Privacy Policy


The National Association for Healthcare Security (NAHS) is a voluntary membership-based organisation for Healthcare Security professionals and those involved in the delivery of Healthcare Security and Security Services to the sector.

As a professional organisation, we fully appreciate the trust you place in us when sharing your personal data. The security of that data is very important to us. In this document, we explain how we collect, use and protect your personal data. We also explain what rights you have with regard to your personal data and how you can exercise those rights. If you have questions about how we process personal data or would like to exercise your data subject rights, please email us at

To ensure we process and handle all personal data correctly, NAHS is registered with the Information Commissioner’s Office (ICO) and we have appointed John Currie as our Data Protection Officer, who will lead in this area. Our registration certificate is available on the website. Our unique registration number is ZA545763, issued on 31st August 2019.

Collection of personal data

Under the Data Protection Act 2018 (GDPR), NAHS has to inform you why it needs to collect your personal data.

We collect personal information from you for any one or more of the following reasons:

  1. To process Association membership
  2. To provide you with information that you have requested or which we think may be relevant to a subject in which you have demonstrated an interest
  3. To manage any communication between you and us
  4. To fulfil a contract that we have entered into with you or with the organisation that you
  5. To ensure the security and safe operation of our website and Association database and infrastructure

Storage of personal data

NAHS is a UK organisation; however, we do not occupy or have a registered office address, as our Executive Board and management team are all volunteers who work for the NHS full time. We have appointed a Webmaster, and our Executive Director responsible for Press, Social Media and Information Technology oversees and manages all our systems and processes. NAHS can confirm that all of your data is processed and stored on dedicated and protected servers in the UK and is not Cloud-based.

Our payment processors and banking arrangements are based in the UK. We operate a data retention policy in respect of all data, whether paper-based or digital. Those aspects of it which relate to personal data are reviewed on a regular basis, and personal data is retained only for the period of use as defined above under the section entitled Collection of personal data.

Security measures

We have what we believe are appropriate security controls in place to protect personal data, including assessment of risk to the rights and freedoms of data subjects.

All of your data is processed and stored on dedicated and firewall-protected servers in the UK and is not Cloud-based.

All personal data is processed in a central system with processes to ensure that only those members of staff who are authorised have access to your information.

Your rights

Under the Data Protection Act 2018, as a data subject whose personal information we hold, you have certain rights.

If you wish to exercise any of these rights, please email or use the information supplied in the ‘Contact us’ section of the website. In order to process your request, we will ask you to provide two valid forms of identification for verification purposes.

Your rights are as follows:

  • The right to be informed
    As a data controller, we are obliged to provide clear and transparent information about our data processing activities. This is provided by this privacy policy and any related communications we may send you.
  • The right of access
    You may request a copy of the personal data we hold about you free of charge. Once we have verified your identity and, if relevant, the authority of any third-party requestor, we will provide access to the personal data we hold about you as well as the following information:

a) The purposes of the processing
b) The categories of personal data concerned
c) The recipients to whom the personal data has been disclosed
d) The retention period or envisioned retention period for that personal data

Contact us

Any comments or questions about this privacy policy or our handling of your personal data should be emailed to marked for the attention of the Data Protection Officer.


Should you wish to discuss a complaint, please feel free to contact

Please note that all complaints are handled confidentially. However, should you feel at all dissatisfied with how we handle or manage your data, you are entitled to escalate your complaint to the Information Commissioner’s Office. The ICO is contactable at
