Haut, St Lawrence, Jersey JE3 1JZ

Leodis Surgery, La Route des Quennevais, St Brelade, Jersey JE3 8LL

Our Practice is registered with the Jersey Office of the Information Commissioner (JOIC) to process personal and special category information under the Data Protection (Jersey) Law 2018 and our registration number is 68565.

Indigo Medical LLP, referred to as “we”, “us” or “our”, is committed to protecting the privacy, confidentiality and security of your personal information.

This Privacy Notice describes how we collect, use and protect your personal data during and after your relationship with us, in accordance with the Data Protection (Jersey) Law 2018 (“DPJL”).
Indigo Medical LLP is a Data Controller, which means we are responsible for deciding how we hold and use your personal information. We are registered with the Jersey Office of the Information Commissioner (JOIC) under registration number 68565.
We will comply with the Data Protection (Jersey) Law 2018 and its principles, which require that personal information we hold about you is:
Used lawfully, fairly and transparently.
Collected only for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes.
Adequate, relevant and limited to what is necessary for the purposes for which it is processed.
Accurate and, where necessary, kept up to date.
Kept only for as long as necessary for the purposes for which it was collected.
Processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Indigo Medical LLP is required to demonstrate compliance with the Data Protection (Jersey) Law 2018 to both patients and the Jersey Office of the Information Commissioner.

We have appointed a DPM to oversee compliance with the DPJL and this Privacy Notice. Our DPM is Alexandra Dorey, from Propelfwd.
If you have any questions about this Privacy Notice or how we handle your personal customer /supporter information, contact the DPM at indigomedical@indigo.gpnet.je

Personal data (or personal information) means any information about an individual from which that person can be identified. It does not include information where the identity has been removed (anonymous data).

As a healthcare provider, we collect and process both personal data and special category data, including information relating to your physical and mental health.

The types of information we may hold about you include:
• Name (including former names and preferred names)
• Address and contact details (telephone number and email address)
• Date of birth and unique identifiers (e.g. Social Security number)
• Next of kin or emergency contact details
• Bank account details (where applicable for fees or charges)
The kind of special category data we hold about you.
• Medical history, diagnoses, treatment plans and clinical notes
• Test results, investigation reports and observation records
• Correspondence and communications (including emails, letters and call records)
• Family, lifestyle and social circumstances where relevant to care
• Safeguarding information (only when needed)
• Information relating to racial or ethnic origin, religious or similar beliefs, sexual life, and gender identity, (where relevant to your care)

We only collect and use information that is necessary to provide you with safe, effective and appropriate healthcare.

Where services require the collection or use of additional information, we will provide further details at the point of collection.

We collect personal information about you in a few ways.

This may include information:
Provided directly by you when you register with the Practice or attend appointments
Provided by your authorised representative (for example, a parent, guardian or person holding power of attorney)
Received through referrals from other healthcare professionals or organisations
Shared with us by hospitals, specialists, community services or other health and social care providers
Generated during your care (for example, consultation notes, test results, diagnoses and treatment plans)
Obtained through communications with you, including telephone calls, emails, online forms or written correspondence
Some information may also be collected through electronic systems used to manage appointments, prescriptions, test results and other aspects of your care.

We collect and record information to ensure we have a complete and accurate understanding of your health needs, enabling us to provide safe, effective and coordinated care.

Indigo Medical LLP processes and shares patient information in accordance with the Caldicott Principles, which provide a framework to ensure that confidential information is used ethically, lawfully and only when necessary.

When making decisions about the use or sharing of information, we ensure that:
There is a clear and justified purpose
Only the minimum necessary information is used
Access is limited to those who need to know
Confidentiality obligations are understood and respected
The duty to share information for care is balanced with the duty to protect confidentiality
This strengthens your governance posture.

To support safe and effective care, relevant information from your GP record may be made available to authorised healthcare professionals involved in your treatment through shared care systems, including the Summary Care Record.

The Summary Care Record typically contains limited key information such as:
• Your current medications
• Known allergies
• Basic demographic details
Access to this information:
• Is restricted to authorised healthcare professionals who have a legitimate relationship with you.
• Is used only for the purpose of providing direct care.
• Is logged and subject to audit and monitoring.

The purpose of this sharing is to ensure healthcare professionals have access to essential information when making clinical decisions, particularly in urgent or emergencies.

We may communicate with you by telephone, email, SMS text message or other electronic methods where you have provided your contact details.

While we take reasonable steps to protect personal information once it is received, please be aware that electronic communications (particularly email and SMS) are not always secure in transit.
By choosing to communicate with us using these methods, you acknowledge this potential risk. If you have concerns about electronic communications, please inform us, and we can discuss alternative arrangements where possible.

We may use secure automated searches and data extraction tools within our clinical systems to identify patients who are eligible for screening tests, vaccination programmes or preventative healthcare initiatives.

Where appropriate, relevant demographic information may be shared with Health and Community Services to support the administration of these programmes.

You will be contacted directly if you are eligible. Participation in screening or vaccination programmes is voluntary, and you may decline when contacted.

