health foundry

Health Foundry Data Protection Policy & Data Capture Overview

The following document provides an overview of the Health Foundry data protection policy, as well as an overview of all the data that is captured and/or held by Health Foundry and how it can be accessed.

It will be made public as a read-only Google Doc on the website www.healthfoundry.org/privacy.
This link will be added to the Members’ Handbook, provided to all members.

This document was last updated: 10 January 2019 by Tim Ahrensbach and Alice Fung


Data Protection Policy: MEMBERS


Data holders
Health Foundry is managed by Architecture 00 (00), the data processor, on behalf of Guy’s and St Thomas’ Charity (GSST). Hence all data captured by “Health Foundry” is held and managed by staff of 00 and can be accessed by GSST upon request.

Digital Protection Leads
The dedicated Data Protection Officer is Alice Fung, who can be reached at alice@project00.cc 
Alternatively, you can also contact the Health Foundry team at hello@healthfoundry.org 

How we use your personal data
Under the GDPR, we must always have a lawful basis for using personal data. This may be because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, or because it is in our legitimate business interests to use it. Your personal data will be used for the following purposes:

We will always work to fully protect your rights and comply with our obligations under the GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt out in any correspondence we send.

Access, modify or delete your data
If you want to access, modify or delete any data held by Health Foundry, please contact Alice Fung. 
We aim to deal with your request within 5 working days, but during busy times this can take up to 30 days.

Data breach
In case of a data breach, we aim to inform members either individually via email, or collectively via Mailchimp (depending on the scope of the breach), as quickly as possible, but always within 30 days.

Retention periods
In order to evaluate the impact of Health Foundry on our members, the data we capture has no expiration date unless otherwise specified in the data capture overview below or requested by the member.

Concerns or complaints
If you are unhappy with or have concerns about how we have managed or processed your data request, please contact us directly, or alternatively Rob Parker from GSTTC at Rob.Parker@gsttcharity.org.uk. You also have the right to complain to the Information Commissioner’s Office (ICO) https://ico.org.uk/ if you believe there is a problem with the way we are handling your data.

Data Protection Policy: STAFF

All staff data is managed by Architecture 00. For further details, please contact Practice Manager Carmen Moore at carmen@project00.cc or info@project00.cc 

DATA COLLECTED

Member Sign-Up Data

Held on:                         Office RnD and Nexudus (internal and external site)
Submitted:                By members through a sign-up form
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Ability to contact members
                        Issuing and monitoring of invoices
                        Understanding member needs
                        Evaluation of impact on members
Data gathered:                Contact details (as submitted by members)
                        Membership details (as submitted by members)
                        Company information (as submitted by member)
                        Invoices issued/paid
                        Meeting room bookings
Privacy policy:                
https://www.officernd.com/privacy/ and http://docs.nexudus.com:8090/display/NSKE/Privacy+Policy

Member Directory

Held on:                         Office RnD and Nexudus (internal and external site)
Submitted:                By members through interactive portal
Who has access:         Health Foundry and members themselves
Retention period:        No expiration unless deleted by the members themselves or requested
Purpose:                Member-to-member communication
                        Profile on the member directory
Data gathered:                Contact details (as submitted by members)
                        Company description (as submitted by members)
Privacy policy:                
http://docs.nexudus.com:8090/display/NSKE/Privacy+Policy and https://officernd.com/privacy/
                        

Direct Debit information

Held on:                         GoCardless (3rd party site)
Submitted:                By members on GoCardless website
Who has access:         GoCardless only
Retention period:        Health Foundry does not have access to this information
Purpose:                Payment of Health Foundry issued invoices
Data gathered:                Payment details
Privacy policy:                 
https://gocardless.com/legal/privacy/ 

Credit card payments

Held on:                        Stripe (3rd party site)
Data submitted by:           Health Foundry team via Nexudus (data provided by member)
Accessed by:                    Health Foundry team
Main uses:                        Processing of one-off payments
Privacy Policy:                  
https://stripe.com/gb/privacy


Membership (+Pipeline management)

Held on:                         Office RnD + back-up downloaded to Google Drive.
Submitted:                By Health Foundry team
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Management of members + pipeline
Data gathered:                Company name and size
                        Lead contact name and email
                        Membership package
                        General membership details (non-financial/person)

Feedback (general)

Held on:                         Office RnD (internal site)
Submitted:                By Health Foundry team - received from members via email, Twitter etc.
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Evaluation of feedback
Data gathered:                Company name
                        Member name
                        Feedback

Exit Survey

Held on:                 Podio.com (internal site)
Submitted:                By members via form
Who has access:         Health Foundry
Retention period:        No expiration unless requested
Purpose:                Evaluation of impact on members
Data gathered:                Company and member name
                        Turn-over, funding received and size of company at time of exit
                        General feedback

1-to-1 surgery questionnaires (x3)

Held on:                         Office RnD  (internal site)
Submitted:                By members via form
Who has access:         Health Foundry + email copy is sent to 1-to-1 consultant
Retention period:                No expiration unless requested
Purpose:                Understanding of member’s needs prior to 1-to-1 surgery
Data gathered:                Company and member name
                        Description of company and challenges faced                

Activity metrics

Held on:                         Office RnD (internal site)
Submitted:                By members via form
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Understanding of impact of activities on members
Data gathered:                Member name
                        General feedback

Overdue invoices

Held on:                         Google Drive
Submitted:                By Health Foundry team
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Management of overdue invoices
Data gathered:                Organisation name
                        Contact email
                        Invoice details (amount, date, payment date etc.)

Slack profile

Held on:                         Slack channel (shared)
Submitted:                By members through interactive portal
Who has access:         Health Foundry staff and members
Retention period:                No expiration unless deleted by the members themselves or requested
Purpose:                Communication between members
Data gathered:                Individual profile names
                        Other information members wish to share

Membership profiles (displayed in coworking space)

Held on:                         Dropbox (in pages format)
Submitted:                By Health Foundry - received from members via email
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Display printed member profiles in the space
Data gathered:                Company and member names
                        Short company description

Annual member survey

Held on:                         SurveyMonkey
Submitted:                By members via form
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Evaluate impact of Health Foundry on members
Data gathered:                General feedback
NOTE:                        This survey is anonymous unless members provide their email

Mailing lists - general

Held on:                         MailChimp
Submitted:                By anyone interested via online form (double opt-in function)
Who has access:         Health Foundry and the individuals themselves (via “subscription preferences”)
Retention period:                No expiration unless requested or the individuals unsubscribe themselves
Purpose:                Send newsletters to individuals
Data gathered:                Name and email address

Mailing lists - members

Held on:                         MailChimp
Submitted:                By Health Foundry team
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Send emails and newsletters to members
Data gathered:                Name and email address

Membership scrum

Held on:                         Google Drive
Submitted:                By Health Foundry team
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Send relevant information to member
                        Facilitate member-to-member collaboration
Data gathered:                Contact details (as submitted by members)
                        Membership details (as submitted by members)
                        Company information (as submitted by member)
                        Additional information from member 1-2-1

Membership 1-2-1 questionnaire

Held on:                         Google Drive
Submitted:                By Health Foundry team
Who has access:         Health Foundry
Retention period:                No expiration unless requested
Purpose:                Send relevant information to member
                        Facilitate member-to-member collaboration
Data gathered:                Company and name
                        What support they want
                        What they can contribute to the community
                        Additional information from member 1-2-1