Privacy Statement
This page explains our privacy policy and how we will
use and protect any information about you that you give to us or that we
collect when you visit this website to upload self-verification evidence. To
manage and quality assure your training, Health Education England (HEE),
Devolved nation deaneries (Northern Ireland, Scotland & Wales), and
Cloudoko, an external IT support company, need to collect, store and process
information about you. This is done in compliance with the Data
Protection Act 2018 and UK General Data Protection Regulation (GDPR), and in
accordance with the data protection principles set out within the
regulation. Among other matters, these require that your data must be
processed fairly and lawfully.
Topics:
- Why we process your data
- How we process your data
- What data do we collect?
- Data Controllers and Data Processors
- Processing your data during the recruitment process
- Processing of successful applicants’ data by HEE Local Offices, Deaneries and employing NHS Organisations
- Processing of personal data
- Legal Basis for Processing
- Your rights under GDPR
- What are cookies?
- How do we use cookies?
- What type of cookies do we use?
- How to manage your cookies
- Your responsibilities under GDPR
Why we process your data
We will process the data that you upload into the
Self-Assessment Portal in accordance with the Data Protection Act (DPA) 2018,
and will do so for the following purposes:
- Processing of your data during the recruitment process
- Use of recruitment data for evaluation, research and testing purposes
- To manage your training and programme
- To quality assure training programmes and ensure that standards are maintained
- To identify workforce planning targets
- To maintain patient safety through the management of performance concerns
How we process your data
Your personal data will be securely stored in password protected
web-based management and administrative computer systems. If you agree, where
appropriate, this information may be shared with those who have responsibility
for the organisation, management and delivery of training to help them execute
their function, the planning and delivery of specialist training. The evidence
that you upload will be assessed by assessors. If our privacy policy changes in
any way, we will update the changes in the privacy policy on the Self-Assessment
Portal website. Regularly reviewing the Self-Assessment Portal privacy
policy ensures you are always aware of what information we collect about you,
how we use it and which other organisations we will share it with and
why.
What data do we collect?
We only collect data that you share with us, i.e. the documents
you upload.
Data Controllers and Data Processors
The following data controllers: Health Education England (HEE),
Northern Ireland Medical & Dental Training Agency (NIMDTA), NHS Education
for Scotland (NES) and Health Education Improvement Wales (HEIW) all have
responsibilities to determine the purpose for which and the manner in which any
personal data are, or are to be, processed in their own right.
The Data Processor is Health Education England, working with
Cloudoko, an external supplier and an IT specialist.
Data Recipients: your data are disclosed in accordance with the
principles set out in this privacy policy. Your personal data will be shared
with other organisations involved in the planning, management and delivery of
training including the HEE local offices and Deaneries, employing NHS
organisations, Department of Health and Social Care, Royal Colleges and
Faculties, regulatory bodies, such as the GMC and GDC, Qpercom (our digital
scoring system) as part of the determination of your application. Where
your data is shared with another organisation or HEE systems, the principles
set out in this privacy policy will be adhered to.
Data Subject: you, i.e. the person whose data is obtained as
part of the recruitment process and processed in the way described in this
privacy policy.
Processing your data during the recruitment process
Your data will be held securely and in confidence. Access will
be restricted to designated persons who are authorised to view it as a
necessary part of their work.
During the recruitment process, your personal data and special
categories of personal data will be used by the HEE local offices, Deaneries
(Northern Ireland, Scotland & Wales) and recruiting Royal Colleges for the
purpose of determining your suitability for this position.
It will also be used for the purposes of enquiries in relation
to the prevention and detection of fraud.
Once a decision has been reached about your application,
information held about you will not be kept on the recruitment system for any
longer than 13 months after the start date of the post to which you have
applied.
Data is retained in line with the minimum retention periods as
specified in the Records Management Code of Practice for Health and Social Care
2016.
