This privacy notice explains how the Medical Care – driving change (MCDC) programme at the Royal College of Physicians (RCP) collects, stores, manages and protects your personal data. It outlines the types of data that we hold and how we use them. The RCP takes its responsibilities around the correct collection, use and destruction of the personal data of its various audiences and stakeholders very seriously and is committed to openness and fairness in the handling of personal data.
What information do we collect about you?
If you are a professional working within a service or organisation who wants to work with us by contributing to or featuring in the content on the MCDC site, we will collect and process the following personal data:
- name, job title
- contact details including work email and phone number
- name and email address of the CEO and/or medical director of the organisation
- bank account details, where relevant
How will we use your information?
We use the information you give us to:
- send you publications, newsletters and updates that are relevant to the programme
- communicate with you throughout the course of your involvement with MCDC/RCP
- keep your data up to date and maintain an internal record of your relationship with us
- provide you with information relevant to content creation and publishing
- administer user accounts we set up for you
- conduct surveys and process your response to any survey you participate in for research, evaluation, and statistical purposes
- analyse and improve the MCDC website to provide you with the most user-friendly navigation experience
Patient/sensitive personal data
There are occasions where some identifiable data relating to employees of an organisation are required for the purposes outlined in the previous section of this statement. For example, when we collaborate with an organisation, we will hold the names and email addresses of contacts with whom we work closely. This ensures that the MCDC programme can fulfil its purpose. This information will be kept on an RCP network drive. The small team that works on MCDC has exclusive access to this.
How we collect the data
Most of our information is obtained directly from you as part of your agreement to collaborate with RCP to contribute content for the MCDC website. If you have expressed an interest in collaborating, we may capture this information via email.
What are cookies?
Cookies are small text files that are placed on your computer, tablet or mobile phone when you browse websites.
Cookies help us to:
- keep the website working as you'd expect
- understand how many visitors our website has and personalise the content you see
- promote selected content in Google and on social media.
Cookies help you to:
- remain logged in to your MyRCP account between visits
- store settings in your account
- share links to our web pages on social media.
First party cookies
We use Google Analytics to collect anonymous information about how you move around our website. This provides us with numerical data (eg how many times a page is viewed) along with details about, for example, where our website traffic comes from (search engines, email, social media etc). These insights enable us to understand how well our website is performing, allowing us to identify areas for improvement and offer better content.
We use Facebook cookies to deliver targeted content if you have previously engaged with us through our website.
Hotjar is a website analytics service that records anonymous information about which links you click and how you move around our pages. It gives us a visual understanding of how our visitors engage with our website.
AddThis is a content-sharing and social insights platform. It enables you to share content from our website to your social media networks.
Disabling and deleting cookies
You can restrict or disable cookies within the settings for your browser.
Your browser will also offer a way for you to delete cookies from your computer.
How long we keep your data and why
The MCDC programme will keep data relating to the contributors to the project for the term of the agreement plus 6 years. Some non-personal data will be kept on file permanently to maintain accurate records of content. Any personal data can be deleted on request, so please make sure to contact us if you do not wish for us to have this information.
Your rights relating to your personal data
You have the right to:
- access information which identifies you as a living person held on RCP systems (Article 15)
- have data deleted (Article 17)
- restrict the use of your data (Article 18)
- have a copy in a standard format, where technically possible (Article 20)
- stop your data being used (Article 21)
For more information please contact the data protection officer.
Where do we keep your data?
The RCP hosts your data upon servers located within the EU, in accordance with current recommended data governance practices in the UK.
How we protect your data
We ensure that there are appropriate and operational measures in place to protect your personal data, in alignment with the requirements of Cyber Essentials and the Data Security Protection Toolkit.
We have appropriate technical controls in place to protect your personal data including:
- The RCP's external network perimeter is protected via dual boundary firewalls.
- Anti-virus and malware software/solutions have been deployed to all networked computers.
- All networked systems use password-based authentication. Passwords must conform to a controlled standard.
- Networked systems are monitored externally via a managed SIEM solution, which provides real-time analysis of security alerts generated by applications and network hardware.
- Vulnerability scanning on all internal and external systems is carried out daily.
- Mobile and removable devices are encrypted in line with organisation policy. Mobile smart devices can be remotely wiped on demand.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors. Unstructured data is monitored via a third-party solution designed for this express purpose and any changes to file permissions generate an alert.
We have a robust audit framework in place to ensure internal and external measures and obligations are in place and being maintained.
We have appropriate contractual measures in place to protect your personal data:
- Where we have contracted third parties to support us in the delivery of the accreditation programme, a contract is in place that sets out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf or have access to.
- Third parties are asked to complete a bespoke data security framework toolkit as part of the procurement process, which checks that they have the capability to meet the required standards when handling or processing RCP-owned data.
- Third parties invited to work on our systems are asked to complete a non-disclosure agreement, prior to accessing RCP information systems.
Who to contact at the RCP and how to complain
If you have any concerns about how your personal data is being collected and processed or wish to exercise any of your rights detailed in this Privacy Notice please contact:
The RCP Data Protection Officer
Tel: +44 (0)20 3075 1505
If you are not satisfied with how your information is managed by the RCP, you have the right to complain to the Information Commissioner's Office.
The ICO can be contacted at https://ico.org.uk/global/contact-us/
Concerns can also be logged via the ICO website https://ico.org.uk/concerns/
If our information practices change, we will update this statement to reflect that. Regularly reviewing this information ensures you remain aware of what data we hold and use.
This privacy notice was last updated on 26/1/23.