RCoA Privacy Notice

1. What is this Notice?

The Royal College of Anaesthetists (“RCoA”, “we”, “our” and “us”) is a registered charity in England and Wales (1013887) and in Scotland (SCO37737).

This Privacy Notice relates to our website (www.rcoa.ac.uk) (the “Website”).

The RCoA may collect personal information about users of the Website (“you”). When we mention “personal information” in this Notice, we mean any information that relates to an identifiable natural person (also known as “personal data”). Your name, address, date of birth and contact details are all examples of your personal information, if they identify you.  Where we talk about where we “process” your personal information (and “processing” and “processed”) we mean any activity relating to personal information, including, by way of example, collection, storage, use, consultation and transmission.

The RCoA takes the lawful and correct treatment of personal information very seriously. The RCoA is fully committed to treating your personal information in accordance with the principles of data protection, as set out in the General Data Protection Regulation (EU) 2016/679 (the “GDPR”).

This Privacy Notice describes why and how we collect and use personal information and provides information about your rights.  It applies to all the personal information you provide to us.  We may use personal information provided to us for any of the purposes described in this Privacy Notice or as otherwise stated at the point of collection.

You should read this Notice, so that you know what we are doing with your personal information. Please also read any other privacy notices that we give you, that might apply to our use of your personal information in specific circumstances in the future.

Please note that this Privacy Notice covers our Website only. Other websites linked to or from this Website are not covered by this Notice. Such other sites may also make use of their own cookies and will have their own privacy policies. You should carefully review the privacy policies and practices of other sites, as we cannot control or be responsible for their privacy practices. We do not accept any liability for the privacy practices of third party websites and your use of such websites is at your own risk.

2. What information do we collect about you and how do we use this?

Under the GDPR, RCoA is a ‘data controller’, which means that we make decisions about how and why we process your personal information and, because of this, we are responsible for making sure it is used in accordance with data protection laws.

We collect many different types of personal information about you for lots of reasons. We cannot administer your membership without your personal information. Where we don’t need your personal information, we will make this clear, for instance we will explain if any data fields in our application forms or member surveys are optional and can be left blank.

We collect the following personal information from you, for example, when you visit our Website, apply for and obtain membership, create an account, correspond with us and purchase merchandise. We also obtain it from college tutors, regional advisers and heads of school, members of ACTACC, trainees and examination candidates, and local hospitals (we may also create some of this personal information ourselves e.g. generating your College Reference Number):

Category of personal information Examples of your personal information 
Contact information Name, title, address, e-mail address, telephone number, social media handle
Personal information Gender/sex, date of birth, national residency information, NHS number
Equal opportunities information Health conditions (in some cases), religion or belief, sexual orientation and ethnic origin
Membership/CCT information College Reference Number, subscription/membership records, application form, curriculum vitae, qualifications, skills, experience, employment history, professional development records, copies of examination certificates, information relating to training post, current appointment information and registration type, fellow certification, copy of membership certificate, GMC Number, GMC restrictions. 
Financial information Bank details, direct debit information, membership payment records
Preference information Your account settings and communication preferences
Communication information Communications between you and us
Website usage information Please refer to Cookie Policy
Feedback information Information you provide us when you give us feedback on our Website
e-portfolio information Information submitted during the registration procedure and assessments
CPD information Information submitted during the registration procedure and CPD records
Account information Information held in relation to your account on the Website, including log in details

If any of the personal information you have given to us changes, such as your contact details, please inform us without delay by contacting membership@rcoa.ac.uk.

Where we collect information that you voluntarily provide when you complete membership surveys and feedback forms, the personal information you provide is anonymised, unless you choose to provide your contact information.

 

3. What do we do with your personal information?

We process your personal information for various purposes.

We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal information. There are six such permitted lawful bases for processing personal information. The table below sets out the different purposes for which we process your personal information and the relevant lawful basis on which we rely for that processing. 

Lawful basis and purpose What categories of personal information do we use
(see 2 above)?

Legitimate interests

 

Administration of membership - management and administration of membership records; promotion of RCoA products and services; sharing information about RCoA activities.

 

 

Contact information

Personal information

Financial information

To provide you with appropriate products, services and member benefits eg. Bulletin.  To share information with you about RCoA activities

Contact information

Newsletters – President’s Newsletter, Devolved Nations Newsletter, Events Newsletter, International Newsletter

Contact information

Training - administration of CCT - management and administration of training records and e-portfolio to enable trainees to progress to CCT

Contact information

Personal information

Membership/CCT information

Education – administration of events – administration of specialist society

Contact information

Personal information

ACTACC –

Administration of membership – administration of specialist society

Contact information

Personal information

Financial information

Examinations –

Administration of examination - Administration of FRCA and associated College and faculty examinations

Contact information

Personal information

Processing and managing your membership of our organisation

Contact information

Personal information

Membership/CCT information

Financial information

CPD information

Account information

Administration of applications to College roles eg Examiners, AAC assessors, ACSA Reviewer

Contact information

Personal Information

Administration of grant/fellowship/bursary/award applications

Contact information

Personal information

Administration of ACCEA nominees

Contact information

Personal information

Administration of Honours nominees

Contact information

Personal information

To provide you with any information you request

Contact information

So that we can communicate with you as necessary

Contact information

Communication information

To carry out analysis about the use of our website

Website usage information

Feedback information

To carry out research and statistical analysis

Website usage information

Feedback information

Research –

Perioperative Quality Improvement Programme (PQIP) - to improve outcomes for patients having major surgery

Contact information

Sensitive Personal information

Research – SNAP 2 – EpICSS - to describe the epidemiology of perioperative risk and outcome, and critical care referral and admission after inpatient surgery in the UK. It also aims to examine whether planned postoperative critical care admission is effective as an intervention to reduce postoperative morbidity. Sensitive Personal information

Consent

BJA & BJA Education - for Elsevier to send you online access to BJA and BJA Education

 

Contact information

Personal Information

Preference information

Online CPD System – to provide you with online access to the system

Contact information

Personal information

Membership Engagement Panel – to receive membership surveys

Contact information

Feedback information

Contract

Invited Reviews – to undertake invited reviews commissioned by healthcare providers

 

Contact information

Personal information

Anaesthesia Clinical Services Accreditation (ACSA) – to undertake departmental accreditation commissioned by healthcare providers

Contact information

Personal information

We may also convert your personal information into statistical or aggregated form to better protect your privacy, or so that you are not identified or identifiable from it. Anonymised data cannot be linked back to you. We may use it to conduct research and analysis, including to produce statistical research and reports. For example, to help us understand the numbers within different categories of memberships at any given time. 

 

4. Special category personal information (including criminal information)

We are required by law to treat certain categories of personal information with even more care than usual. These are called sensitive or special categories of personal information and different lawful bases apply to them. The table below sets out the different purposes for which we process your special category personal information and the relevant lawful basis on which we rely for that processing. For some processing activities, we consider that more than one lawful basis may be relevant – depending on the circumstances.

Lawful basis and purpose What categories of personal information do we use
(see 2 above)?

It is necessary for reasons of substantial public interest

 

Managing and administering our equal opportunities reporting in relation to examinations, membership and CCT

Equal opportunities information

It is necessary to perform a task in the public interest or in our official authority

 

It is necessary for reasons of public interest in the area of public health

 

Research - National Emergency Laparotomy (NELA) - to enable the improvement of the quality of care for patients undergoing emergency laparotomy

Sensitive Personal information

 

5. Who do we share your personal information with?

Sometimes we need to share your personal information with other people.
From time to time we may ask third parties to carry out certain functions for us, such as payment processing or mailing. These third parties will process your personal information on our behalf (as our processor). We will disclose your personal information to these parties so that they can perform those functions. Before we disclose your personal information to other people, we will make sure that they have appropriate security standards in place to make sure your personal information is protected and we will enter into a written contract imposing appropriate security standards on them. Examples of these third party service providers include service providers and/or sub-contractors, such as third party payment processors, mailing houses and our IT systems software and maintenance, back up, and server hosting providers.

In certain circumstances, we will also disclose your personal information to third parties who will receive it as controllers of your personal information in their own right for the purposes set out above, in particular:

  • if we transfer, purchase, reorganise, merge or sell any part of our business or the business of a third party, and we disclose or transfer your personal information to the prospective seller, buyer or other third party involved in a business transfer, reorganisation or merger arrangement (and their advisors); and
  • if we need to disclose your personal information in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our employees, customers or others.

We have set out below a list of the categories of recipients with whom we are likely to share your personal information:

  • third party service providers (see above);
  • regional advisors and colleges (including their College Tutors, Postgraduate Deans and relevant Deanery staff);
  • consultants and professional advisors including legal advisors and auditors;
  • courts, court-appointed persons/entities, receivers and liquidators;
  • business partners and joint ventures;
  • trade associations and professional bodies;
  • insurers; and
  • governmental departments, statutory and regulatory bodies including the General Medical Council, Department for Work & Pensions, Information Commissioner’s Office, the police and Her Majesty’s Revenue and Customs.

We may also share your personal information with third parties, as directed by you.

We will only disclose your personal information in accordance with applicable laws and regulations.

 

6. Where in the world is your personal information transferred to?

If any of our processing activities require your personal information to be transferred outside the European Economic Area, we will only make that transfer if:

  • the country to which the personal information is to be transferred ensures an adequate level of protection for personal information;
  • we have put in place appropriate safeguards to protect your personal information, such as an appropriate contract with the recipient.
  • the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
  • you explicitly consent to the transfer.

 

7. How do we protect your data?

RCoA takes the security of your personal information seriously. In order to prevent unauthorised access or disclosure and unlawful or unauthorised processing and accidental loss, destruction or damage, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. For example, we have adopted internal data protection procedures and trained our staff on them with a view to preventing breaches of security. 

We take all reasonable steps to protect any personal information you submit via the website. However, as our Website is grouped to the internet, which is inherently insecure, we cannot guarantee the information you supply will not be intercepted while being transmitted over the internet.  Accordingly, we have no responsibility or liability for the security of personal information transmitted via our Website.

 

8. For how long does the college keep data?

We hold your personal information only as long as necessary and in line with our Data Retention Policy, which can be viewed on request.

We will only retain your personal information for a limited period of time. This will depend on a number of factors, including:

  • any laws or regulations that we are required to follow;
  • whether we are in a legal or other type of dispute with each other or any third party;
  • the type of information that we hold about you; and
  • whether we are asked by you or a regulatory authority to keep your personal information for a valid reason.

 

9. Your rights

You have certain legal rights, which are briefly summarised in the table below, in relation to any personal information about you which we hold.
 

Your right What does it mean? Limitations and conditions of your right

Right of access

Subject to certain conditions, you are entitled to have access to your personal information (this is more commonly known as submitting a “data subject access request”).

If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.

We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other staff.

Right to data portability

Subject to certain conditions, you are entitled to receive the personal information which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.

If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.

his right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal information that has been provided to us by you.

Rights in relation to inaccurate personal or incomplete data

You may challenge the accuracy or completeness of your personal information and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date.

We encourage you to notify us of any changes regarding your personal information as soon as they occur, including changes to your contact details and telephone number.

Please always check first whether there are any available self-help tools to correct the personal information we process about you.

This right only applies to your own personal information. When exercising this right, please be as specific as possible.

Right to object to or restrict our data processing Subject to certain conditions, you have the right to object to or ask us to restrict the processing of your personal information. This right applies where our processing of your personal information is necessary for our legitimate interests. You can also object to our processing of your personal information for direct marketing purposes.

Right to erasure

Subject to certain conditions, you are entitled to have your personal information erased (also known as the “right to be forgotten”), e.g. where your personal information is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.

We may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal or statutory obligation, or (ii) exercise or defend legal claims.

Right to withdrawal of consent Where our processing of your personal information is based on your consent you have the right to withdraw your consent at any time. If you withdraw your consent, this will only take effect for future processing.

Where our processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal information for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.

Where our processing of your personal information is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.

If you wish to exercise any of your rights please contact dpo@rcoa.ac.uk in the first instance.

 

10. Who can I contact about this Notice?

Questions, comments and the exercise of your rights regarding this Privacy Notice and your personal information are welcomed.  RCoA has a Data Protection Officer – Sharon Drake who can help you with any queries about the information in this Privacy Notice. She can be contacted at the following:

  • email address: dpo@rcoa.ac.uk;
  • telephone number: ; 020 7092 1501
  • address: Churchill House, 35 Red Lion Square, London WC1R 4SG

If you wish to make a complaint on how we have handled your personal information, you can contact our Data Protection Officer. If you are not satisfied with our response or believe we are processing your personal information in a way that is not in accordance with the law, you have the right to lodge a complaint with the supervisory authority in the UK responsible for the implementation and enforcement data protection law: the Information Commissioner’s Office (the “ICO”).  You can contact the ICO via their website – https://ico.org.uk/concerns/ - or by calling their helpline – 0303 123 1113. 

 

11. Changes to our Privacy Notice

We keep our Privacy Notice under regular review and we will always include the latest version of the Privacy Notice on this web page. We encourage you to check this notice on a regular basis.

 

This Privacy Notice was last updated in May 2018