Introduction
Under UK data protection law, you have certain rights in relation to the processing of your personal data. It is important that you understand your rights because a lot of things you do on a day to day basis will involve the processing of your personal data. For example, just being online and visiting websites might reveal some of your personal data to someone else.
One of your rights is the right to be informed about how and why your data is being processed. This is often provided in a 'privacy notice' or 'privacy policy'. The information provided below should help you to understand what to look for in a privacy notice; what the language used in privacy notices means; and what your rights are regarding your personal data.
Information
What should a privacy notice tell you?
Whenever anyone collects your personal data, they should provide you with a privacy notice telling you:
- What personal data they are collecting
- If they are getting your personal data from anyone else other than you
- What they will be doing with the data
- The legal basis for collecting and processing your data
- Who they will be sharing the data with, and why
- How long they will hold onto your data
- Whether the data will be sent outside the UK and what protections they have when sending your data outside the UK
- Whether there will be any automated decision-making about you, based on your data
- What your rights to your data are and how to contact them or complain.
If there is no privacy notice, or it doesn't tell you everything listed above, you should be cautious about sharing your personal data with that person or organisation, as they aren't telling you everything that will happen to your data.
Definitions
Some of the language used in privacy notices is needed as it conveys a specific meaning in law. The terms we use in our privacy notices are explained below:
Privacy Notice/Privacy Statement/Privacy Policy
As above, this document tells you what personal data is being collected and why; how your data will be protected, who it will be shared with, and how long it will be kept. Different organisations might use any of these names for the document, but they all mean the same thing.
UKGDPR - The General Data Protection Regulation
This is the law which governs the processing of personal data in the UK. Data Protection law in the UK is the UKGDPR in conjunction with the Data Protection Act 2018 but it is commonly referred to as 'UKGDPR'.
Personal data
This is information that could be used to identify you. This includes things like your name, address and birthday, and also your image in photographs. Even things like the name of the organisation you work for, or the school you attend, can become personal data if they are combined with other data and used to identify you. Cookies from websites may also collect personal data if they collect information that can be used to identify you, or to build a profile about you. This is why websites ask if you want to accept cookies before proceeding, if they are using non-essential cookies. It is always a good idea to check the number of other companies a website will share cookie data with, to make sure you are comfortable sharing your data with so many organisations.
Data Subject
This is the person whose data is being processed. If you are reading a privacy notice to see what an organisation does with your data, you are the data subject.
Data Controller
This is the organisation that decides what data will be collected and processed and how the data will be processed. It is their responsibility to ensure the data is stored securely and that anyone they share the data with will also look after your data properly. If two organisations are working together, they might be Joint Data Controllers. The Data Controller should be the one who provides a privacy notice.
Data Processor
This is an organisation that processes your data on the Data Controller's behalf. The data controller should tell you who their data processors are (if they have any) and how and why they are using your data.
Lawful basis or Legal basis
This is a legal term that tells you the legal reason the Data Controller has for processing your data. Article 6 of UKGDPR details the six different lawful bases for processing personal data. More information about the lawful bases is below.
Purpose
This tells you exactly what the Data Controller will be doing with your data. Each purpose should be listed in a privacy notice. For example, if someone has developed a survey and they want to collect your name and email address to produce a report but they also want to contact you afterwards with follow up from the survey, they have to tell you both things. Each purpose should have a lawful basis for the processing.
Artificial Intelligence (AI)
AI is software that learns as it is used, and responds to users in a human-like manner. AI can process lots of data at once and is useful for automating tasks.
Third-party providers/ subcontractors/ sub-processors
These are organisations other than the Data Controller and Data Processor with whom your data might be shared. They may also be suppliers of the data processor. This includes survey platforms like SurveyMonkey as well as booking systems, payment systems and any other platform the Data Controller uses to provide their service.
Lawful bases
There are six lawful bases for processing personal data under UKGDPR:
Consent
This is where you have agreed to share your personal data. Consent must be fully informed, freely given, specific to purpose and show an indication of the person's wishes. If consent is withdrawn, it cannot be applied retrospectively. For example, if your data (including your image) is put on a public-facing website or in a publication and you decide to withdraw consent, the data controller can remove it from the website or any publication reprints going forward, but they cannot remove it from past publications or downloads that are already in the public domain and outside of their control.
