GoodSAM Data and Privacy Policy

Welcome to GoodSAM's privacy policy. Governance and Security are at the core of GoodSAM and we are committed to respecting your privacy and protecting your personal data.


1. Introduction:


This privacy policy tells you how the GoodSAM Ltd group of organisations use your personal data - when you contact us, sign up to our newsletter, use the GoodSAM Alerter or Responder apps, act as an organisation on the GoodSAM platform or are an organisation making a referral through the GoodSAM platform.

We think this is really important and hence have written this as clearly and openly as possible to minimise legalise. Please read it so you are fully aware of how and why we use your data. This policy (together with our Terms and Conditions) sets out the basis on which any personal data we collect from you, that you provide to us, or which we hold about you, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we treat it.

This latest version of our privacy policy was updated on 20th May 2020. It will be regularly updated as new features requiring explanation are added and as further clarity is required.

If you have any questions from it, please email us at: info@goodsamapp.org


2. GoodSAM as the data controller and data processor:


GoodSAM Ltd provides technical services to organisations to facilitate emergency response, crowdsourcing of care and an ability to remotely triage patients. GoodSAM's registered office is at:

GoodSAM Ltd, 1 Curtain Rd, London EC2A 3JX GoodSAM is the data controller responsible for the website and apps and the processing of data within them.

GoodSAM acts as the data processor for the NHS Volunteer Programme, GoodSAM Cardiac and GoodSAM Video technology, where our partner organisations control information governance (they determine how the data is stored, processed, shared or retained).


3. Personal data we collect about you:


Personal data recorded depends on your method of interacting with us. Where you have requested that we provide a specific service (as detailed below), we will process your personal data in order to perform that service or meet your request:

Friends of GoodSAM: If you sign up to the GoodSAM Newsletter, you have given consent for us to intermittently contact you with news from GoodSAM. Every subscriber has opted into this - we do not obtain email addresses from other sources and do not use pre-checked 'keep me informed' boxes. At the bottom of every email is an 'Unsubscribe' button. We don't email much but if you do want to withdraw consent, simply click that and we'll go away!

GoodSAM Alerter: If you register as an Alerter, we record some basic data. If you use single sign on, this comprises some very basic identifier data passed from Google/Facebook/LinkedIn. If you register manually, we store basic identifiers, your phone number and additional information that you can consent

to provide if you wish. This includes some Special Category Data. This is health related data such as past medical conditions, current medication and allergies. The lawful basis of using this data is that in addition to your consent it has vital interests if you are unwell (may convey useful life saving information). You can always remove / modify this health data; though we would encourage you to keep it as up to date as possible. This data may be passed to responders attending scene (so they can provide more appropriate help) and to the emergency services of the region if you have triggered an alert. The lawful basis of passing this information is that it is in vital interest to save life (yours!) and by providing the additional information you have consented to this.

We do not process any location data when using the GoodSAM Alerter App unless you trigger an alert. Knowledge of your location is critical to system function and that data may be passed to the local emergency services and local GoodSAM Responders. This is a vital interest to life. The data is stored as a legitimate interest for future analysis / audit.

GoodSAM Responder user (GoodSAM Cardiac Alerter, NHS Volunteer or other Responder using the GoodSAM Responder app): As a GoodSAM Responder we are required to hold certain data about you. This includes basic identifier information and evidence of identity/training. This is a legal obligation through contracts with emergency and other services we work with and essential to robust governance of the platform.

If you are an NHS Volunteer Responder, we ask for certain information from you so that you can be connected to patients and end users to support the NHS. This includes the name, telephone and email address, postal address, which service you would like to volunteer for, confirmation that you meet the eligibility criteria, profile data and any form of ID submitted. This data will remain on the platform while you are active as a Responder.

For GoodSAM to be able to alert Responders close to an emergency or an NHS referral, the system needs to know your location. The system therefore receives regular updates of your location. No historical location data is stored. If you are activated and accept an alert or NHS referral, certain data is recorded for this event only for governance reasons. Specifically, location data when you were alerted/tasked, time on scene with the patient and any report forms which you may complete. This data will remain on the platform while active as a responder.

Additionally, there are is a range of additional data that you can add through your account profile. This includes additional images, whether you have an AED on you or a profile photo, etc. This additional data is voluntary and given by consent but is processed as a legitimate interest to ensure the essential and optimal running of the GoodSAM platform.

By being a Responder or NHS Volunteer, you consent that GoodSAM and your Verifying Organisation will also contact you from time to time to ensure that you receive information about the GoodSAM platform (for necessary service updates and to ensure ongoing governance of the system).

