Privacy notice

IQAS, DCAP, IQILS, PRSAS and QPIDS privacy notice

This privacy notice explains how the Improving Quality in Allergy Services (IQAS), the Diabetes Care Accreditation Programme (DCAP), the Improving Quality in Liver Services (IQILS), the Pulmonary Rehabilitation Services Accreditation Scheme (PRSAS) and the Quality in Primary Immunodeficiency Services (QPIDS) at the Royal College of Physicians (RCP) collects, stores, manages and protects your personal data. It outlines the types of data that we hold an d how we use them. The RCP takes its responsibilities around the correct collection, use and destruction of the personal data of its various audiences and stakeholders very seriously and is committed to openness and fairness in the handling of personal data.

What information do we collect about you?

If you are a service lead and want to work with us as part of the accreditation process, then we will collect and process the following personal data:

  • name, job title
  • contact details including work email and phone number
  • name and email address of finance contact, CEO, and medical director of the organisation.

If you are a professional that is, or wants to be, part of our assessment team, we will collect and process the following data:

  • name, address, personal email address and telephone number
  • current employment information including name and contact details of your existing employer
  • professional registration information employment history and relevant qualifications
  • employer’s declaration of support
  • referee information, including name and contact details
  • evidence of right to work in the UK
  • bank account details, where relevant.

As part of the accreditation process, we will collect and process the following personal data:

  • we use Eventbrite to manage certain events and therefore your data will be collected on this service
  • as part of the evidence gathering process for accreditation, we collect details of staff performance.


How will we use your information?

We use the information you give us to:

  • send you publications, newsletters and updates that are relevant to the programme
  • provide you with the services you registered for and information about our activities and events, including training events
  • administer user accounts we set up for you
  • send you details and updates about terms and conditions and subscription fees
  • communicate with you on progress of the status of your accreditation status or if you are one of our assessors provide appropriate feedback on working with you
  • conduct surveys and process your response to any survey you participate in for research, evaluation, and statistical purposes
  • analyse and improve the programme website to provide you with the most user-friendly navigation experience
  • keep your data up-to-date and maintain an internal record of your relationship with us
  • fulfil contracts you have entered if you are part of our assessment team including payment processes if applicable.

Patient/ sensitive personal data

As part of the accreditation process, we do not require access to any patient identifiable data. There are occasions where some identifiable data relating to employees of your organisation are required for the assessment process; for example, details of the CEO who will receive the assessment report and names of individuals and job titles of staff members contained within policy documents. As your organisation is recognised as the data controller for any patient and employee data you hold under GDPR legislation, it is your responsibility to ensure you process the data accordingly.

How we collect the data

The majority of our information is obtained directly from you as part of our registration and accreditation process which is completed online.

If you are an assessor that has expressed an interest in being part of our assessment team, we may also capture your data via email.

We may also obtain your information when we use cookies on our websites (see below).

We use cookies to ensure you get the best experience on the website. If you wish to, you may change your browser settings at any time. Go to www.aboutcookies.org for information on how to do this.

What are Cookies

Cookies are small information files placed on your device and are used to improve services for you by:

  • enabling the service to recognise your device so you do not need to give the same information repeatedly
  • recognising when you have already given a username and password so that you do not need to do so for every subsequent web page you visit
  • measuring how many people are using the services we provide, so we can make them easier and faster to use
  • analysing data, anonymously, to help us understand how people interact with our services.

When we provide services, we want to make them easy, useful, and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your computer, mobile phone, or whatever device you are using to access the internet. This information is held in cookies. 

Cookies cannot be used to identify you personally.

For more information about how to remove cookies from your device, or how to block individual cookies from being received, please see the instructions and guidance at www.aboutcookies.org.

See below for further details about cookies you may encounter while visiting the website. These details include what information is being held, how long you can expect it to be stored, and how your experience of our website will change if you block individual cookies from being sent to your device.

Cookie: Google Analytics
Names:  _gat, _ga, _gid, __utma, __utmb, __utmc, __utmt, __utmz
Lifespan: Up to 2 years
Purpose: Usage monitoring, these cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site.

The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from, the pages they visited and the technology they were using (browser, device information).

Further information on the cookies used by Google Analytics can be found here

Name: ASP.NET_SessionId
Lifespan: Session
Purpose: Strictly Necessary, used to maintain an anonymised user session by the server.

Name:  ASPXAUTH
Lifespan: Session
Purpose: Strictly Necessary, you must accept this cookie to be able to login to the website and use the elements within the site. Without this cookie the website will not function as intended.

