Purple Alert Privacy Notice

Introduction 

When we say we are committed to protecting your privacy, it’s not a throwaway line, we really do mean it. 
We only ask for personal information that will help us deliver the best possible service to you and nothing else; we store your information securely at all times; we delete any pieces of information as soon as they are no longer relevant; we will never sell your data to anyone; your data is only shared with providers who are directly involved in the delivery of this service and no one else; you can delete your account and all the data we hold about you at any time.  

Who are we? 

Alzheimer Scotland is the main controller for the provision of the service called Purple Alert. 
Add Jam Limited is a private company that has been provisioned by Alzheimer Scotland to develop the Purple Alert app. Add Jam is subject to the same restrictions on privacy, data processing and information security as per comparable internally-provided services for Alzheimer Scotland. In providing this service Add Jam does not have any access whatsoever to the information stored on other systems within Alzheimer Scotland for your benefit. 
We deliver Purple Alert services in close relationship with Police Scotland. 
Police Scotland is subject to the same restrictions on privacy, data processing and information security as per comparable internally-provided services for Alzheimer Scotland. In working closely with this service Police Scotland does not have any access whatsoever to the information stored on other systems within Alzheimer Scotland for your benefit. 
 
Why do we collect data?

Purple Alert is a community minded app and each user is asked to allow notifications, access to camera and photos and to enable location services:

1.    Notifications - The scope of the app is to notify you if someone with dementia is missing in your area. 
2.    Camera and Photos – Each user must create a profile to be a visible and legitimate community member. 
3.    Location Services - The app must use your location to notify you about missing people in your area and to suggest relevant content depending on your location. 

What is our legal basis for processing your data?

We hold and process “personal data” and “special category data” so that we can deliver Purple Alert services. We are allowed to do this under the Data Protection Act 2018 if certain conditions are met. The conditions are set out in the Data Protection Act in a series of numbered Schedules and paragraphs.
We reasonably believe that these conditions for processing your data are met: 
•    Schedule 9 paragraph 4 (to protect the vital interests of you or of another individual) and 
•    Schedule 10 paragraphs 3 and 4 (vital interests of a person, and safeguarding of an individual at risk). 
When you use the Purple Alert service, you also confirm that have the explicit consent of a person with dementia to the use of their data, or you are in a position to give that explicit consent on their behalf. You may be in that position because you have clear authority granted by them, or you may have authority granted by a relevant court having jurisdiction over them.

What data do we store? 

Community Members
If you are a Purple Alert community member and you don’t create a profile for a person with dementia, we store the following details:

Your Name and Surname
Your email
Your password
Your profile picture
Your postcode
Your mobile phone number


Carers
If you create a profile for someone with dementia, we store 

Your Name and Surname
Your email
Your password
Your profile picture
Your postcode
Your mobile phone number
The Person With Dementia Name and Surname 
The Person With Dementia Profile Picture
The Person With Dementia’s Gender, Year of Birth, Ethnicity, Complexion, Eye colour, Hair colour, Height, Weight, Visible Marks, Places of interest, Habits and Routines, Medical Information (if any), Other Information (if any), Bus Pass (If any)
The Herbert Protocol (if uploaded). 

If the Person with Dementia is missing we also store

The Person With Dementia last seen date, time and location, what they were wearing and any other additional comments or information you give. 

If the Person with Dementia is found we also store

The Person With Dementia found date, time and location, any other additional comments or information you give. 

 
What do we do with the information you provide ? 

First and foremost, we use this information to help finding a person with dementia if they’re missing. 
Thanks to the data you input in the app, we are able to visualise how many community members there are in a specific area or postcode, giving an indication of how safe that area is for someone who might go missing. This data is anonymised. 
If we feel that your safety and the safety of the missing person will benefit from the involvement of Police Scotland, we might share some or all of your data with Police Scotland.
If we have to communicate any major upgrade of the app and/or the service, Alzheimer Scotland reserves the right to use the details you provide to notify you. This type of communication is not a marketing or promotional message but an essential update in relation to Purple Alert. 

Any misuse or abuse of the service will not be tolerated and Alzheimer Scotland reserves the right to use and share some or all of your data with Police Scotland. 
Any misuse or abuse of the service will be handled accordingly using some or all the data you provide by Alzheimer Scotland and Police Scotland. 


