At St John we take your privacy very seriously and are committed to protecting the security of your personal information.
This Policy explains how we, The Commandery of the Bailiwick of Guernsey of the Most Venerable Order of the Hospital of St John of Jerusalem (“we” or “The Commandery”), and our affiliated companies, St John Guernsey LBG (SJG), St John Ambulance and Rescue Service (SJARS) (trading as St John Emergency Ambulance Service) (SJEAS) , St John Commercial Services(SJCS) (trading as St John Training Services and St John Healthcare Shop) and St John Property Services may collect, use and retain the information you give us, the conditions under which we may disclose it to others and how we keep it secure.
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. We recognise the rights you have over your data. We respect those rights and are committed to safeguarding your privacy. By using our website, you agree to be bound by this Policy.
- WHO WE ARE
The Commandery of St John is a registered charity in the Bailiwick of Guernsey (charity number CH469). We are also a company limited by guarantee (company number 55251) and have wholly-owned trading subsidiaries, St John Guernsey, a registered charity in the Bailiwick of Guernsey (charity number CH121). St John Guernsey is also a company limited by guarantee (company number 55259). St John Commercial Services (company number 46097), which is known as Training Services and Healthcare Shop. St John Property, which is a company limited by guarantee (company number 64391). St John Ambulance & Rescue Service, a registered charity in the Bailiwick of Guernsey (Charity number CH227) and whose company number is 35886 (also trading as St John Emergency Ambulance Service). All companies act as data controllers however St John Guernsey processes data on behalf of The Commandery, St John Commercial Services and for the Emergency Ambulance Service.
The St John Emergency Ambulance Service processes data on behalf of St John Ambulance & Rescue Service and for St John Guernsey.
- WHAT TYPE OF PERSONAL INFORMATION IS COLLECTED FROM YOU
The personal information we collect from you is limited to what is necessary to enable us to carry out the purposes for which it is collected. The type of personal information we collect depends on the context of your interactions with St John and the choices you make, including your privacy settings.
The data we may collect, store and use can include the following:
- If one of our First Aiders, Community First Responders or SJEAS ambulance clinicians attends to you within Guernsey or the other islands within the Bailiwick, we will collect information about you to help us identify and treat you. This will be recorded on a Patient Report Form or other form of patient clinical record along with details of your symptoms and condition and any treatment we give you.
- SJEAS provides a Non-Emergency Patient Transport Service within the Island of Guernsey. We collect information about you and keep records about the service we provide, for example where we will be transporting you to and some details about your circumstances.
- Name and contact information. We may collect your first and last name, title, job title and company name, email address, postal address, phone number and other similar contact data.
- Passwords, password hints and similar security information for authentication and account access.
- Payment information. We collect data necessary to process your payment if you purchase one of our goods or services or make a donation, such as your payment instrument number (such as a credit card number or bank account number) and the security code associated with your payment instrument.
- Any personal information which you choose to provide us with in correspondence with you.
- Photographs, videography and CCTV footage.
- Your I.P. address (or Internet Protocol Address). This is a unique address that computing devices such as personal computers, tablets, and smartphones use to identify itself. An I.P. address is analogous to a street address or telephone number and could therefore be used to identify you.
- We may collect other online identifiers including cookies information (for more information please see section 11), the internet browser and devices you are using and the pages you visited on our website and how long you visited us for.
You have choices about some of the personal information we collect. When you are asked to provide personal information, you may decline. Please note that if you choose not to provide personal information that is necessary to enable us to carry out your request (e.g. to donate to St John; for information about St John; to purchase one of our products or services) we may not be able to fulfil that request.
We may provide links via St John websites to other websites or you might independently visit the website of a third party who provides services on our behalf. The privacy practices of these third-party websites are outside of our control and in these cases, you should check the privacy notices of any third-party websites before disclosing any personal information.
- HOW WE COLLECT YOUR PERSONAL INFORMATION
There are various ways you might share your personal information with St John, depending on how you interact with us. At present we offer the following channels of communication (though not all may be available to you and will depend on the reason for your contact with us):
- Patient contact
- Websites- online forms
- Paper forms
- Face to face
For instance, if you are attended to by any of our First Aiders, Community First Responders or professional Ambulance clinicians, we will obtain information about you which will help us identify and treat you. We will record details of this contact on a Patient Report Form or other patient clinical record along with details of your symptoms, condition and any treatment given.
The above information is also used to determine the level and cost of the service rendered to you and to what extent you are liable for those costs. Information provided by persons who subscribe to our annual membership scheme is only used by the Service to establish a person’s entitlement or otherwise to free services under that scheme.
