This policy sets out how the College handles personal information about people in line with the current data protection legislation and guidance.
The Royal College of Obstetricians and Gynaecologists (RCOG) is dedicated to the encouragement of the study and the advancement of the science and practice of obstetrics and gynaecology. It was incorporated by Royal Charter in 1947 and is a registered charity (No. 13280). The College is governed by a board of Trustees. It:
- Improves and maintains proper standards in the practice of obstetrics and gynaecology for the benefit of the public
- Educates medical practitioners in all aspects of obstetrics and gynaecology; promotes study and research into obstetrics and gynaecology and publishes the results
- Conducts examinations for doctors wishing to specialise
- Maintains a register of its Fellows and Members and those undertaking its continuing professional development programme
- Reviews the suitability of training programmes for membership, specialist registration and subspecialties
- Advises the government and other public bodies on matters of healthcare relating to the specialty
- Provides statements and publishes reports on issues of public importance relevant to obstetrics and gynaecology
- Organises scientific meetings, congresses and courses in the UK and overseas
- Maintains a library and historical collection of records
- Produces evidence-based guidelines for appropriate practice and procedures
- Publishes patient information.
The College reserves the right to modify this policy at any stage.
In order to conduct its normal business, the RCOG collects and uses certain types of personal information about living individuals. These include current, past and prospective membership, staff, suppliers, clients, customers, and others with whom it has business, or with whom it communicates.
The College considers the lawful and correct treatment of such personal information as essential to the efficient and successful conduct of its business. It also recognises that it is crucial to fostering and maintaining the confidence of its main stakeholders and the wider public in the College and its operations.
The College is committed to ensuring that it treats personal information lawfully and correctly, and recognises that there are safeguards to ensure this in the existing data protection legislation, i.e. Data Protection Act, as well as forthcoming legislation, i.e. General Data Protection Regulation (GDPR) and the proposed Data Protection Act 2018.
Data protection principles
The College fully endorses and adheres to the Data Protection principles, specifically:
- Personal information shall be processed fairly and lawfully and, in particular, shall not be processed unless specific conditions are met
- Personal information shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes
- Personal information shall be adequate, relevant and not excessive in relation to the purpose(s) for which it is processed
- Personal information shall not be kept for longer than is necessary for those purpose(s)
- Personal information shall be accurate and, where necessary, kept up-to-date
- Personal information shall be processed in accordance with the rights of data subjects
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
- Personal information shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Organisational and management controls
The RCOG has in place appropriate management and organisational controls in order to:
- Observe fully conditions regarding the fair collection and use of personal information
- Meet its legal obligations to specify the purposes for which such information is used
- Collect and process appropriate information, and only to the extent that it is needed to fulfil operational needs, or to comply with any legal requirements
- Ensure the quality of personal information used
- Apply strict checks to determine the length of time personal information is held
- Ensure that the rights of people about whom information is held can be fully exercised, including:
  - The right to be informed that processing is being undertaken
  - The right of access to one’s personal information
  - The right to prevent processing in certain circumstances
  - The right to correct, rectify, block or erase information held about them
- Take appropriate technical and other security measures to safeguard personal information
- Ensure that personal information is not transferred abroad without suitable safeguards
- Carry out regular assessments of compliance with the current Data Protection legislation.
Staff supervision, awareness and training
- Has a named individual in place with specific responsibility for data protection – the Senior Information Risk Owner (SIRO)
- Ensures that everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice
- Describes clearly methods of handling personal information
- Arranges for appropriate training for everyone managing and handling personal information
- Supervises appropriately all staff who manage and handle personal information
- Ensures that staff deal with queries about personal information promptly and courteously
- Conducts a regular review and audit of the way personal information is managed
- Assesses and evaluates regularly methods of handling personal information.
Information governance management framework
The Senior Information Risk Owner (SIRO), Caldicott Guardian, Information Governance Manager, Information Governance Leads and Information Asset Owners are the senior IG roles within RCOG. Together they are accountable for:
- Ensuring effective management, accountability, compliance and assurance for all aspects of IG
- Ensuring there is top level awareness and support for IG
- Providing direction in formulating, establishing and promoting IG policies
- Ensuring assessments and audits for IG policies
- Reporting regularly to the Information Governance Management Group ensuring the approach to IG is communicated to all staff
- Ensuring appropriate training is made available to staff
- Ensuring compliance with law and national guidance
- Promoting risk assessment and mitigation of IG/IT risks, using risk management processes and, where necessary, escalating to the Corporate Risk Register
- Providing advice to staff on using, maintaining, transferring and sharing sensitive information
- Acting as the ‘conscience’ of the organisation in relation to handling and sharing of patient identifiable information and advising on lawful and ethical processing of information.
The following policies are in place and regularly reviewed:
- Information governance policy
- Security incident reporting policy
- Remote access policy
Key governance bodies
- Information Governance Management Group
Key staff (responsibilities highlighted in job descriptions):
- Senior Information Risk Owner (SIRO)
- Caldicott Guardian
- Information Governance Manager
- Information Asset Owners/Information Governance Leads
- ICO registration number: Z6382904
- Registration Expiry: 29 January 2020
To contact the College about any data protection issues, please email the Data Protection team at email@example.com.