Community Members
As a community member, your identity will always be private until you actively engage in a conversation during a missing alert. 
As a community member, if you find the missing person and get in touch with the carer, your details might be used by the carer, Alzheimer Scotland or Police Scotland to get in touch with you within 7 working days from the missing occurrence. 

Carers
As a carer for a person with dementia, your identity and the one of the person you care for will always be private until you actively raise a missing alert. 
Following a missing alert, your details might be used by Alzheimer Scotland or Police Scotland to get in touch with you within 7 working days from the missing occurrence to provide additional support.  

Your rights

You have rights over your data. If you would like to exercise any of your rights, please contact us using the details below. If you exercise any of your rights we may ask for proof of identity so that we can locate your personal information. If we agree that we have to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge except in exceptional circumstances.
If you wish to raise a complaint in relation to our processing of your personal data, you can contact us at [email protected] or by writing to us at Alzheimer Scotland, 160 Dundee Street Edinburgh EH11 1DQ and marking your query for the attention of the Data Protection Officer. If you are not satisfied with our response or you believe that we are not processing your personal data in accordance with the law then you also have the right to lodge a complaint with the data protection regulator, the Information Commissioner’s Office. You can contact the Information Commissioner’s Office at: https://ico.org.uk/global/contact-us/ .
Your rights include:
•    A right to transparency over how we use your data and to make a subject access request (your right of access to your data that we hold);
•    A right to have your personal data updated and corrected (right of correction/rectification);
•    A right to ask us to delete your information (right to be forgotten);
•    A right to ask us to stop processing your information (right to restriction);
•    A right to object to processing of your information (right to object);
•    A right to receive a copy of your information, or have this sent to a third party (right to data portability); and
•    A right to claim compensation for material or non-material damage caused if we breach the data protection rules (right to compensation).
If you would like to find out more about your rights, you can visit the Information Commissioner’s Office website (https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr).

Where do we store your data? 

We store your data in DigitalOcean UK data centre. For more information about how DigitalOcean processes data, please see their privacy notices.
We do not expect to store your data outside the UK. If we have to do that at any time, we would first ensure that the storage would match the same secure conditions that would apply in the UK.
 
How long do we keep your data for ? 

We will keep your data safe until you decide to delete your account.
 
How can you change or delete the data we store on you ? 

You can change or delete the data at any time within the app, in ‘your details’ section or in the ‘Person with dementia profile’ section.  
 
Can I delete my account ? 

You can delete your account at any time. We’ll be sorry to see you go, but if you do want to close your account, we will delete all personally identifiable data from our production environment within 24 hours of receiving the request. For resilience purposes, we maintain backup copies of your data – for this reason, it may take up to 7 days before your data is fully wiped from all of our servers.  

Privacy Notice updates 

We will be updating our Privacy Notice occasionally. We will notify you by email if our policy changes, and you will also be notified when you next log in that the privacy statement has changed, so that you can review any changes made before proceeding. The current policy (version 0.1) is effective from 1 August 2020. 
  
Who will have access to your data 

Only authorised Alzheimer Scotland employees (the data controller) and Add Jam employees (the data processor) will have access to your personal data.  Add Jam employees only have access to your personal data to help make the Purple Alert app work.
Under exceptional circumstances (eg if an exceptional technical problem occurs with the system), authorised Add Jam employees who have undergone full Disclosure Scotland checks will have access to your data for a very limited period of time with the agreement of Alzheimer Scotland. 


Links to other websites 

Purple Alert app may contain links to other websites aimed at providing you with relevant information to you or your loved ones. We do not have any control over the content and management of external websites. Once you leave our app, we cannot be responsible for the protection and privacy of any information that you provide while visiting such sites (and are therefore not governed by this Privacy notice). If you do visit linked sites, we would strongly recommend that you exercise caution and look at any related Privacy Notes on the sites in question. 
  
 
What is a Privacy Notice ? 

A Privacy Notice (also known as a Fair Processing Notice) tells you about the information that we ask for and hold about you, what we do with it, how we look after this data, and who it is shared with. 
The Privacy Notice helps us be open and transparent about the way in which your information is processed in order to deliver the underpinning service.