We have a legal duty to keep your information confidential, accurate and secure at all times, in line with data protection legislation. Our staff are trained to handle your information correctly and protect your privacy. We aim to maintain high standards, adopt best practice for record keeping and regularly check and report on how we are doing. Your information is never collected for direct marketing purposes and is not sold to any other third party.
If you make a complaint or an enquiry about the service we have provided or have contact with us about another matter, we will keep a record of all the relevant details in a file for case management purposes. In some cases, we may need to obtain information from the hospital or destination we conveyed you to in order to investigate a complaint or deal with an enquiry.
You might provide personal information when donating to us through our website, by text, by telephone or by completing a direct debit form which you send to us by post.
You might send us an e-mail requesting support with a product or service, and personal information might be collected by us to enable us to deal with your enquiry.
When you call us via one of our publicised contact telephone numbers, the phone call will start with a message that you may be recorded. As the caller you will be able to terminate the call if you do not give your consent to this. If you were to contact us via an ex-directory number, which normally only the Emergency Services would have access to, we will endeavour to let you know it is a recorded line at the start of the phone call in all none emergency related situations.
Some of our premises and vehicles are monitored by CCTV and footage may be captured for security and safety purposes.
- First Aiders, medical persons or other such people who may provide initial patient treatment or care prior to the arrival of St John personnel or ambulance clinicians who will continue your treatment or care.
- Someone who may have nominated you for an award.
- Someone who may post a photograph or information relating to you to our social media platforms.
- Partners with which we offer co-branded services or engage in joint marketing activities.
- Publicly-available information such as newspaper or online media items; public posts on LinkedIn or social media; open government databases such as the Guernsey Registry; databases of grant-funding opportunities and other data in the public domain.
- HOW WE USE YOUR PERSONAL INFORMATION
There are various ways in which we may use or process your personal information. We list these below and the legal basis we rely on in each case.
Where you have provided your consent, we may use and process your personal information to:
- Provide you with a medical diagnosis and treatment.
- Contact you from time to time about our campaigns, activities, ways you can support St John (such as volunteering opportunities and fundraising appeals), events, products, services, youth programmes or information and know-how which we reasonably think may be of interest to you. Please be assured that we will not spam you and such communications will be aligned to the consent you have given us.
- Promote St John campaigns, activities, ways to support St John (such as volunteering opportunities and fundraising appeals), events, products, services, youth programmes or information and know-how, using a review you have written, a case study about you, photograph or video footage featuring you (or a child aged under 13). These may be featured in social media, printed and digital media, television and radio communications.
- Set up and administer a membership for our Cadets or Badgers programmes in relation to a person aged under 18.
You can withdraw your consent at any time by contacting us using the details provided within section 13 below using guidelines as set out in section 5 ‘Your Right to Withdraw Consent to Processing of Personal Information’.
We may use and process your personal information to perform a contract with you (or a contract made with someone else which requires us to provide goods or services to you, such as a training course) and to fulfil and complete your orders for goods, services, venue hire, and other transactions entered into with us.
We may use and process your personal information where it is necessary for us to carry out activities which are in our legitimate interests as a charity. The main legitimate interests we rely on are:
- to fulfil the charitable purposes of St John by fundraising through donations, events, sales of supplies and training courses and by sustaining and raising the profile of our organization through careful marketing and other activities.
- to operate lawfully and effectively and to administer all aspects of our business as a charity.
- to offer and provide First Aid and medical support, including treatment and diagnosis, either as part of our business of providing such support at various events that we are requested to attend or as a result of one of our Community First Responders responding to an emergency.
- to provide an Emergency Ambulance Service.
- to provide a Non-Emergency Patient Transport Service.
Processing donations and legacies
We will process your personal information to fulfil your request to make either a one-off or regular donation to us and to carry out reasonable administration of your donation, which could include thanking you and confirming your direct debit details with you. We will also process personal information where reasonably required to administer a legacy that has been left to St John.
Processing membership subscriptions
We will process your personal information to fulfil your request to pay for a membership of our Cadet or Badger programmes relating to a child under 18 and to carry out reasonable administration of their membership, including communicating with you about activities, camps and training.
We will process your personal information to fulfil your request to pay for the SJEAS ambulance subscription scheme that can be renewed annually.
Supporting customers and supporters with requests for information
We will process your information to fulfil your request for information about becoming a supporter (for example, a volunteer or donor), campaigns, activities, events, products, services, youth programmes or information and know-how.