Processing of successful applicants’ data by HEE, Deaneries and employing NHS Organisations
Records containing personal information are subject to the
General Data Protection Regulation 2016 and the Data Protection Act 2018.
The retention period for your data on the Self-Assessment Portal is up to 13
months.
Processing of personal data
The following principles will apply:
- Information about your qualifications, assessments and
appraisals and any other information pertinent to the effective management of
your training and education will be stored on secured management and
administrative systems. Access to this information is restricted to
authorised personnel involved in the management of your training, such as
training programme directors, educational supervisors and other personnel
working for the Data Recipients and NHS employing organisations. Your
data will be treated as confidential.
- Sharing your personal data – your personal data may be
shared with other organisations (referred to as Data Recipients in this
policy), using secure channels to provide the best possible training and
education and to ensure that we discharge responsibilities for employment and
workforce planning for the NHS; this will be on a legitimate need to know basis
only.
The Data Controller and the Data Recipients will process your
data for the following purposes:
- Managing the provision of training programmes
- Quality assurance of training programmes
- Workforce planning
- Managing patient safety
- Compliance with legal and regulatory responsibilities, including monitoring under the Equality Act 2010
- Purposes of revalidation (where this applies)
- Employment purposes
Your personal data will not be shared without your consent (save
in the way described below). The Data Controller will not share your
personal data unless satisfied of the following matters:
- The data sharing is for a legitimate purpose and is proportionate
- Where the data are used for analysis and publication by the
recipient, any publication will be on an anonymous and aggregated basis and
will not make it possible to identify any individual
- The data will be handled by the Data Recipients in accordance
with the General Data Protection Regulation
- The Data Recipients will maintain appropriate technical and
organisational controls to ensure the protection of your personal data
- The data will not be transferred outside the EEA without
adequate protection
Data Recipients are bodies from the following list: the UK
Health Departments, Royal Colleges and Faculties, HEE local offices and
devolved nation Deaneries (Scotland, Wales and NI), regulatory and licensing
bodies (including the General Medical Council, General Dental Council, General
Pharmaceutical Council and Health and Care Professions Council), NHS
Trusts/Boards/Social Care Trusts, Medical Schools Council, UK Medical Schools
(including overseas campuses), Higher Education Institutions, Royal
Pharmaceutical Society, Academy of Healthcare Science, Work Psychology Group,
Pearson Vue, approved academic researchers (i.e. individuals undertaking
analysis for academic, non-commercial purposes on behalf of or in partnership
with the Data Controller), Cloudoko, our IT supplier, and future employers
(including private providers of healthcare).
- Use of recruitment data for evaluation, research, pilots and
testing purposes – in addition to the data sharing referred to above, we
may need to share your personal data and special category personal data with
HEE local offices, the devolved nation Deaneries (Scotland, Wales & NI),
the Department of Health and Social Care, the GMC, the GDC or any organisation
designated by Health Education England.
The Department of Health and Social Care is a Data Recipient of
all recruitment data. The data extracts sent across contain details of
all applications (and therefore include your personal data and your GDC/GMC
number). These extracts are held securely and confidentially with access
restricted to analysts who are not directly involved in the recruitment process
itself but need access to the data to perform certain tasks. The data
from these data extracts are used for research and statistical purposes
only.
For evaluation and research, your aggregated personal data will
be shared with the GMC or GDC or Academy of Healthcare Science. These
research data are not used to make decisions about individual data subjects and
all reports produced as a result of the research will be anonymous such that it
will not be possible to identify an individual in any such report. A key
requirement of the research undertaken is to understand applicant behaviour
over time, to inform workforce planning and develop and improve recruitment
systems. As part of the development of recruitment systems “real” (as
opposed to dummy) information must be used for testing purposes. The
carrying out of research and the testing of systems will not have any impact on
data subjects.
Legal Basis for Processing
The GDPR requires that data controllers and organisations that
process personal data demonstrate compliance with its provisions. This
involves publishing our basis for lawful processing.
