1. Introduction

The Academy of Medical Royal Colleges (AoMRC) takes your privacy seriously. We are committed to protecting your personal information and being open and transparent about how it is used. This policy describes how and why we obtain, store and process data about you.

This privacy policy was updated in May 2018 to meet the requirements of the General Data Protection Regulation (GDPR). We will update this Privacy Policy whenever we change the type of processing we carry out. Please regularly come back to this page and check this policy for any changes.

2. About the Academy of Medical Royal Colleges

The AoMRC was established in 1996. It speaks on standards of care and medical education across the UK. By bringing together the expertise of the medical Royal Colleges and Faculties it drives improvement in health and patient care through education, training and quality standards.

Our address and telephone number are available via the contact us link on our website. The Academy is the data controller for your information.

Queries about the use of your data by the Academy should be directed to the Chief Executive, Alastair.henderson@aomrc.org.uk

3. The lawful bases we use to process your information

We can only process your personal information if we have a lawful basis to do this.  The legal bases which can be used to process your information are:

  • Consent

This is the basis we use when you agree to us using your information to send you reports or other products or communications that you would be interested in by providing us with your name and email address.

  • Contract

This is the basis we use when it is necessary for us to take specific steps before entering into a contract with you to supply you a service or vice versa. An example of this would be the information we hold on our staff for employment purposes and on our suppliers.

  • Legal obligation

This is the basis we use when it is necessary for us to comply with the law (not including contractual obligations)

  • Vital interests

This basis is used to protect someone’s life. This is unlikely to be relevant to the Academy.

  • Public task

This basis is used if we need to perform a task in the public interest or for our official functions and that task or function has a clear basis in law. Our work as the National Sponsor of MTI applications would be an example of this.

  • Legitimate interests

This basis is used to the where processing is necessary for to carry out our legitimate interests. This would apply to contact details for members nominated to join our Committees.

4. What personal data we may collect
  • Your name
  • Your contact details
  • Your job role and your organisation
  • Information from other publicly available sources (such as social media)
  • For MTI applicants your passport details, salary, residential and work addresses
  • If you apply for a job with us we will collect your CV, containing details such as your employment history, qualifications and references.
  • If you work for us we will collect and use additional personal information, such as health details and financial details.
  • Bank details for people or organisations we make payments to
  • If you fill in any questionnaires, surveys or feedback forms we will collect your experiences, opinions and any health information you are happy to share with us.
  • If you interact with our website we may collect certain technical information, such as your browsing activity across our website and your IP address. An IP address provides the location of server you are contacting us from. We only use this information to:
  • Ensure website security
  • Undertake management reporting (based on country of access)
  • For Committee members, equality and diversity data, such as age, ethnicity, disability, gender, sexual orientation, and religion or belief.
5. How we use your personal information

We use your information in the following ways:

  • For sending you information relating to your identified areas of interest e.g. Council, Educations issues, Brexit etc.
  • If you are an MTI applicant, we require some sensitive data for processing the application and issuing a Certificate of Sponsorship to enable you to obtain a visa and process Immigration Health Surcharge refunds (if applicable).
  • Collecting your views, experiences and advice in surveys or feedback sessions to inform of reports and policy positions.
  • For processing payments to individuals or organisations
  • If you apply for a job or work for us your information will be used for recruitment and human resources processes.
  • For identifying trends in the diversity of our committee membership with the overall aim of improving equality and diversity at the Academy. This special category data is gathered voluntarily, and you can choose not to complete it. Data we gather is kept confidentially and anonymously and only made available to those directly involved in analysing it.
6. Who we share your personal details with

Your personal data may be shared within the Academy and, if required with our third-party suppliers and partners.

MTI participants’ information is shared with UKVI to obtain your CoS and with NHS Business Services Authority to process Immigration Health Surcharge refunds (if applicable). Some of this data may also be shared with your employing NHS Trust and/or sponsoring Royal College, to ensure all information is correct before processing a Certificate of Sponsorship. The NHS Business Services Authority may share your data with UKVI and/or DHSC in order to process your Immigration Health Surcharge refund. Find out how NHSBSA process your information by visiting their privacy notice.

For these third parties

  • We provide only the information they need to perform their specific services, in relation to the purposes described above.
  • If we stop using their services, any of your data held by them to support that service will be deleted or rendered anonymous.
7. How long we will keep your information?

We will only keep information for as long as it is required. This will vary according to the category of information

Type of dataPeriod for which data is retained
MTI applications and the data held within:
Email address
Residential address
Passport number
Applicants income
Sensitive personal data
24 months or the length of the visa, whichever is the later; you may have extensions
Committee/member details
Email addresses
Telephone numbers
Will only be kept for the period that membership is live
However, we do retain members’ names and contact details to form an historic record of who has served on the committee. Members can opt out of this.
Senior committee members
Email addresses
Personal address/telephone numbers
Will only be kept for the period that membership is live.
However, we do retain members’ names and contact details to form an historic record of who has served on the committee. Members can opt out of this.
Employees of AOMRC
Basic personal information and contact details (including name, address, date of birth, gender, telephone number, email address and next of kin/ emergency contact details)
Existing employees: throughout their employment
Unsuccessful applicants: Six (6) months

Former employees: Six (6) years
Recruitment records (including CVs, application forms, interview notes, test results, proof of right to work in UK (such as passports and visas), driving licence, evidence of skills and qualifications, and references)Existing employees: throughout their employment

Unsuccessful applicants: Six (6) months

Former employees: Six (6) years
Offer letters, contracts of employment, written statements of terms and related correspondence, Disciplinary/GrievanceExisting employees: throughout their employment

Former employees: Six (6) years
Financial and tax information (including pay and benefit entitlements, bank details and national insurance numbers)Existing employees: throughout their employment

Former employees: Seven (7) years
Equality and diversity dataFor up to 5 years
8. How we protect your personal data

We know your personal information is important to you.  Therefore, we securely store the personal information we receive and use appropriate security features to prevent any unauthorised access.  We have internal policies which set out and guide our data security. All staff adhere to this approach and are regularly trained in data protection.

Access to your personal data is password-protected and the Academy’s IT supplier regularly monitors our system for possible vulnerabilities and attacks. Our systems meet the standards of the Governments Cyber Essentials assurance programme. Our IT and website providers carry out regular penetration testing to identify ways to further strengthen security.

9. Your rights

You have the right to:

  • See the information we hold on you, and confirm what data we are processing about you.
  • Ask us to correct any inaccurate, out of date or incomplete personal data.
  • Request that we erase the personal information we hold on you. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.
  • Request that we restrict or limit the way that we use your personal data.
  • Request a copy of your information
  • Object to the processing of your information.

You can ask for any of the above, in writing by emailing dataprotection@aomrc.org.uk  calling us on 020 7490 6810. If you prefer you can write to us at the address above. We will make requested changes within one calendar month. This will be carried out free of charge in most cases.

If we choose not to action your request, we will explain to you the reasons for our refusal.

10. If you are not happy with how your data is being handled by the Academy

If you are not satisfied, by the way your data is being handled by the Academy or the way a concern has been dealt with and wish to make a complaint to the Information Commissioner’s Office (ICO) you can visit their website for information on how to make a data protection complaint https://ico.org.uk/concerns/