Supporting customers with orders of first aid supplies, booking training courses and other enquiries
We will process your personal information to respond to any correspondence you send us and fulfil the requests you make to us, both before and after purchase. We will also process your personal information to carry out reasonable administration of your order or booking.
Processing necessary for us to understand and respond to customers’ and supporters’ needs
We may process personal information to analyse, evaluate and improve your customer/supporter experience of our services and web-site and to improve our products and services (we will generally use data amalgamated from many people so that it doesn’t identify you personally).
You may choose to give us feedback on any of your experiences with St John and your feedback together with any personal information you provide will enable us to analyse, evaluate and improve your customer/supporter experience and to respond to you as appropriate.
We may undertake market analysis and research (including contacting you with customer / supporter surveys) so that we can better understand you as a customer / supporter and provide tailored information, products and services that we think you will be interested in. We will only send marketing communications to you if you have provided your consent for us to do so or in certain cases, if we have a legitimate interest in doing so.
Processing necessary for us to promote our business, products and services and measure the reach and effectiveness of our campaigns
We may send you marketing information from time to time after you have purchased a product or service from us or made a purchasing enquiry, closed your browser with items in your shopping basket or requested other information of interest in a business context. We will only contact you with information about our own products, services and any other information we believe may be of interest to you (and in ways the law allows), which we hope you will like. You have the right to object to us sending you this information at any time. Please see section 10 for information on how to do this: ‘Your Rights in Connection with Personal Information’.
We may also contact you from time to time with marketing information (unless you object) if you are acting on behalf of a business or where we have obtained your business contact details via a public business directory. In relation to any such information we send by email or SMS, we will include an option allowing you to object to receiving future messages by unsubscribing.
We may contact you with targeted advertising delivered online through social media and other platforms operated by other companies, unless you object. You may receive advertising based on information about you that we have provided to the platform or because, at our request, the platform has identified you as having similar attributes to the individuals whose details it has received from us. To find out more, please refer to the information provided in the help pages of the platforms on which you receive advertising from us.
We may process your personal information to administer competitions, promotions, lotteries or raffles that you enter with us from time to time and to distribute prizes.
We may use photographs or video footage which feature you, but which do not identify you by name, to promote St John.
Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively
We may have to share your personal information with third parties, as described in section 6 ‘Data Sharing’.
We may have to verify the accuracy of information that we hold about you and create a better understanding of you as a customer/supporter.
We may process your personal information for network and information security purposes, for example, for us to take steps to protect your information against loss, damage, theft or unauthorised access.
We may process your personal information to comply with a request from you in connection with exercising your rights. For example, where you have asked us not to contact you for marketing purposes.
We may process your personal information to inform you of updates to our terms and conditions and policies.
Processing necessary to protect our premises, property and people
We may process personal information for crime prevention and detection purposes and to keep our people safe. For example, some of our premises have CCTV cameras and CCTV is also installed on certain vehicles including some ambulances.
We may process your personal information to comply with our legal requirements (for example, to contact you if there is an urgent safety or product recall notice and we need to tell you about it).
Other grounds for processing
Sometimes we will need to process your personal information if, for example, there is an urgent safety or product recall notice and we or the manufacturer of the product needs to tell you about it. Sometimes we will need to process your personal information for life saving medical diagnosis and treatment purposes.
Processing necessary to assist with clinical treatment and care planning
The St John Emergency Ambulance Service may use photography/video of injuries, clinical signs or environments to assist with clinical treatment and care planning. St John Emergency Ambulance Service also shares clinical parameters and recordings via telemetry with other health care professionals.
Change of purpose
We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal information without your knowledge or consent, in accordance with this Policy, where this is required or permitted by law.
- YOUR RIGHT TO WITHDRAW CONSENT TO PROCESSING OF PERSONAL INFORMATION
If you have consented to the collection, processing and transfer of your personal information for a specific purpose(s), you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact the Data Protection Officer as set out in section 13.
As quickly as possible and in any event within 30 days of receiving notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to (unless we have another legitimate basis for doing so in law).
The withdrawal of your consent will not affect the lawfulness of our processing based on your consent before you withdrew your consent.
- DATA SHARING
We will not sell or rent your information to third parties.
We may have to share your data with third parties, as described below. If we do, you can expect a similar degree of protection in respect of your personal information to that provided by us. We require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions.
Your personal details and health information may be given to other people who need to know relevant information about your health e.g an individual or organisation involved with the continuation of your care as part of your treatment such as ambulance personnel, another healthcare professional such as a Doctor or Nurse, or a Carer, a Home Help, or a Social Worker. In some circumstances we may also recommend passing your details on to a hospital falls team or a Diabetic Nurse Specialist to assess whether they can offer you support that may help to prevent a similar situation arising again. In such circumstances we will only share your information with your prior written consent.