These processes are carried out under lawful bases relating to medical purposes and public health.

Transferring to Another Practice

If you choose to register with another GP or healthcare provider, your medical records will be transferred securely to your new provider in accordance with established procedures.

This transfer ensures continuity of care and the safe management of your treatment.

We will only transfer records where we are satisfied that the request is legitimate and authorised.

Clinical Photography
In some circumstances, we may take clinical photographs or record video or audio as part of your medical record (for example, to document a condition, monitor treatment progress or seek specialist advice).

Where this is necessary for your care, the images or recordings will form part of your confidential medical record and will be stored securely in accordance with the Data Protection (Jersey) Law 2018.

If images are to be used for any purpose other than your direct care (for example, training, teaching or publication), we will seek your explicit consent before doing so.

We will only use your personal information where permitted by applicable law, including the Data Protection (Jersey) Law 2018.

Most commonly, we use your personal information in the following circumstances:

Where it is necessary for medical purposes. This includes using your information to provide healthcare services such as diagnosis, treatment, prescribing, referrals, testing, and ongoing care management. It also includes maintaining accurate medical records, communicating with you about your care, and coordinating with other healthcare professionals involved in your treatment.

Where we need to comply with a legal obligation. This may include circumstances where we are required by law to process or disclose information, for example, when reporting certain infectious diseases, safeguarding children or vulnerable adults, responding to court orders etc

If it is necessary for public health purposes. This may involve processing information to support vaccination programmes, screening initiatives, disease surveillance, and other public health activities in collaboration with Health and Community Services or other authorised bodies.

Where it is necessary for the performance of a task carried out in the public interest. As a primary care provider, we process personal data to deliver healthcare services that form part of the wider health system in Jersey.

We may also use your personal information in the following situations, which are likely to be less common:
Where you have given your explicit consent for us to use your information for a specific purpose. Examples may include participation in research, the use of anonymised case studies for teaching, patient testimonials, or certain non-essential communications.

Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out before the consent was withdrawn.

We will only use your personal information for the purposes for which it was originally collected, namely the provision and administration of your healthcare.

If we need to use your personal information for a purpose that is different but compatible with the original purpose (for example, clinical audit, service improvement, staff training, or regulatory review), we will ensure there is an appropriate legal basis for doing so and that your confidentiality is protected.

We do not sell your personal data, and we will not share your identifiable health information with third parties for marketing, sponsorship, or fundraising purposes.

We do not disclose your personal information without a lawful basis for doing so.

However, we may share your personal information where necessary for the provision of your healthcare, to comply with applicable laws and regulations, or in response to valid court orders, safeguarding requirements, or regulatory requests.

Where personal information is transferred outside Jersey, the United Kingdom, or the European Economic Area (EEA), we ensure that appropriate safeguards are in place to provide a level of protection equivalent to that required under Jersey data protection law.

We operate secure clinical IT systems, access controls, password protection, encryption where appropriate, and physical security measures at our premises to safeguard both electronic and paper records.

All personal information is processed in accordance with our documented policies and procedures and remains subject to a strict duty of medical confidentiality.

We have procedures in place to identify, assess and respond to suspected personal data breaches. Where required by law, we will notify the Jersey Office of the Information Commissioner (JOIC) and, where appropriate, affected individuals.

We retain personal information for as long as necessary to fulfil the purposes for which it was collected, including the provision of healthcare and to satisfy legal, regulatory, accounting and reporting requirements.

As a healthcare provider, we are required to retain medical records in accordance with recognised retention standards. Indigo Medical LLP follows the Information Governance Alliance Records Management Code of Practice for Health and Social Care as a matter of best practice in Jersey, in the absence of equivalent local retention guidance.

You may request further information about our retention periods from our Data Protection Officer.

You may have certain legal rights in respect of the Personal Information, which is processed by Indigo Medical LLP pursuant to DPJL, including.
• The rights of access.
• Right to have your data corrected, updated, rectified or erased.
• Right to data portability
• Right to object to the processing of or restrict the processing of your data.
• Right to withdraw your consent previously given to the processing of your data, and to
• Request the transfer of your data to another party.

Please note that the rights set out above are subject to certain exemptions and conditions. We may decline to comply with any request to access, correct, delete or restrict the use of your information if there is a specific legal ground or exemption.

You have the right to request access to the personal information we hold about you (commonly known as a Data Subject Access Request).

This entitles you to receive a copy of your personal data and to check that we are processing it lawfully. Access to medical records is further explained in our Patient Access to Medical Records Policy.

If you wish to exercise any of these rights, please contact our Data Protection Officer on this email address.

We want to resolve any complaints you have about how we process your information. You have the right to complain to the JOIC about how we have used your data.

Indigo Medical LLP
No. 2, 8 Oxford Road, St Helier, Jersey JE1 4HB Telephone +44 (0) 1534 730541 or email indigomedical@indigo.gpnet.je

Jersey Office of the Information Commissioner
2nd Floor, 5 Castle Street, St Helier, Jersey JE2 3BT
Telephone +44 (0) 1534 716530 or email enquiries@jerseyoic.org