Working together to handle personal data safely, respectfully and lawfully
The Royal College of Obstetricians and Gynaecologists (the College) is a Data Controller for much of the personal information we collect and use. This includes current, past and prospective membership, employees, officers/committee and board members, suppliers, clients, customers, and others with whom we have business, or with whom we communicate.
We are a small organisation with fewer than 250 employees so we do not have a Data Protection Officer. This function is shared between the Senior Information Risk Officer (SIRO) and the Deputy SIRO. Our address is in the footer below and our email address is: dataprotection@rcog.org.uk.
We consider the lawful and correct treatment of personal information essential to the efficient and successful conduct of our business. We recognise it is crucial to fostering and maintaining the confidence of our main stakeholders and the wider public.
We are committed to handling personal information lawfully and correctly, and recognise the safeguards enshrined in data protection law. The following privacy policy statement tells you what, how and when we collect, process, share and destroy (or erase) the personal data collected for our business.
Please see our latest Data Protection Policy for further details on our commitment to data protection, including definitions of key terms used here, and how we protect your personal data.
RCOG ICO Registration
The Information Commissioner’s Office (ICO) is the UK's independent body set up to uphold information rights. Find out more about their organisation and structure on their website: https://ico.org.uk/about-the-ico/
Reference number: Z6382904
Tier: Tier 1
Start date: 30 January 2024
End date: 29 January 2025.
Our purposes for processing personal information
The purposes for which we collect, process, share and store your personal information are:
- To provide you with training, education, support, research and library services throughout the Parts 1, 2 and 3 MRCOG and DRCOG examinations, sub-speciality expertise, continual professional development and performance monitoring, Advanced Training Skill Modules, and Advanced Professional Modules, in partnership with statutory education bodies where appropriate
- To quality assure education and training programmes
- To manage and deliver the Parts 1, 2 and 3 MRCOG and DRCOG examinations
- To deliver your Membership Ceremonies
- To manage and administer your membership with the College as a Trainee, Associate, Affiliate, Fellow, and Member, including College elections, doctor support, complaints and feedback, in line with Medical Workforce Race Equality standards
- To manage and administer the College’s committees and operations
- To develop O&G healthcare through dedicated research projects
- To develop and publish public information leaflets, clinical guidelines and journals
- To cascade O&G knowledge, learning and expertise globally
- To deliver meetings and events held at the College
- To process, aggregate, and share anonymised Membership ethnic diversity and inclusion data as part of the Medical Workforce Race Equality Standard (MWRES)
- To raise money for the College through dedicated activities and fundraising
- To manage your registration on the College website, making regular checks with you and the Customer Relationship Management system to ensure your details and preferences are correct
- To keep you informed of O&G related events and activities either run by, commissioned or supported by the College
- To enable the digitisation and delivery of online services using IT and collaboration platforms – e.g. Microsoft Teams
- To provide you with an Archive and Museum service so you can access and use our Heritage Collections
- To recruit, manage, administer, performance monitor and professionally develop our staff and volunteers including direct employees, workers, honorary contractors and freelancers
- To manage and deliver the essential administrative, security (including CCTV) and audit functions of the College, including the handling of all Individual Rights Requests.
The RCOG is not responsible for Third Party Privacy Notices but these are checked as part of completing contractual due diligence with them – you are advised to check them too.
Our lawful bases for processing personal information
All personal data must have a lawful basis for processing. The College must select the relevant lawful basis from the following, as listed in Articles 6 and 9 in the UK GDPR:
- Personal data processing (Article 6):
  - Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  - Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  - Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  - Vital interests: the processing is necessary to protect someone’s life.
  - Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  - Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data, which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
- Special category data processing (Article 9):
  - the data subject has given explicit consent
  - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
  - processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
  - processing is carried out in the course of its legitimate activities with appropriate safeguards by specific organisations, on condition that the processing relates solely to the members or to former members of that organisation
  - processing relates to personal data made public by the data subject
  - processing is necessary for the establishment, exercise or defence of legal claims
  - processing is necessary for reasons of substantial public interest
  - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services
  - processing is necessary for reasons of public interest in the area of public health
  - processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
As the College is a charitable, membership organisation, not all of the bases listed may be relevant for the purpose of the personal data processing.
Special category College Membership data is processed under Article 9(g) substantial Public Interest. It is only shared where explicit consent is obtained or where it has been fully anonymised and does not identify the individuals concerned.
Please see our Data Protection Policy for a glossary of terms and definitions.
The recipients of the personal information we process
The College only shares personal information where we have a lawful basis to do so. The recipients of such information include:
- College employees
- trainees, fellows and members, including associates and affiliates
- RCOG officers/council/committee and board of trustee members
- contracted suppliers and partners
- international and national professional partners, such as other O&G and specialist societies
- NHS Trusts and hospitals
- Regional NHS commissioning boards, including NHS England
- private healthcare providers.
Sharing information with partners
When the College has a lawful basis for sharing personal data with external third party individuals, contractors, suppliers, partner organisations, Data Processors or Data Controllers, the sharing is governed by:
- EITHER, a UK GDPR compliant contract/service agreement – e.g. written, current and containing the RCOG Data Protection Schedule;
- OR, a UK GDPR compliant information sharing agreement based on NHS Digital standards.
Please see the Records Management and Data Protection Policies and Procedures for details.
Our international transfers of personal information
The College is an international organisation, so we process and transfer personal information with the EU/EEA and across the world.
We ensure adequate safeguards are in place to process and transfer your personal information securely.
