This policy sets out how the College handles personal information about people in line with data protection legislation and guidance.
The Data Protection Policy (the Policy) ensures the Royal College of Obstetricians and Gynaecologists (the College) complies with Data Protection Law, namely the EU General Data Protection Regulation 2016/679 (GDPR) and the Data Protection Act (DPA) 2018. These set out the framework for how the UK processes personal data:
- GDPR, enforceable in all EU member states from 25 May 2018, covers most of the legal obligations for processing personal data in the UK
- DPA 2018 supplements GDPR in UK law and replaces the DPA 1998. It sets out:
  - how other information rights legislation (e.g. the Freedom of Information Act 2000) interacts with the DPA 2018 and GDPR
  - how personal data must be processed in the UK where the processing falls outside EU law, e.g. immigration or national security matters
  - UK-specific rules that complement GDPR, e.g. additional conditions required for the processing of special category personal data
  - the role, functions and powers of the Information Commissioner's Office (ICO).
The Policy applies to:
- all staff (employed and contracted), officers, trainees, members, College representatives and suppliers who handle and use our information (where we’re the 'Controller' for the personal data being processed), whether we hold it on our systems (manual and automated) or if others hold it on their systems for us
- all personal data processing we carry out for others (where we’re the 'Processor' for the personal data being processed)
- all formats, e.g. printed and digital information, text and images, documents and records, data and audio recordings.
In order to conduct its normal business, the College collects and uses certain types of personal information about living individuals. These include current, past and prospective trainees, members, staff, College representatives, suppliers, clients, customers, and others with whom it has business, or with whom it communicates.
The College considers the lawful and correct treatment of such personal information as essential to the efficient and successful conduct of its business. It also recognises that it is crucial to fostering and maintaining the confidence of its main stakeholders and the wider public in the College and its operations.
The College is committed to ensuring that it treats personal information lawfully and correctly, and recognises that there are safeguards to ensure this in data protection law.
The Policy’s objectives are to:
- comply with Data Protection Law, e.g. data protection impact assessments
- meet our data protection standards, e.g. information sharing arrangements
- protect the rights of our staff, officers, trainees, members, College representatives, suppliers, clients, customers and public users, e.g. procedures to govern Individual Rights’ request handling
- protect the College from the risks of a data protection breach and related reputational, financial and legal damage, e.g. encrypt special category personal data.
“Personal Data” is any information that relates to an identifiable living person (or “Data Subject”) and that can be used to identify the person directly, or indirectly when combined with other information. It includes:
- a person's name
- job title
- postal or email address
- online identifiers, e.g. an IP address
- vehicle registration number
- bank details
- plus any other information that relates to them, e.g. a pseudonym.
There are “Special Categories” of personal data and these include data revealing:
- race or ethnicity
- political opinions
- religious or philosophical beliefs
- trade union membership
- a person’s health
- sex life or sexual orientation
- genetic data, or biometric data used to uniquely identify a person.
“Processing” covers any operation performed on personal data by manual or automated means, from collection through to erasure and destruction, including recording, organisation, storage, use, disclosure and sharing.
Much of the information we process includes personal data about, e.g.:
- trainees and members of the College
- visitors to the College
- users of College services, e.g. the website and library
- staff and officers working for the College
- contractors and suppliers of the College
- partners with the College, e.g. specialist societies.
Roles and responsibilities
The data protection laws have clearly defined roles and responsibilities.
A “Data Controller” is an individual or organisation who:
- decides to collect or process personal data
- decides what the purpose or outcome of processing is to be
- decides what personal data should be collected
- decides which individuals to collect personal data about
- obtains a commercial gain or other benefit from the processing, except for any payment for services from another controller
- processes personal data as a result of a contract between it and the data subject
- has data subjects who are its employees
- makes decisions about the individuals concerned as part of or as a result of the processing
- exercises professional judgement in the processing of the personal data
- has a direct relationship with the data subjects
- has complete autonomy as to how the personal data is processed
- has appointed processors to process the personal data on its behalf.
“Joint Data Controllers” are two or more individuals or organisations who:
- have a common objective regarding the processing
- process the personal data for the same purpose
- use the same set of personal data (e.g. one database) for this processing
- design the processing together
- have common information management rules.
A “Data Processor” is an individual or organisation who:
- follows instructions from someone else regarding the processing of personal data
- is given the personal data by a customer or similar third party, or told what data to collect
- does not decide whether to collect personal data from individuals
- does not decide what personal data should be collected from individuals
- does not decide the lawful basis for the use of that data
- does not decide what purpose or purposes the data will be used for
- does not decide whether to disclose the data, or to whom
- does not decide how long to retain the data
- makes some decisions on how data is processed, but implements these decisions under a contract with someone else
- has no interest of its own in the end result of the processing.
