Data Protection Act/GDPR Compliance

Last updated: 8th November 2021

The Data Protection Act 2018 replaces the 1998 Act and came into force on the 22nd May 2018. The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR) which broadly mirrors the EU GDPR.

medDigital, the company behind medCrowd, is registered with the UK Information Commissioner's Office as a data controller with registration Z1263667.

The Data Protection Act controls how medCrowd uses personal information. We must follow strict rules known as the 'data protection principles'.

The following tables list the requirements of the legislation. Rows are colour coded to indicate our compliance as of the date at the top of this document, using the following key:

  • Compliant.
  • Not compliant. Solution identified and scheduled for implementation.
  • Not compliant.

Each entry below gives the principle or chapter, its description, and our implementation.
(a) - lawfulness, fairness and transparency

Personal data shall be processed lawfully, fairly and in a transparent manner.

medCrowd satisfies this principle by:

  • having legitimate grounds for collecting and using personal data in that the personal data of a medCrowd user is required only to provide the medCrowd service and for no other purpose;
  • if a medCrowd user chooses to provide the personal data of any third party then they are required to do so in accordance with our terms of use and privacy policy which requires that they be clearly authorised to do so;
  • not using personal data in any way that can have unjustified adverse effects on a medCrowd user;
  • being transparent about how we intend to use personal data, and giving medCrowd users a privacy policy;
  • handling personal data only in ways that would be fair and reasonably expected; and
  • not doing anything unlawful with the personal data.
(b) - purpose limitation

Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

medCrowd satisfies this principle by:

  • providing a privacy policy which is clear from the outset about why we are collecting personal data of a person wishing to join medCrowd and what we intend to do with it;
  • complying with the Act's fair processing requirements;
  • being registered as a data controller with the Information Commissioner's Office; and
  • ensuring that if we wish to use or disclose the personal data of any medCrowd user for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair and compatible with the original purpose.
(c) - data minimisation

Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

medCrowd satisfies this principle by:

  • only holding personal data about a medCrowd user that is sufficient for the purpose we are holding it for in relation to that user; and
  • not holding any more information than we need for that purpose.
(d) - accuracy

Personal data shall be accurate and, where necessary, kept up to date.

medCrowd satisfies this principle by:

  • allowing a medCrowd user to amend any information we hold about them at any time;
  • ensuring the source of any personal data provided by a third party is clear;
  • considering any challenges to the accuracy of information; and
  • considering whether it is necessary to update the information.
(e) - storage limitation

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

medCrowd satisfies this principle by:

  • allowing a medCrowd user to delete their account at any time[1];
  • reviewing the length of time we keep personal data;
  • considering the purpose or purposes we hold the information for in deciding whether (and for how long) to retain it;
  • securely deleting information that is no longer needed for this purpose or these purposes; and
  • updating, archiving or securely deleting information if it goes out of date.

[1] A medCrowd user who deletes their account can no longer be identified on medCrowd. However, their personal data will still be available to auditors for six years to comply with healthcare legislation (e.g. HIPAA).

(f) - integrity and confidentiality

Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss, or destruction of, or damage to, personal data.

medCrowd satisfies this principle by:

Chapter III: Rights

Personal data shall be processed in accordance with the rights of data subjects under this Act.

medCrowd satisfies this principle by providing medCrowd users a comprehensive Privacy Policy which details the rights, by providing tools within the medCrowd platform for users to exercise those rights and where this isn't possible, providing a contact point within our organisation for those rights to be respected and actioned.

Chapter V: Transfers

Personal data shall not be transferred to a country or territory unless that country or territory has an adequacy decision from the European Commission or the United Kingdom or appropriate safeguards are in place.

medCrowd satisfies this principle by:

  • hosting the medCrowd application, servers, and databases in the United Kingdom;
  • ensuring that suppliers receiving personal data are based in the UK, EEA, or the USA; and
  • ensuring that any suppliers receiving personal data based in the USA have in place appropriate safeguards as determined by the UK GDPR to protect individuals' rights and freedoms in respect of their personal data.
Accountability

The accountability principle requires us to take responsibility for what we do with personal data and to show how we comply with the other principles.

medCrowd satisfies this principle by:

  • designing and organising a comprehensive Information Security Management System containing technical and organisational measures to protect data;
  • taking a data protection by design and default approach;
  • having contracts in place with organisations, employees and contractors that contain data protection requirements; and
  • maintaining an incident reporting and management procedure for dealing with breaches.