Information you voluntarily provide when you contact us: If you contact us by phone or email, we may keep a record of that correspondence in case we need to contact you in relation to the issue for which you contacted us or operational performance improvement. If you report a problem to us, we may keep a record of that information in case we need to contact you in relation to the issue for which you contacted us. The information which you give may include your name, email address and details regarding your Responder or Alerter account. If you are a business, when you contact us, the information which we collect may include: your name, email address and telephone number; the name of your business and your business title and your business address.

We do not store any financial or transaction data for GoodSAM Alerters or Responders

Referrers (to the NHS Volunteer Programme): We ask for basic information in order for referring services to make referrals to the NHS Volunteer Programme. Basic information includes information in order for the Referring Service to create an account (Name, email address) as well as information regarding the Volunteer task. Patient details relevant to the task are stored in line with NHS requirements (ie including patient name, email address, contact number, address, type of help, frequency and whether the patient is/has suspected COVID-19). Referral requests are shared with the Royal Voluntary Service who are co-ordinating the volunteer programme and will be deleted at the request of NHSE.

4. Cookies


You may be aware that some organisations use cookies / information from 3rd parties to track browsing habits and target advertising specifically to your interests. GoodSAM does not use cookies at all for these purposes.

Similarly, we do not provide cookies to third parties.

We do, however, use cookies to remember your preferences within the GoodSAM website and from third parties as part of single sign on.


5. Disclosure of personal data


The GoodSAM platform works with multiple organisations (for example London Ambulance Service, Ambulance Victoria, East Midlands Ambulance Service, St John New Zealand). For NHS Volunteer Responders, information is shared with the Royal Volunteer Service (RVS) who are responsible for the governance of the system - approval and mobilisation of volunteers and co-ordination of NHS Referrals. RVS acts as the Verifying Organisation for NHS Volunteer Responders and as such data on Responders and NHS Referrals is shared with them.

All Verifying Organisations on the platform have access to personal data of staff / Responders who register under their specific organisation on the platform. In registering and selecting that organisation as their Verifying Organisation or completing the NHS Responder Form, the individual is giving consent to this, however the overarching lawful basis is the legitimate interest in this being vital for the system to function.

We will only share your information with other partner organisations, where we have your permission to do so or where we believe it is necessary for a legitimate reason connected with the app or our services. We only share your information with these third parties who have equivalent security and privacy terms as us. GoodSAM does not pass on any other data to non-partner organisations without specific consent or unless required to by law.


6. AED (Automated External Defibrillator) data


GoodSAM records AED data uploaded by the community, including location, images, availability times, access codes etc. We also store personal data affiliated to the AED, for example, identity and contact details of the guardian (if known) and / or the individual who uploaded the AED data. Most of the guardians are companies / organisations that for example have AEDs on their premises. The lawful basis for storing this data is the legitimate interest in that the data is required to be able to inform people of AED locations and their availability.

GoodSAM does not sell AEDs and has no vested interest in AED data. We provide AED data at no cost to partner ambulance services and agree to share data. We display data within the Apps in an open but location-controlled manner - you can only see AEDs close to your current location.


7. Audio / Messaging Data


Within the Apps it is possible to transmit messaging data (text and audio). This data is encrypted and only viewable / audible to the intended recipient. The lawful basis for processing this data is the legitimate interest to enable the function of the platform to work. It may also have vital interests when the message being transmitted pertains to a life-threatening emergency.


8. Video Data


Video data can be transmitted in 2 ways. Firstly, from within the Apps. This video (and audio) data passes directly to ambulance control or a receiving Organisation. The Responder initiates video stream by actively selecting the video on the home page of the app. The emergency service or other Organisation has control over whether this data is recorded or not (none is stored on the callers mobile phone). This data can be viewed by Verifying Organisation administrations on the platform. Video data can be viewed, downloaded or shared by the receiving organisation.

Secondly, video can be transmitted independent of Apps. This is achieved through a text message link that opens a URL that opens the camera. The caller shares their mobile number and a text message is sent. The text message contains a link and when pressed on, the caller is asked to agree to share video / audio and location data (via a pop-up message before any information is transmitted). Once confirmed

by the caller, video, audio and location data is shared. Again, the service has complete control as to who is able to see this footage within their organisation. Each user under a service has their own log in - permissions are tailored by the service to allow certain users to perform certain actions (e.g view, download, share video stream).

If the service chooses to store video / audio data (in the same way a 999 call is recorded) that data is stored encrypted and for the length of time determined the Service or Organisation. The lawful basis for storage of this data is the legitimate interest in keeping notes as evidence in a similar manner to good record keeping for medical purposes, police or volunteering purposes.


