The RCPCH collects a range of data about its members, from your mailing preferences to the level of medical training completed. We have Data Protection principles embedded at the core of everything we do through a comprehensive Information Governance framework, ensuring that as an organisation we treat individuals’ data with the respect it deserves.
What is data protection?
Data protection legislation sets out requirements for how we, as a data controller, process personal data. Personal data is defined as any data which identifies or is likely to identify a living individual, including facts and opinions. We collect personal data so that we can identify you and manage your membership, provide you with services, and share information with you about RCPCH activities. We may share information with other third parties where there is a statutory requirement or legal obligation to do so, or share information with appropriate third parties to improve clinical practice or medical training.
How do we keep your data secure?
As with all organisations, we are required to follow data protection laws to protect the personal information we hold. Data protection principles are embedded at the core of everything we do through an information governance framework and, as a result of this, members and partners trust us to handle their data securely and compliantly.
As part of this we have a full-time permanent member of staff overseeing data protection, and host an Information Governance Group which meets every six months with representatives from across the College. In addition, each member of staff at the RCPCH receives mandatory data protection training to ensure the core principles are embedded across the organisation and everyone is aware of their responsibilities.
In May 2018 the General Data Protection Regulation (GDPR) will be replacing the current Data Protection Act, and data protection legislation will become more rigorous, so the College will be working over the next year to ensure our already comprehensive policies meet the requirements of the new rules. This will include reviewing our processes and procedures around key areas such as subject access requests and security breaches, and bringing policies up to date. We’ll also establish a Data Protection Committee to replace the current Information Governance Group which will oversee the GDPR work and continue to govern our ongoing data protection compliance. In order to prioritise resources and manage this process effectively, we recently invited an external company to audit our current practices and highlight any potential areas of weakness in GDPR compliance, so that we are able to focus on any key changes we need to make.
There will also be significant changes to the way we handle children’s data, and for the first time legal requirements will be introduced to manage this. One of the key changes is that if we are processing the data of a child or young person under the age of 13 (or it could be as high as 16 depending on UK law adoption), it will be a legal requirement to have parental consent.
How will this affect members?
Members can be even more confident that the College will protect any personal data we may collect about you. You might also notice changes to your application form, or the privacy notices around the website and other forms and systems. For example, privacy notices are displayed on the website and on the e-Portfolio. Privacy notices enable us to tell you, at the point that we collect your data, why we are collecting it, how we will use it and who we may share it with if we need to. By being open and transparent with you at the beginning, we ensure you are fully informed about how your data will be used. We are currently reviewing our privacy notices to provide even clearer and more detailed information to you.
The new regulation means there will be greater transparency around using personal data for marketing purposes, and members will need to provide fully informed and freely given consent for their data to be used in this manner. We are therefore reviewing the current opt-in mailing preference options on your website account; further communication about this will be sent out later this year.
If individuals would like to request a copy of the personal data we hold about them (known as a subject access request), the waiting time for a response will be reduced to one month and will be free of charge from May next year in most cases – this applies to all organisations, including the RCPCH.
If you’d like to find out more about the GDPR changes which will be taking place, please see the ICO website. If you have any specific questions about the RCPCH’s data protection policy please contact firstname.lastname@example.org