Working together to handle personal data safely, respectfully and lawfully.
The Royal College of Obstetricians and Gynaecologists (the College) is a Data Controller for much of the personal information we collect and use. This includes current, past and prospective membership, staff, suppliers, clients, customers, and others with whom we have business, or with whom we communicate.
We are a small organisation with less than 250 employees so we do not have a Data Protection Officer. This function is shared between the Senior Information Risk Officer (SIRO) and the Deputy SIRO. Our address is in the footer below and our email address is: firstname.lastname@example.org.
We consider the lawful and correct treatment of personal information as essential to the efficient and successful conduct of our business. We recognise that it is crucial to fostering and maintaining the confidence of our main stakeholders and the wider public.
Please see our latest Data Protection Policy for further details on our commitment to data protection, including definitions of key terms used here, and how we protect your personal data.
Our purposes for processing personal information
The purposes for which we collect, process, share and store your personal information are:
- To provide you with training, education, support: research and library services throughout the Parts 1, 2 and 3 MRCOG and DRCOG examinations, sub-speciality expertise, continual professional development and performance monitoring, Advanced Training Skill Modules, and Advanced Professional Modules, in partnership with statutory education bodies where appropriate
- To quality assure education and training programmes
- To manage and deliver the Parts 1, 2 and 3 MRCOG and DRCOG examinations
- To deliver your Membership Ceremonies
- To manage and administer your membership with the College as a Trainee, Associate, Affiliate, Fellow, and Member, including doctor support, complaints and feedback
- To manage and administer the College’s committees and operations
- To assist NHS Trusts with independent reviews into their obstetric and gynaecological (O&G) services
- To develop O&G healthcare through dedicated research projects
- To develop and publish public information leaflets, clinical guidelines and journals
- To cascade O&G knowledge, learning and expertise globally
- To deliver meetings and events held at the College
- To raise money for the College through dedicated activities and fundraising
- To manage your registration on the College website
- To enable the digitisation and delivery of online services using IT and collaboration platforms – e.g. Microsoft Teams
- To keep you informed of O&G related events and activities either run by, commissioned or supported by the College
- To provide you with an Archive and Museum service so you can access and use our Heritage Collections
- To recruit, manage, administer, performance monitor and professionally develop our staff and volunteers including direct employees, workers, honorary contractors and freelancers.
Our lawful bases for processing personal information
Personal data processing must have a lawful basis for processing which are listed in our Data Protection Policy. The College uses these three lawful bases most:
- Legitimate interests – where the processing of personal data is necessary to meet the legitimate (including administrative) interests of us as a Data Controller or another third party, we will:
- check that legitimate interests is the most appropriate basis
- understand our responsibility to protect individual’s interests
- conduct a legitimate interests assessment (LIA) either separately or as part of a data protection impact assessment, to ensure the decision can be justified
- identify the relevant legitimate interests
- check the processing is necessary and there is no less intrusive way to achieve the same result
- complete a balancing test to be confident that the individual’s interests do not override our legitimate interests
- only use individuals’ data in ways you would reasonably expect, unless there’s a very good reason
- not use your data in ways you would find intrusive or which could cause you harm, unless there’s a very good reason
- consider safeguards to reduce any impact where possible
- consider whether we can offer an opt out
- if the LIA identifies a significant privacy impact, consider a DPIA
- keep the LIA under review, and repeat it if circumstances change
- include information about our legitimate interests in our privacy information.
- Contract – where the processing of personal data is required to enter into or carry out a contract with the individual(s), i.e. if we need to process someone’s personal data:
- to fulfil your contractual obligations to them; or
- because they have asked us to do something before entering into a contract (e.g. provide a quote)
- the processing must be necessary - if we can reasonably do what we want without processing your personal data, this basis will not apply
- document our decision to rely on this lawful basis and ensure that we can justify our reasoning
- where the processing is necessary for a contract with the individual, we do not need separate consent
- where the processing of special category data is necessary for the contract, we will identify a separate condition for processing this data
- we will document the decision that processing is necessary for the contract, and include information about our purposes and lawful basis in this privacy notice.
- Consent – where the individual provides informed consent to the processing of their data. When using consent, we will:
- check that consent is appropriate
- make the request for consent prominent and separate from terms and conditions
- ask people to “opt in”
- don’t use pre-ticked boxes
- use clear, plain language that is easy to understand
- specify why we want the data and what we’re going to do with it
- make separate requests for consent for all differing purposes and types of processing
- name our organisation and any third party controllers who are relying on the consent
- tell people they can withdraw their consent and refuse to consent without detriment
- avoid making consent a precondition of a service.