9. Data Sharing and Storage


GoodSAM does not provide data to organisations other than those that use data for the lifesaving and volunteering benefits intended as outlined above. These organisations themselves agree that this data is not passed outside their organisation and used exclusively for the purposes of agreed with us. Clearly, the lawful reason to share data is the vital interest of saving lives or supporting volunteers by enabling the service to work. In utilising our Service, users consent to the processing of their personal data in the way outlined above.

The data which we collect from you may, on occasion, be transferred to countries outside the European Economic Area (EEA). This is for the legitimate purpose of ensuring the GoodSAM platform is available globally and able to facilitate live saving intervention worldwide. This includes, for example, the locations of Responders and Alerters and where Responders accept alerts outside of the EEA or where Alerters generate an alert outside of the UK. Where a Responder accepts an alert outside of the EEA, the Emergency Service of that reason (where we are integrated with them) may receive details of the Responder (acceptance of alert, time to scene, basic identifiers - ie. email). Countries outside of the EEA may not have laws which provide the same level of protection to your personal data as laws within the EEA. Where this is the case, we will put in place appropriate safeguards to ensure that such transfers comply with applicable data protection laws.


10. Keeping your Information Secure:


Security is central to GoodSAM and we take the security of our users very seriously Unfortunately, the transmission of information via the internet is never completely secure. Whilst we cannot guarantee the security of your data transmitted to our site, and any transmission is at your own risk, we use highly strict procedures and security features to prevent unauthorised access. For example, our system are hosted on Amazon infrastructure and we follow strict policies as to our handling of personal data and conduct regular reviews of our infrastructure and server security. All staff are trained in the proper handling of personal data and observe our data handling policies. All staff actions on our system are auditable and staff are only provided with access to areas of our system, according to their role.


11. How long we keep your information


We will retain your personal data for as long as you wish to be communicated with from us or use our Apps and for a reasonable period of time since you ceased using the Apps. The length of time we keep the personal data will vary dependent on how long we need the personal data to deliver, maintain or improve our services and whether we require the information as part of a dispute or to comply with a legal obligation (including responding to a regulatory or statutory Emergency Service). Please note that we may also be required to retain certain information by law.


12. Privacy Notices for the NHS Volunteer Responder Programme


GoodSAM is working with the Royal Voluntary Service to support NHS England deploy the NHS Volunteer Responders Scheme during COVID-19. The aim of the Scheme is to recruit and deploy a network of volunteers ('NHS Volunteers') throughout England who are willing and able to provide certain categories of support to individuals who are self-isolating for age or health related reasons or healthcare organisations, such as pharmacies, GP practices and hospitals. Where a 'Patient' requires support, they may self-refer into the Scheme or a third party (such as a family member, friend, GP practice, health care worker, hospital or pharmacy) may make a referral into the Scheme on their behalf - they act as 'Referrers'.

GoodSAM collects this information subject to our contractual obligations with the Royal Voluntary Service for the purpose of administering the scheme.

Privacy Notice for NHS Volunteers - types of information we will collect: Your full name; your address, email address and telephone number; information to enable us to check and verify your identity (e.g. a copy of your passport or driving licence); details of which volunteering roles you wish to opt for; and if you volunteer to provide support to Individuals with transport to hospital or other medical appointments or if you volunteer for our CRV+ role (i.e. an NHS Volunteer Responder who is cleared to work with vulnerable adults), a copy of an Enhanced DBS with Children's or Adults' Barred list (or both), dated within the last 12 months. GoodSAM monitors the location of NHS Volunteers in order to alert NHS Volunteers to local alerts. In these cases, we will keep a record of location data when you are alerted to an incident and other data about the volunteering tasks you accept, reject or perform. Only the Technical Team at GoodSAM has access to this information, for the purposes of administering technical elements of the scheme.

Privacy Notice for Referrers - types of information we will collect: Client/Patient Name, Client/ Patient Email address, Client/Patient Contact Number, patient safety letter, Client/Patient post code, address, type of support required, referrer name, referrer organisation, referrer email, contact number. If you are making a Request on behalf of a patient, you will also be asked to confirm that the Individual is aware that you are making a Request on their behalf and has given their permission to you doing so. Only the Technical Team at GoodSAM has access to this information, for the purposes of administering technical elements of the scheme.

Privacy Notice for Patients: If you self-refer into the Scheme or a Third Party Referrers makes a referral

on your behalf, we collect the following information: Your full name; your address; your email address; your telephone number; details of the category of support you require; details of how urgently and how frequently you require support; the name, contact details and email address of your GP; and confirmation of whether you have a cognitive impairment or other significant vulnerability we need to be aware of (this is to ensure that any volunteer we assign to you has the required level of DBS check). All patient information is shared and managed directly by Royal Voluntary Service. Only the Technical Team at GoodSAM has access to this information, for the purposes of administering technical elements of the scheme.