Name:  ASPROLES
Lifespan: Session
Purpose: Strictly Necessary, you must accept this cookie to be able to login to the website and use the elements within the site. Without this cookie the website will not function as intended.

Name: CookieCompliance
Lifespan: Unlimited
Purpose: Tracks confirmation of cookie acceptance for the site on this device 

Name: lang
Lifespan: Session
Purpose:  Functionality, used to store language preferences

Name: __cfduid
Lifespan: Session
Purpose:  Functionality, used to prevent a rate limiting of users accessing the FAQ support hosted on Zendesk in cases where there are multiple users sharing the same client IP address (for example multiple users accessing from the same institutional network).

Name: __AntiXsrfToken
Lifespan: Session
Purpose: Strictly necessary, used to protect against Cross-site request forgery (also known as XSRF or CSRF).

Who do we share your information with and why?

We may share your data with:

  • UK health systems in England, Wales, Scotland, and Northern Ireland, for reporting purposes
  • Governance group members for the programme, for reporting purposes.

How long we keep your data and why

We keep data relating to your service for as long as you are a registered service. If your service deregisters from the programme, then some non-personal data will need to be kept on file to maintain accurate records of historic services registered. Any user accounts will be deleted upon request from the individual or service, so please make sure to update us if a user or contact is leaving the organisation.

Please be advised that any service reports will be kept on file permanently so that a record of previous engagement and assessments can be maintained and progress over time can be reviewed. Any staff performance data collected as part of the evidence gathering process for accreditation will be kept on file as per our programme data retention policy.

If you are an assessor and your contract has ended, financial and contractual records will be retained in line with financial law and regulation for at least seven years after the end date. We will maintain some data such as your name and tenure on our assessor database for reference. Some personal data, such as your name and title, will continue to be available in historic assessment reports and historic comments on the website.

Your rights relating to your personal data

If we are holding your personal data, then you have the following rights:

  • access to your data (Article 15)
  • have a copy in a standard format (Article 20)
  • restrict the use of your data (Article 18)
  • stop your data being used (Article 21)
  • have data deleted (Article 17).

You have the right to access information which identifies you as a living person, held on RCP systems (Article 15). You also have the right to a copy of your data in a standard format, where technically possible (Article 20). For more information, please contact the data protection officer.

You have the right to ask us to restrict the use of your data (Article 18), stop your data being used (Article 21) or have your data deleted (Article 17). All requests will be judged on a case-by-case basis, we may refuse a request if it is incompatible with our requirements or if it will impact on our ability to deliver accreditation assessments. We will approve all requests that do not impact on our ability to deliver accreditation services.


Where we keep your data

The RCP hosts your data upon servers located within the EU, in accordance with current recommended data governance practices in the UK.

How we protect your data

We ensure that there are appropriate and operational measures in place to protect your personal data, in alignment with the requirements of Cyber Essentials and the Data Security Protection Toolkit.

We have appropriate technical controls in place to protect your personal data including:

  • the RCPs external network perimeter is protected via dual boundary firewalls
  • anti-virus and malware software/ solutions have been deployed to all networked computers
  • all networked systems use password-based authentication. Passwords must conform to a controlled standard
  • networked systems are monitored externally via a managed SIEM solution, which provides real-time analysis of security alerts generated by applications and network hardware
  • vulnerability scanning on all internal and external systems is carried out daily
  • mobile and removable devices are encrypted in line with organisation policy. Mobile smart devices can be remotely wiped on demand.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors. Unstructured data is monitored via a third-party solution designed for this express purpose and any changes to file permissions generates an alert.

We have a robust audit framework in place to ensure internal and external measures and obligations are in place and being maintained.

Who to contact at the RCP and how to complain

If you have any concerns about how your personal data is being collected and processed, or wish to exercise any of your rights detailed in this Privacy Notice please contact:

askiqas@rcp.ac.uk

The RCP Data Protection Officer

Email: dataprotection@rcp.ac.uk

Tel: +44 (0)20 3075 1505

If you are not satisfied with how your information is managed by the RCP, you have the right to complain to the Information Commissioner Office.

The ICO can be contacted at https://ico.org.uk/global/contact-us/

Concerns can also be logged via the ICO website https://ico.org.uk/concerns/

Future changes

If our information practices change, we will update this statement to reflect that. Regularly reviewing this information ensures you remain aware of what data we hold and use.

This privacy notice was last updated on the 5 April 2024.

Please read carefully and take any action requested - this message will not be shown the next time you log in