Adequate safeguards include:
- Countries either signing up to the requirements of UK GDPR, or equivalent, by obtaining an “adequacy” decision by the UK government
- The new Information Commissioner’s Office (ICO) approved processes for the international transfer of data, e.g. completing and signing the new International Data Transfer Agreement.
Our protection of personal information
The College holds Cyber Essentials Plus security accreditation, which is audited and renewed annually. We ensure all our partners processing personal information on our behalf meet the same or equivalent standards.
Our retention of personal information
The College has an established Retention Schedule developed in line with statutory requirements and the best practice outlined by The National Archives and the Information Commissioner’s Office.
All of our records, including those containing personal information, are managed according to this schedule. This ensures the College only retains personal information for the minimum amount of time necessary.
Individuals’ rights to the personal information we process
Data Subjects have:
- the right to be informed – e.g. fair processing/privacy notices
- the right of access – e.g. subject access requests (SARs)
- the right to rectification – e.g. have their data corrected
- the right to erasure – e.g. have their data deleted/removed
- the right to restrict processing – e.g. stop their data being used
- the right to data portability – e.g. transfer their data easily
- the right to object – e.g. challenge what we’re doing with their data
- rights in relation to automated decision making and profiling – e.g. safeguards to make sure we do not make potentially damaging decisions about them without human involvement.
Please see our Individual Rights Request guidance for further detail and our online form if you want to make a request.
National Data Opt Out Policy
All health and care organisations must comply with the national data opt-out policy by March 2020. This requirement is supported by Information Standard: DCB3058: Compliance with National Data Opt-outs.
To comply with the national data opt-out policy, we have put procedures in place to review uses or disclosures of confidential patient information against the operational policy guidance. For example, we have built the requirements into our Data Protection Impact Assessments, contract clauses and Information Sharing arrangements, as well as adopting technical solutions where appropriate.
Therefore, the College commits to only processing health/patient data where the Data Subjects have not opted out of their data being used for secondary purposes such as research.
Our Privacy Policy “in practice”
The College applies the privacy policy in the following day-to-day practices:
- All personal data collection forms refer to this Policy and sometimes supplement it with further explanations using ICO derived checklists
- Where consent is the lawful basis for processing, we obtain specific, informed and explicit consent using ICO derived checklists
- Regular housekeeping of your personal data is undertaken to ensure compliance with the College Retention Schedule
- All changes to the Privacy Policy are shared with College members.
Supporting Privacy Notices from across the College
The College has developed detailed privacy policies for the following processing of personal data across the College:
- Chief Executive’s Office
- People and Organisational Development
- Recruitment
- Terms and Conditions of Employment
- People and Organisational Development
- Membership, Global and Governance
- Corporate Governance
- Officer Elections 2022
- Corporate Governance
Does the College use cookies?
The College may store information about you using cookies. Cookies are small files that are downloaded to your device as you visit websites. Some cookies are essential – the website will not function without them. Others are important as they provide us with information about how well the site is working, or how it is being used.
We do not store information that allows us to identify you without your permission, and we do not share cookies with third parties.
We use cookies to:
- Allow you to book courses, examinations and events
- Provide access to RCOG eLearning and the CPD ePortfolio
- Provide you with other Membership benefits, including access to online journals, TOG and BJOG
- Ensure the site is functioning correctly.
In addition, we use cookies to compile anonymous visitor statistics. For example:
- How many people have visited our website
- What type of system or device they are using (e.g. Mac/Windows, or tablet/phone, which helps us to identify when our site isn’t working as it should for those systems or devices)
- How long they spend on the site, what pages they look at, etc.
This helps us to improve our website continuously.
These ‘analytics’ tools tell us, anonymously, how people reached this site (e.g. from a search engine) and whether they have been here before.
All of this information helps us:
- to put more money into developing services you need and use, and
- to minimise the use of Membership fees on services our analytics show you do not need or use.
This table provides more information about the cookies we use:
Essential
| Name | Information |
| --- | --- |
| .ASPXANONYMOUS | Anonymous Episerver CMS cookie |
| ASP.NET_SessionId | Session cookie |
Important
| Name | Information |
| --- | --- |
| _ga | Google Analytics |
| _gid | Google Analytics |
| _gat | Google Analytics |
| NID | Privacy Enhanced Mode allows you to embed YouTube videos without using cookies that track viewing behaviour. This means no activity is collected to personalize the viewing experience. Instead, video recommendations are contextual and related to the current video. Videos playing in Privacy Enhanced Mode will not influence the viewer's browsing experience on YouTube. |
In addition, the College site uses cookies from New Relic, which collects telemetry data to monitor site performance. Some booking payments are processed through a microsite that uses Microsoft Azure Application Insights, which performs a similar function.
Turning cookies off
The RCOG website offers a control panel, accessible from an icon in the bottom right of every page, which allows you to decide if you will permit us to collect ‘important’ cookies. This control does not allow you to switch off cookies that are essential to the site function.
In addition, on your device, you can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies. However, doing so will limit the functionality of a large proportion of the world’s websites, including this one, as cookies are a standard part of most websites.
For more information about blocking cookies in your browser, click the relevant link below:
PC or Mac browsers
- Chrome
- Firefox
- Internet Explorer
- Safari OSX
- Opera
Mobile browsers
- Safari iOS
- Android
To manage your preferences on Google Analytics, please click here.
For further advice concerning any aspect of this policy, please contact the Information Governance (IG) Team by email or call +44 20 7772 6309.