To the institution asking you to use CamCOPS, and only to that institution.
CamCOPS is a tool for organizations (such as health care organizations or universities conducting research) to collect information from people that trust that organization.
When you install CamCOPS, you choose a server that you wish to use, by entering a URL. This server might belong, for example, to a health care organization or a university conducting research. We’ll call this organization the Data Controller, or Controller for short. “Data controller” is the legal term used within the UK 1 and the European Union 2.
You can use CamCOPS to enter data, as requested by the Controller. CamCOPS will then send the data to the Controller’s server.
CamCOPS only uses encrypted network links (HTTPS) to send data.
Before you enter a URL into CamCOPS, make sure you trust its owner. You choose which server to use. Data that you enter into CamCOPS will be sent to that server.
No data is sent anywhere else. There is no “CamCOPS base”. The team that develop CamCOPS don’t collect statistics from the app about how often it’s used, or who’s using it, or any other information. They don’t collect any data about you at all. They are not the Data Controller.
CamCOPS can collect data in several ways.
Clearly identifiable information.
You might enter your identity details, or the Controller might have set things up for you by pre-entering your details. In this situation, your details (e.g. your name) will be visible to you when you use CamCOPS.
Alternatively, the Controller might be asking you to supply “pseudonymised” data (where a code or pseudonym stands for your identity). If they are collecting pseudonymised data, but you told them your identity at some point, it’s possible that at least some people in the organization could look up your identity. Representatives of the Controller should explain this to you, and whether or not your data might be re-identified.
Some CamCOPS tasks are anonymous (marked with the symbol ). In CamCOPS, anonymous tasks are not attached to identity information in any way.
You will have a relationship with the Controller, who should explain to you how they will use your data. They should obtain your consent to the use of your data, such as for health research.
CamCOPS supports lots of types of task.
These include questionnaires and animated tasks. Questionnaires will collect the information that you supply. Animated tasks will collect information about your responses. All tasks record basic timing information, such as when you started and finished the task.
Some of the information might be sensitive. CamCOPS supports tasks that ask about health, including mental health.
Some tasks collect special types of information, if you choose, such as photos. (To take photos using CamCOPS, you will need to enable “camera permissions” in operating system that require this, such as Android.)
CamCOPS only collects data that you provide directly. In particular:
CamCOPS does NOT look for other installed apps.
CamCOPS does NOT access your device’s phone details, contacts, call logs, calendars, or any other such data.
CamCOPS does NOT access your device’s location.
CamCOPS does NOT capture your device’s screen.
CamCOPS does NOT track any other aspects of your usage of your device.
CamCOPS collects data onto your device. As soon as possible, it moves the data off your device and sends it to the Controller’s server. In the meantime, data that you have entered into CamCOPS (which might be identifiable and might be sensitive) is stored on your device.
CamCOPS encrypts all its stored data with the AES-256 encryption standard. You need to enter your CamCOPS password (which you set) to access the CamCOPS app.
However, the security of your device is also your responsibility. You should keep your device safe. You should also secure your device itself electronically, e.g. with a device password, PIN, or biometric security. For even more security, you could consider enabling whole-device encryption via your device’s operating system.
For more details, see Security design.
That is between you and the Controller, but the Controller will have to follow applicable laws (see below).
Many countries provide legal rights for you to see data that’s about you, check it’s accurate, withdraw your consent, and so on. It is the Controller’s job to respect these rights.
In the European Union (EU), the legislative framework is the EU’s General Data Protection Regulation 2.
In the UK, it’s the Data Protection Act (DPA) 1.
UK (2018). Data Protection Act 2018. http://www.legislation.gov.uk/ukpga/2018/12/contents/enacted
European Union (2016). Regulation (EU) 2016/679 (General Data Protection Regulation). Official Journal of the European Union L119: 1-88. http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf