Information Policy

The Academy of Medical Royal Colleges (the Academy) takes your privacy seriously. We are committed to protecting your personal information and being open and transparent about how it is used. This policy describes how and why we obtain, store and process data about you.

This privacy policy was updated in February 2024 to meet the requirements of the General Data Protection Regulation (GDPR). We will update this Privacy Policy whenever we change the type of processing we carry out. Please regularly come back to this page and check this policy for any changes.

The Academy was established in 1996. It speaks on standards of care and medical education across the UK. By bringing together the expertise of the medical royal colleges and faculties it drives improvement in health and patient care through education, training and quality standards.

Our address and telephone number can be found on the Contact us page of our website. The Academy is the data controller for your information.

Queries about the use of your data by the Academy should be directed to the Executive Director.

We can only process your personal information if we have a lawful basis to do this. The legal bases which can be used to process your information are:

Consent

This is the basis we use when you agree to us using your information to send you reports or other products or communications that you would be interested in by providing us with your name and email address.

Contract

This is the basis we use when it is necessary for us to take specific steps before entering into a contract with you to supply you with a service or vice versa. An example of this would be the information we hold on our staff for employment purposes and on our suppliers.

Legal obligation

This is the basis we use when it is necessary for us to comply with the law (not including contractual obligations).

Vital interests

This basis is used to protect someone’s life. This is unlikely to be relevant to the Academy.

Public task

This basis is used if we need to perform a task in the public interest or for our official functions and that task or function has a clear basis in law. Our work as the National Sponsor of MTI applications would be an example of this.

Legitimate interests

This basis is used where processing is necessary to carry out our legitimate interests. This would apply to contact details for members nominated to join our Committees.

• Your name
• Your contact details
• Your job role and your organisation
• Information from other publicly available sources (such as social media)
• For MTI applicants your passport details, salary, residential and work addresses
• If you apply for a job with us we will collect your CV, containing details such as your employment history, qualifications and references.
• If you work for us we will collect and use additional personal information, such as health details and financial details.
• Bank details for people or organisations we make payments to
• If you fill in any questionnaires, surveys or feedback forms we will collect your experiences, opinions and any health information you are happy to share with us.
• If you interact with our website we may collect certain technical information, such as your browsing activity across our website and your IP address. An IP address provides the location of the server you are contacting us from. We only use this information to:
• Ensure website security
• Undertake management reporting (based on country of access)
• For Committee members, equality and diversity data, such as age, ethnicity, disability, gender, sexual orientation, and religion or belief.

• For sending you information relating to your identified areas of interest e.g. Council, Stakeholder interest etc.
• If you are an MTI applicant, we require some sensitive data for processing the application and issuing a Certificate of Sponsorship to enable you to obtain a visa and process Immigration
• Health Surcharge refunds (if applicable).
• Collecting your views, experiences and advice in surveys or feedback sessions to inform of reports and policy positions.
• For processing payments to individuals or organisations.
• If you apply for a job or work for us your information will be used for recruitment and human resources processes.
• For identifying trends in the diversity of our committee membership with the overall aim of improving equality and diversity at the Academy. This special category data is gathered voluntarily, and you can choose not to complete it. Data we gather is kept confidentially and anonymously and only made available to those directly involved in analysing it.

Your personal data may be shared within the Academy and, if required with our third-party suppliers and partners. For example, survey data may be shared with members of the relevant policy committee(s).

MTI participants’ information is shared with UKVI to obtain your CoS and with NHS Business Services Authority to process Immigration Health Surcharge refunds (if applicable). Some of this data may also be shared with your employing NHS Trust and/or sponsoring royal college, to ensure all information is correct before processing a Certificate of Sponsorship. The NHS Business Services Authority may share your data with UKVI and/or DHSC in order to process your Immigration Health Surcharge refund. Find out how NHSBSA process your information by visiting their privacy notice.

For these third parties:

• We provide only the information they need to perform their specific services, in relation to the purposes described above.
• If we stop using their services, any of your data held by them to support that service will be deleted or rendered anonymous.

We will only keep information for as long as it is required. This will vary according to the category of information.

We know your personal information is important to you. Therefore, we securely store the personal information we receive and use appropriate security features to prevent any unauthorised access. We have internal policies which set out and guide our data security. All staff adhere to this approach and are regularly trained in data protection.

Access to your personal data is password-protected and the Academy’s IT supplier regularly monitors our system for possible vulnerabilities and attacks. Our systems meet the standards of the Government’s Cyber Essentials assurance programme. Our IT and website providers carry out regular penetration testing to identify ways to further strengthen security.

You have the right to:

• See the information we hold on you, and confirm what data we are processing about you.
• Ask us to correct any inaccurate, out of date or incomplete personal data.
• Request that we erase the personal information we hold on you. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
• Request that we restrict or limit the way that we use your personal data.
• Request a copy of your information
• Object to the processing of your information.

You can ask for any of the above, by contacting us. We will make requested changes within one calendar month. This will be carried out free of charge in most cases. If we choose not to action your request, we will explain to you the reasons for our refusal.

You can find out more about your rights in relation to how we have used your data with the Information Commissioner’s Office.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House. Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113