As personal data is processed for the purposes of statutory
functions, the legal basis for the processing of personal data, as listed in Article
6 of the GDPR, is as follows: 6(1)(a) - Core purpose. Please note that HEE’s
main privacy notice can be accessed here:
https://www.hee.nhs.uk/about/privacy-notice
We may seek your consent for some processing activities.
If you do not give your consent for us to use your data for these purposes, we
will not use your data for these purposes, but your data may still be retained
by us and used by us for other processing activities based on the above lawful
conditions for processing.
Your rights under GDPR
- Right to rectification and erasure – the GDPR extends and
strengthens your rights as a data subject. Under the GDPR you have the right to
rectification of inaccurate personal data and the right to request the erasure
of your personal data. However, the right to erasure is not an absolute
right and it may be that it is necessary for the data controller to continue to
process your personal data for several lawful and legitimate reasons.
- Right to object – you have the right, in certain
circumstances, to ask the data controller to stop processing your personal data
in relation to the recruitment process. However, the right to object is
not an absolute right and it may be that it is necessary in certain
circumstances for the data controller to continue to process your personal data
for several lawful and legitimate reasons.
If you object to the way in which the data controller is processing your
personal information or if you wish to ask the data controller to stop
processing your personal data, please contact the appropriate recruitment
office. However, if the data controller stops processing your personal
data, this may prevent them from providing you with the best service.
- Subject Access – you can access a copy of the information
held about you by writing to HEE’s Public and Parliamentary Accountability Team
(DPA@hee.nhs.uk). This information is generally available to you free of
charge, subject to the receipt of appropriate identification.
- Data Portability – the GDPR sets out the right of a data
subject to have their personal data ported from one controller to another on
request, in certain circumstances. You should discuss any request for
this with the appropriate recruitment office.
If you want to complain about how your personal data has been
used or to know more about how your information will be used, please contact
HEE’s Data Protection Officer at ig@hee.nhs.uk. Emails should be marked
“FAO the Data Protection Officer”.
Alternatively, you can also contact the Information
Commissioner’s Office (ICO) if you have a complaint about the processing of
your personal data:
The Office of the Information Commissioner, Wycliffe
House, Water Lane, Wilmslow, Cheshire, SK9 5AF
What are cookies?
Cookies are small text files that are placed on your computer by
websites that you visit. They are widely used in order to make websites work,
or work more efficiently, as well as to provide information to the owners of
the site.
How do we use cookies?
When you access the Self-Assessment Portal, your computer's
browser provides us with information such as your IP address, browser type,
access time and referring URL which is collected and used to compile
statistical data on the use of our system. This information may be used to help
us to improve our system and the services we offer.
What type of cookies do we use?
We do not use cookies on our system other than in the online
application section where session cookies are used. These are required to
enable that section of the site to be used and navigated. A session cookie is
stored temporarily by your computer.
How to manage your cookies
Session cookies can be disabled by changing the settings on your
browser, but you will not be able to access the application form section of our
system if you do so. In this case, please write to us for more
information.
Your responsibilities under GDPR
It is important that you work with us to ensure that the
information we hold about you is accurate and up to date. Please inform
us if any of your personal data needs to be updated or corrected.
All communications about the Self-Assessment Portal will
normally be by email. It is therefore essential for you to maintain an
effective and secure email address or you may not receive information or other
important news and information about your employment or training.
Health Education England’s privacy notice is available at: https://www.hee.nhs.uk/about/privacy-notice
Health Education and Improvement Wales privacy notice is available at: https://heiw.nhs.wales/use-of-site/privacy-policy/
NHS Education for Scotland privacy notice is available at: https://www.nes.scot.nhs.uk/privacy-and-data-protection.aspx
Northern Ireland Medical & Dental Training Agency privacy notice is available at: https://www.nimdta.gov.uk/privacy-notice/