Fulfilment of a contract / contractual obligation
This is where the Data Controller needs your personal data to enter into or fulfil a contract with you. This could be a contract of employment, to enable registration with a membership organisation or to engage you as a volunteer. If the Data Controller cannot engage or contract with you without collecting your personal data, this is the lawful basis.
Legal obligation
This is where the Data Controller has to process personal data to comply with the law. This covers things like employers sharing your personal data with HMRC for the purposes of paying tax and national insurance, or if a court orders that your personal data is processed.
Vital interest
This is where the Data Controller has to process personal data to protect someone's life. For example, if you are unconscious and someone shares your name and age with paramedics. The need to ensure someone survives outweighs their need for privacy and data protection.
Public task
This is where the Data Controller processes personal data to carry out a task in the public interest. For example, your water company might contact you to let you know that works will be carried out in your area and may affect you. The RCPCH clinical audits rely on the public task basis, as their work aims to improve healthcare for all children and young people.
Legitimate interest
This is when a Data Controller needs to process personal data to carry out a specific task and has undertaken a balancing test, weighing the legitimate interest in doing the task against your right to privacy. This also takes into consideration any safeguards that can be put in place to protect your privacy (such as providing you with an option to opt out). An example of this is where some personal data may be used to help improve services or processes.
For each of the legal bases, the processing must be necessary in order to fulfil the purpose. If the Data Controller could carry out their task without collecting and processing your personal data they must do it that way.
Artificial Intelligence (AI)
The RCPCH uses AI (mainly Microsoft Copilot for M365) to support the automation and improvement of its business processes. This may include the processing of your personal data. Any personal data processed in this way will only be processed in line with the original purpose for which it was collected.
If AI is used to profile or make any decisions about you, we will inform you through the privacy notice which relates to the specific processing activity and we will ensure there is human oversight and review. The data processed in Copilot is not used to train any AI models. If the College does use any AI that trains models on user data, we will not use your personal data without informing you. If the College starts to develop and use AI in a different way, we will let individuals know, in advance, if this will affect their data.
Your data rights
The right of access
You have the right to ask us for copies of your personal data. There are some exemptions which mean we might not be able to provide you with everything that you ask for, but we can explain this to you when you make a request.
The right of data portability
This only applies to information that you have given to us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you, in a standard format, where we are technically able to. This only applies where we are holding your information with consent or as part of a contract with you and the processing is automated.
The right of rectification
You have the right to request that we correct any of your personal data that you think is inaccurate. You can also ask us to complete information about you that you think is incomplete. It is your responsibility to update us on any changes to the personal information you have provided.
If you have an RCPCH online account you can change and update your personal data in your online profile.
If you are an exam candidate, you can update your information in the exam booking system.
You can also contact us either via our contact form or contact the relevant team directly.
The right to erasure
Where practicable, you have the right to ask us to delete your personal data. This right is limited and only applies in certain circumstances. For example, we cannot delete exam results as we are required to keep a record of these. If you make a request, we will be able to explain any exemptions to you.
The right to restriction
You have the right to restrict the use of your data. You can request that we deactivate your RCPCH online account or that we only store your data but undertake no further processing. However, this only applies in certain circumstances.
The right to objection
You have the right to object to us processing your personal data under certain circumstances. Where we are processing your personal data for the purposes of direct marketing, this is an absolute right and we will cease processing for this purpose upon request.
Where you have consented to us using your personal data, you can withdraw consent at any time by emailing the relevant team or contacting information.governance@rcpch.ac.uk. See all RCPCH teams.
If any of your rights are limited by the type of data processing or purpose of processing, we will explain this to you when we respond to your request.
To find out more about your rights, visit the ICO website.
If you would like to make a request, please use the 'contact us' details below. We have one month to respond to your request.
Complaints
If you have any concerns about the way your personal data is handled, please contact the College in the first instance. If you are still unhappy you do also have the right to complain to the ICO by contacting casework@ico.org.uk.
Contact us
To make a rights request, or if you have any questions regarding the processing of your personal data, please contact us on the details below:
Data Protection Officer
RCPCH
5-11 Theobalds Road
London WC1X 8SH
Email: information.governance@rcpch.ac.uk
Telephone: 020 7092 6000
If you are in the European Economic Area or Switzerland, you can see these contact details.
If you have another enquiry, use our contact form or email the relevant team.