Sharing, processing and retaining your data: We act as the data processor for the Royal Voluntary Service, who co-ordinate the coronavirus response. We will only share your personal data within our organisation, as necessary to administer the Scheme and with other organisations where necessary to comply with our statutory or regulatory obligations (specifically, the Royal Voluntary Service and NHS England). We will only share your personal data within our organisation, as necessary to administer the Scheme and with other organisations where necessary to comply with our statutory or regulatory obligations (specifically, the Royal Voluntary Service and NHS England). Your personal data will be stored within the GoodSAM Dashboard which is accessed by the Royal Voluntary Service. Our general retention policy will be to retain your personal data only for the duration of the Scheme. It is envisaged that the Scheme will run for a period of 6 months from the beginning of April 2020. However, it is possible that NHS England will extend the duration of the Scheme. If this happens, we will review our general retention and agreements with RVS. At the end of the scheme, by default, you will remain on the GoodSAM platform (name and email address) but can request removal at any time. Our general treatment of your data is subject to the following exceptions:

-We may need to retain your personal data for a longer period to enable us to deal with any complaints, grievances, investigations or legal claims or actions which arise. In this situation, we will retain such personal data as is necessary to deal with the relevant compliant, grievance, investigation or legal claim or action.

-In certain circumstances, we may need to retain your personal data for a longer period to enable us to comply with our statutory obligations or governance requirements set by the Royal Voluntary Service and NHS England.


13.Deletion


Once it is no longer necessary for us to retain your personal data, we will ensure that it is permanently and securely deleted or anonymised. We are happy to delete any personal information we store about our community. For requests, please email info@goodsamapp.org with the word 'Delete' in the Subject Field Title and our team will action your request.


14. Right to Know


We think it is important that you are able to control your personal information. You have the right to ask us not to process your personal information. The law also gives you the right to request a copy of the

personal information we hold about you. We will consider this a Subject Access Request and will action this within the appropriate time frame set out in the Data Protection Act. Any Subject Access Requests can be made by emailing info@goodsamapp.org. You can also exercise your right to prevent such processing at any time by contacting us.


15. Summary


This policy explains the lawful reasons for data usage and processing within GoodSAM and partners. It will be updated, so please do check it and contact us on info@goodsamapp.org if you have queries / questions / comments. We really do welcome any questions, comments and requests you may have regarding this Policy.

See below for our summary of which data we process and the basis for processing data.


16. ICO Registration:


GoodSAM Limited is registered as a data controller with the ICO:

Registration number: ZA094052

Date registered: 11 January 2015



 

 

Lawful basis for

Purpose / Activity

Type of Data

processing

 

 

 

Friend of GoodSAM

Identity

Consent (opt in only - you

newsletter or contacting

Contact

have to enter your email

GoodSAM to report

 

address to subscribe to

issues / business purposes

 

newsletter - no pre-ticked

 

 

consent boxes ever used)

 

 

 

GoodSAM Alerter

Identity

Legitimate interest

 

Contact

Legitimate Interest

 

Special Category (health)

Vital Interest to save life

 

data

 

 

Location data (in event of

Vital Interest to save life

 

emergency)

 

 

Any alerts triggered through

 

 

the app.

 

 

 

 

GoodSAM Responder

Identity - name

Legitimate interest

 

Contact - email, address,

 

 

telephone.

Legitimate Interest

 

Image of Evidence of

Legal requirement

 

training / ID

 

 

Profile Image

Consent

 

Special Category (health)

Vital Interest to save life

 

data

 

 

Location data

Vital Interest to save life

 

(continuous)

 

 

Task information - when

 

 

alerted to a task (accept/

 

 

reject), time with patient,

 

 

any report information

 

 

provided, location when

 

 

tasked.

 

 

Type of volunteer

Legitimate Interest

 

 

 

GoodSAM Partner

Location data

Legitimate interest to

 

Administrator/staff

 

Organisations

contact

centre maps on Head

 

data (same as alerter /

quarters / dispatch

 

responder)

control

 

Responders signed up

 

 

under the organisation.

 

 

 

 

AED Data

Location data

Vital Interest to save life

 

Availability hours

Vital Interest to save life

 

Image

Vital Interest to save life

 

Guardian

Legitimate Interest

 

 

 

Audio / Messaging Data

Text Data / Audio Data

Legitimate Interest and

 

 

sometimes Vital Interest

 

 

to save life (depending on

 

 

message data)

 

 

 

Video Data

Video /location/audio data

Legitimate Interest and

 

 

sometimes Vital Interest

 

 

to save life (depending on

 

 

message data)

 

 

 

 

Details of Referring

 

 

Organisation

 

 

Details of referral request

 

 

necessary for performance

 

Referral Organisation

of the task

Legitimate Interest