The College is predominantly a “data controller” when processing personal data, e.g. when we procure a service from a supplier under contract and the supplier is the “data processor”. Sometimes we are a “joint data controller”, e.g. many of our clinical quality projects and reviews involve sharing the “data controller” responsibilities with our NHS partners.
A “Data Subject” is the identified or identifiable living individual to whom personal data relates.
The Policy defines the College’s data protection roles and responsibilities:
- Staff must:
  - understand, keep up to date with, and comply with the Policy
  - complete their mandatory Data Security Awareness training every year, and within four weeks of joining the College; completion of the training is monitored and reported to the Executive Director and Directors.
- Line managers and Officers must:
  - apply the Policy across their team(s)
  - cascade data protection awareness communications to their team(s)
  - make sure their staff comply with the Policy
  - make sure their staff complete the mandatory Data Security Awareness training within the given timescales
  - monitor suppliers' and partners' compliance with the Policy through routine procurement and contract management activities, e.g. use appropriate contractual clauses and supporting information sharing agreements.
- Information Asset Owners: Information Asset Ownership across the College has been delegated to Directors and some Information Governance Leads. This includes making decisions about how information is processed, e.g. what is collected, how it is used, who it is shared with, when it is deleted, and whether information risks are mitigated further or accepted by the College. Information Asset Owners must:
  - understand what information assets their team(s) process
  - understand their value to the College and the related approach, appetite and capacity for risks and opportunities, in conjunction with the College's risk management standards
  - make sure the information is managed according to the Policy.
- Information Governance (IG) Leads are staff nominated by the Information Asset Owners and must:
  - champion IG, including data protection, within their departments
  - be the first point of contact on all IG-related matters, including data protection, within their departments
  - raise and monitor awareness of good IG practice within their departments, especially the processing of personal data
  - facilitate an annual assessment across their departments for the Data Security and Protection Toolkit.
- The Information Governance Management Group (IGMG) is responsible for overseeing all aspects of IG at the College, including data protection, and must:
  - ensure College compliance with statutory and regulatory requirements, e.g. GDPR and DPA
  - report to the Audit and Risk Committee.
- The Senior Information Risk Officer (SIRO) is responsible for implementing and leading on IG risk assessment and management processes within the College and must:
  - advise the Executive Team and Chief Executive Officer on the effectiveness of information risk management
  - lead on the management of security incidents and data protection breaches
  - chair the IGMG.
- The Caldicott Guardian is primarily responsible for protecting confidential personal information and ensuring it is used in line with the Caldicott Principles.
- The Information Governance Officer is part of the Research and Information Services Team and must:
  - provide day-to-day management of IG and data protection compliance across the College
  - provide advice and support to the IG Leads, Information Asset Owners and the wider organisation
  - act as Administrator for the Toolkit
  - implement records management best practice
  - investigate security incidents and breaches
  - coordinate Individual Rights requests, e.g. Subject Access Requests (SARs).
- The Head of Information and Governance is responsible for the delivery of IG best practice and must:
  - report to the SIRO
  - lead on data protection matters, including this Policy
  - be the named contact for external authorities, e.g. the ICO and NHS Digital.
- Trainees, members, College representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct.
The College commits to processing all personal data in compliance with the data protection principles (unless a data protection law exemption applies).
Personal data must:
- (a) be processed lawfully, fairly and in a transparent manner (Lawful, fair and transparent)
- (b) be obtained only for specified, explicit and legitimate purposes, and not further processed in a manner incompatible with those purposes (Purpose limitation)
- (c) be adequate, relevant and limited to what is necessary (Data minimisation)
- (d) be accurate and, where necessary, kept up to date (Accuracy)
- (e) not be kept for longer than necessary (Storage limitation)
- (f) be protected by appropriate technical and organisational measures (Integrity and confidentiality/Security).
The College must be able to demonstrate how it complies with principles (a) to (f) (Accountability); the Policy therefore governs or is integral to the following policies and procedures:
- Privacy Notice - principles (a) and (b)
- Data Protection Impact Assessment and Guidance – principles (c) and (f)
- Guidance on Handling Personal Data – principles (a), (b) and (c)
- Information Asset Register – all the principles
- Records Management policy and procedures, e.g. Retention Schedule (PDF) - principles (d) and (e)
- Security Incident and Reporting Policy - principle (f)
- Remote Access and Information Security Policy - principle (f)
- Individual Rights Requests Guidance - all the principles.