The recipients of the personal information we process
The College will only share personal information where we have a lawful basis to do so. The recipients of such information include:
- College staff
- trainees, fellows and members
- contracted suppliers and partners
- international and national professional partners, such as other O&G and specialist societies
- NHS Trusts and hospitals
- private healthcare providers.
Our international transfers of personal information
The College is an international organisation. We therefore process and transfer personal information with the EU/EEA and across the World.
We will ensure that adequate safeguards are in place to process and transfer your personal information securely.
Adequate safeguards include:
- Countries either signing up to the requirements of UK GDPR, or equivalent, by obtaining an “adequacy” decision by the UK government
- Standard Statutory Clauses (SSC) in service agreements and contracts with international suppliers and partners without an adequacy decision.
As a Data Controller based outside of the EEA, the College must appoint an EU Representative to ensure compliance with the EU GDPR with respect to our processing of personal data of EEA citizens.
We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any queries in relation to your rights or general privacy matters, please email our Representative at email@example.com Please ensure to include our organisation’s name in any correspondence you send to our Representative:
By email: firstname.lastname@example.org
By post: IT Governance Europe Ltd, Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682.
Our protection of personal information
The College is certified by the Cyber Essentials Plus security accreditation which is audited every year. We will ensure that all our partners processing personal information on our behalf meet the same or equivalent standards.
Our retention of personal information
The College has an established Retention Schedule developed in line with statutory requirements and the best practice outlined by The National Archives Office.
All of our records, including those containing personal information, are managed according to this schedule to ensure that the College only retains personal information for the minimum amount of time necessary.
Individual’s rights to the personal information we process
Data Subjects have:
- the right to be informed - e.g. Fair processing/privacy notices
- the right of access - e.g. subject access requests (SARs)
- the right to rectification - e.g. have their data corrected
- the right to erasure – e.g. have their data deleted/removed
- the right to restrict processing – e.g. stop their data being used
- the right to data portability – e.g. transfer their data easily
- the right to object – e.g. challenge what we’re doing with their data
- rights in relation to automated decision making and profiling – e.g. safeguards to make sure we don’t make potentially damaging decisions about them without human involvement.
Please see our Individual Rights Request guidance for further detail and our online form if you want to make a request.
National Data Opt Out Policy
All health and care organisations must comply with the national data opt-out policy by March 2020. This requirement is supported by Information Standard: DCB3058: Compliance with National Data Opt-outs.
To comply with the national data opt-out policy, we have put procedures in place to review uses or disclosures of confidential patient information against the operational policy guidance. For example, built the requirements into our Data Protection Impact Assessments, contract clauses and Information Sharing arrangements, as well as adopting technical solutions where appropriate.
Therefore, the College commits to only processing health/patient data where the Data Subjects have not opted out of their data to be used for secondary purposes such as research.
- All personal data collection forms refer to this Policy and sometimes supplement it with further explanations using ICO derived checklists
- Where consent is the lawful basis for processing, these will be added too using ICO derived checklists
- Regular housekeeping of your personal data is undertaken to ensure compliance with the College Retention Schedule
The Crown Initiative
The CROWN Initiative obtains information about you when you register to receive our email newsletters. We collect your name, position and email address to allow us to send you relevant communications. Some administration for the CROWN Initiative is currently performed at QMUL and your information may be shared with individuals from this institution.
You have the right to withdraw your consent and unsubscribe from CROWN Initiative email communications at any time by contacting us by email (email@example.com).
The College may store information about you using cookies. Cookies are small files that are downloaded to your device as you visit websites. Some cookies are essential – the website will not function without them. Others are important as they provide us with information about how well the site is working, or how it is being used.
We do not store information that allows us to identify you without your permission, and we do not share cookies with third parties.
- Allow you to book examinations and events
- Provide access to RCOG eLearning and the CPD ePortfolio
- Determine if you are logged in or not
- Provide you with other membership benefits, including access to online journals, TOG and BJOG
- Ensure the site is functioning correctly
This table provides more information about the cookies we use:
Anonymous Episerver CMS cookie
Privacy Enhanced Mode allows you to embed YouTube videos without using cookies that track viewing behaviour. This means no activity is collected to personalize the viewing experience. Instead, video recommendations are contextual and related to the current video. Videos playing in Privacy Enhanced Mode won’t influence the viewer's browsing experience on YouTube.
Turning cookies off
You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies. However, doing so will limit the functionality of a large proportion of the world’s websites, including this one, as cookies are a standard part of most websites.
For more information about blocking cookies in your browser, click the relevant link below:
PC or Mac browsers
To manage your preferences on Google Analytics, please click here.
For further advice concerning any aspect of this policy, please contact the Information Governance (IG) Team by email or call +44 20 7772 6309.