The St John Emergency Ambulance Service is contracted by the Committee for Health & Social Care (HSC) to provide ambulance services in the Bailiwick of Guernsey. Occasionally we are asked by HSC to provide anonymised information about incidents attended so that they can identify and provide more appropriate care pathways for patients and data is also shared for audit purposes. There are strict control measures in place to ensure that any information we share is only passed to the person who has a right to see it.
Occasionally we may undertake a patient experience survey. Survey forms may be sent with patient accounts and in the case of those who subscribe to our membership scheme we will write or email separately with a survey form.
Records of the treatment and services we provide are retained securely for reference and to enable us to monitor how effective we are at providing our various services.
We will not disclose your information to third parties except:
- when a serious crime has been committed;
- when there are serious risks to the public or other health care staff;
- to protect children or vulnerable adults who are unable to decide for themselves whether their information should be shared;
- where the law requires information to be passed on; for example: where a court order directs us to do so;
- as indicated above, where your personal details and health information may be given to other people who need to know relevant information about your health with your prior consent.
When we pass on any information we will ensure that the recipient is aware that it must be kept confidential and secure and in accordance with data protection legislation.
We may pass your personal information to our third-party service providers, including contractors and designated agents and other associated organisations for the purposes of completing tasks on our behalf (e.g. to process donations and payments, to fundraise, send you St John communications, to supply you with goods and services, to resolve product queries or issues and to assist us with marketing analysis). However, when we use third party service providers, we disclose only the personal information that is reasonably necessary to deliver the service.
We may share your personal information with our parent charity, The Priory of England and the Islands of the Most Venerable Order of the Hospital of St. John of Jerusalem whose registered office is St John’s Gate, St John’s Lane, London EC1M 4DA (charity number 1077265) as well as St John Ambulance in the UK, a company limited by guarantee (company number 3866129) whose registered office is at 27 St John’s Lane, London, EC1M 4BU (registered UK charity number 1077265-1) where reasonably necessary.
We pass certain performance related information to HSC as part of our contractual agreement with them, as commissioners of ambulance services. This enables them to monitor our contribution to the standard of care we provide in support of their mandate. We only supply information that is needed for these purposes and in most instances, it is statistical data.
We will sometimes be asked to share information with other organisations e.g. the Joint Emergency Services Control Centre. We will always ensure that a formal agreement is in place detailing what information will be used for and how it will be kept secure and confidential. These agreements are reviewed on an annual basis.
Data transfers to Non-Equivalent Countries
There may be some instances where your personal information is processed or stored outside of the EU. In those instances, we will ensure that appropriate safeguards are in place for that transfer and storage as required by applicable law.
St John also operates in the Bailiwick of Jersey and in the Isle of Man, each of which are outside of the EU. Personal information provided to St John may be given to our local offices in those territories and stored in data retrieval systems in the territory, but only when you request information or services relating to our operation in those territories. There is an adequacy decision by the European Commission for these countries, which means that they are deemed to provide an adequate level of protection for your personal information.
- HOW LONG WE KEEP YOUR PERSONAL INFORMATION FOR
We will only retain your personal information for as long as necessary for the purposes we collected it for, as set out in our Data Retention Schedule, including for the purposes of satisfying any legal, accounting or reporting requirements. To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.
For further information about the retention period in a particular case, please contact our Data Protection Officer, contact details are in section 13 of this document.
- HOW WE KEEP YOUR DATA SAFE
St John would like to reassure you that we use appropriate security measures to protect your personal information against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures may include, but are not limited to, a range of organisational safeguards such as staff training, duties of confidentiality and the following technical safeguards listed below. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach, where we are legally required to do so;
- Encryption is the process of converting data to an unrecognizable or “encrypted” form. This means that only the sender and intended recipient can view it in a meaningful way. If the encrypted data is stolen, it should not be possible to change it back to readable data.
- Pseudonymisation changes data that can be used to identify a person into data that can’t be used to identify a person. This is done by replacing the data that can be used to identify someone with other data, for example, changing someone’s date of birth to dd/mm/yyyy.
- Certification from third parties. We engage security experts to test or confirm that our systems meet relevant security standards.
- Secure log on/authentication. As well as requiring staff to enter usernames and passwords, our systems also check that a particular computer or program is authorised to access and manipulate data before allowing it to do so.