All personal data processing must have a lawful basis for processing from the following:
- the Data Subject consents to the processing of their personal data
- the processing is necessary:
  - to enter into or carry out a contract with the Data Subject
  - to comply with our (or another Controller’s) legal obligations
  - to protect the vital interests of the Data Subject
  - to exercise our (or another Controller’s) official authority or perform a public interest task
  - to meet the legitimate interests of a Controller or another third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the Data Subject.
We must also meet one of the following additional conditions where we process special categories of personal data; these are defined by GDPR, with the DPA 2018 setting additional UK requirements:
- the data subject has given explicit consent
- processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- processing is carried out, with appropriate safeguards, in the course of the legitimate activities of certain not-for-profit bodies, on condition that the processing relates solely to the members or former members of that body
- processing relates to personal data manifestly made public by the data subject
- processing is necessary for the establishment, exercise or defence of legal claims
- processing is necessary for reasons of substantial public interest
- processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
- processing is necessary for reasons of public interest in the area of public health
- processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes.
The College commits to the processing of all personal data in compliance with the Data Subjects’ Individual Rights (unless a data protection law exemption applies).
Data Subjects have:
- the right to be informed - e.g. Fair processing/privacy notices
- the right of access - e.g. subject access requests (SARs)
- the right to rectification - e.g. have their data corrected
- the right to erasure – e.g. have their data deleted/removed
- the right to restrict processing – e.g. stop their data being used
- the right to data portability – e.g. transfer their data easily
- the right to object – e.g. challenge what we’re doing with their data
- rights in relation to automated decision making and profiling – e.g. safeguards to make sure we don’t make potentially damaging decisions about them without human involvement.
As part of these rights, Data Subjects can complain to the ICO about data protection breaches and can bring court proceedings for compensation where a data protection breach has caused them damage (including distress).
The College commits to processing all personal data in compliance with all the data protection obligations outlined above (unless a data protection law exemption applies), and further commits to:
- maintaining a record of our processing activities (RoPA), e.g. the College’s Information Asset Register
- appointing a 'Data Protection Officer' (DPO) or equivalent – the College has fewer than 250 employees and has assessed that it is not required to appoint a DPO, so the function is shared between the Head of Information and Governance and the SIRO
- adopting a 'Privacy by Design and Default' approach to personal data processing, including completing data protection impact assessments (DPIA) on all high-risk data processing, e.g. the College’s data protection impact assessment
- paying the ICO an annual data protection fee (DP Fee)
- notifying the ICO within 72 hours of becoming aware of an information security incident (IS Incident) involving personal data, unless the incident is unlikely to result in a risk to data subjects’ rights and freedoms
- processing personal data within the EU and only transferring it outside the EU if appropriate safeguards are in place.
Data protection law exemptions are applied only once they have been considered with reference to the law, ICO-issued guidance and the College’s other information management and information governance policies and, where appropriate, following advice from the Research and Information Services Team.
Data Protection Regulator: the ICO
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights. Find out more about their organisation and structure on their website: https://ico.org.uk/about-the-ico/
- All staff must receive training, appropriate to their role, to help them understand how to process personal data in line with the Policy - e.g. complete the annual, mandatory data security awareness training and other training as and when required
- All staff processing special category personal data, or with a dedicated IG role, must attend the Advanced Data Protection training course
- All staff must assess and manage the risks around how they process personal data to make sure it’s classified and handled appropriately using the appropriate College tool - e.g. complete a DPIA for all projects/initiatives/procurements involving personal data and follow the Guidance to Handling Personal Data
- All Trainees, members, College representatives and suppliers must follow all the data protection requirements in their respective role descriptions, contracts, terms and conditions and/or Code of Conduct
- All staff, officers, trainees, members and College representatives must inform the IG Officer of any Individual Rights Request received relating to the College
- All staff, officers, trainees, members and College representatives must promptly report potential or actual breaches of the Policy or data protection law to the IG Officer in the Research and Information Services Team, in line with the Security Incident and Reporting Policy
- All staff, officers, trainees, members, College representatives and suppliers must fully co-operate with any investigation, audit or enforcement activity undertaken by the ICO.
The College, or our suppliers, may log staff, officer, trainee, member or College representative activity to:
- monitor compliance with our policies to provide assurance on adherence to the Policy
- respond to incidents
- prevent, detect, or investigate crime.
We will take appropriate action against staff, officers, trainees, members, College representatives or suppliers found to be in breach of the Policy, as appropriate to their role. Such action may include, but is not limited to, disciplinary investigations, dismissal, civil or criminal proceedings and fines.
To contact the College about any data protection issues, please email the Data Protection team at firstname.lastname@example.org.