The General Data Protection Regulation (GDPR) and your personal data

In May 2018 the rules governing how we manage data are due to change and become more rigorous. Data protection affects every single RCoA member, and the following article explains what you can expect from the College.

What is data protection?
The RCoA collects and processes a range of data from its members, from the level of medical training you have completed to the educational courses you have attended.

Data protection legislation sets out the requirements for how the College, as a data controller, processes personal data. Personal data is defined as any data that identifies or is likely to identify a living individual, including facts and opinions.

The College is fully committed to the principles of data protection, as set out in the Data Protection Act 1998. We process and maintain personal data about you so that we can manage your membership, provide you with appropriate products and services, and share information with you about RCoA activities.

In accordance with the Data Protection Act, we have a legal duty to protect any information we collect from you. For example, we will only use your information for the purpose described. We do not pass on your details to third parties unless you have given us permission to do so or there is a legal obligation or statutory requirement to do so. You also have the right to ask for a copy of the information we hold about you and to have any inaccuracies in your information corrected.

What’s changing?
On 25 May 2018, the EU General Data Protection Regulation (GDPR) will replace the current Data Protection Act. Despite Brexit, the Government has confirmed its intention to bring the EU GDPR into UK law, ensuring the country’s data protection framework is suitable for the digital age and allows data subjects better control of their data.

The eight principles of the existing Data Protection Act still apply, but the new regulation means there will be greater transparency around areas such as consent, privacy notices, reporting of breaches and transfer of data outside the EU.

We have been working over the last 12 months to ensure our already comprehensive policies meet the requirements of the new and more rigorous legislation. This has included reviewing our processes and procedures around key areas such as security and retention of data, subject access requests and data breaches, and bringing our policies up to date.

We have also conducted an internal audit of our current practices to highlight any potential areas of weakness in GDPR compliance, so that we are able to focus on the key changes we need to make in preparation for the change in legislation in 2018.

How will this affect members?
The College will continue to respect and protect the personal data we collect about you.

We will be adding to/amending our data protection disclaimers in light of the GDPR, so you might notice changes to our application forms. It is important that you understand what we are doing with your data. We will enhance our privacy notices on the website and on any new systems you register for, to inform you, at the point that we collect your data, about why we are collecting it, how we will use it and how we keep it safe.

The majority of personal data we collect about you is necessary and for the legitimate purposes of the organisation, e.g. maintaining your training records or informing you of educational opportunities.

At times we may need you to provide explicit consent for your data to be used by positively opting in, e.g. if personal data needs to be shared with a third party. We will notify you if this is the case.

If you would like to request a copy of the personal data we hold about you (known as a subject access request), the waiting time for a response will be reduced to one month and will be free of charge from May 2018 in most cases – this applies to all organisations, including the RCoA.

Further information
If you’d like to find out more about the GDPR changes, please see the Information Commissioner’s Office website. If you have any specific questions about the RCoA’s data protection policy and how GDPR affects you, please contact our Data Protection Officer, Sharon Drake at