- Access controls and role-based access controls. Staff are prevented from accessing our systems unless they enter their user name and password. In addition, we restrict whose personal data each user can access depending on their role at St John and individual data files are password protected. We also limit access to your personal information to those agents, contractors and other third parties who have a business need to know. Everyone with access to your personal information are subject to a duty of confidentiality and will only process your personal information on our instructions.
- Data back-up and restoration. We regularly back-up our systems and data which means that we can restore or recover the system and data from a back-up file.
We regularly review our procedures both internally and with our external I.T. support contractors and suppliers. As such we may update our security measures and as such this policy as well to inform you of these changes and the steps we take to keep your data secure.
All health-related organisations have a legal duty of confidence to their patients and the Data Protection (Bailiwick of Guernsey) Law, 2017 further defines how we can collect and handle personal information.
The National Health Service (NHS) also has an additional set of guidelines, known as the Caldicott principles, which apply to the use of patient information. All NHS organisations are required to appoint a Caldicott Guardian to ensure patient information is handled in accordance with legal and NHS regulations. In accordance with that recognised best practice, the St John Emergency Ambulance Service has an appointed Caldicott Guardian.
We will seek your consent before we release information that identifies you to any third party for any other reason than those set out in this guidance and the regulations. We will not pass information that identifies you to another person or organisation (including friends or relatives) without your knowledge or permission unless we have an overriding legal duty to do so.
Ambulance clinicians may need to copy patient report forms they have completed for their training but they will redact information that could identify you before they do this. Anonymised information from patient report forms is also used for internal audit purposes.
Our clinical practitioners have a duty to participate in clinical audits and to contribute to clinical outcome reviews. If such an audit is carried out by the clinician(s) that provided your care or those working to support them we will, wherever practical, seek to anonymise your information. When that is not practical, or would otherwise undermine the purpose of the disclosure, your personal information may be disclosed on the basis of implied consent but it is your right to object to your information being disclosed in this manner.
We retain patient clinical records for up to 25 years, depending on the age of the patient at the time of treatment. Other records that may contain information about you are kept for varying lengths of time, up to 10 years.
- CHANGES TO YOUR PERSONAL INFORMATION
Please let us know if your contact information changes so that we can ensure that our records are accurate and up to date. You can request that we change your contact details by contacting our Data Protection Officer whose contact details are in section 13 of this document.
- YOUR RIGHTS IN CONNECTION WITH PERSONAL INFORMATION
By law you have the right to:
- Request access to your personal information. This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it. Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. Request erasure of your personal information (this does not apply to medical records). This enables you to ask us to delete or remove personal information where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please send a written request to our Data Protection Officer whose contact details are in section 13 of this document.
We will ask you for information to confirm your identity and, where applicable, to help us search for your personal information. Except in rare cases, we will respond to you within 30 days after we have received any request (including any identification documents requested).
Our cookies don’t store sensitive information such as your name, address or payment details: they simply hold the ‘key’ that, once you’re signed in, is associated with this information.
You can restrict, block or delete cookies from St John at any time through your browser. Each browser is different, so check the ‘Help’ menu of your particular browser (or your mobile phone’s handset manual) to learn how to change your cookie preferences.
More information about cookies and how to control how they are set can be found at www.allaboutcookies.org
- COMPLAINTS AND ENQUIRIES
Files relating to complaints or enquiries will only be seen by the staff who are dealing with the matter. Instances may arise whereby we are asked for information about the service we provided to you by another organisation investigating a complaint or enquiry you have made to them, or if you are pursuing a legal claim against them.
- ORGANISATION CONTACT
If you would like to make an enquiry or complaint please submit your request in writing to the Data Protection Officer in the first instance. If you are then still unhappy with the outcome you do have the right to contact the Data Protection Authority, the Guernsey supervisory authority for data protection issues. The contact details for both the Data Protection Officer for St John Guernsey and for the Office of the Data Protection Authority (the data protection regulator in Guernsey) are below:
Data Protection Officer
By post: Data Protection Officer, St John Ambulance Guernsey, St John Headquarters, The Rohais, St Peter Port, Guernsey, GY1 1YN
By email: DataProtectionOfficer@stjohn.gg
By telephone: +44 (0) 1481 727129 (normal office hours only)
Office of Data Protection Authority
By post: Office of the Data Protection Authority, St Martin’s House, Le Bordage, St Peter Port, Guernsey, GY1 1BR
By email: email@example.com
By telephone: +44 (0)1481 742074
- CHANGES TO THIS PRIVACY NOTICE
SJAG may from time to time change this Privacy Notice. However, if this Privacy Notice is changed in a material way SJAG will post a notice advising of such change at the beginning of this Notice. We recommend that you re-visit this Privacy Notice from time to time to learn of any such changes.