Privacy notice/disclaimer

This privacy notice explains how the Joint Advisory Group for GI endoscopy (JAG-UK) at the Royal College of Physicians (RCP) and the National Endoscopy Quality Improvement Programme (NEQIP) collects, stores, manages and protects your personal data. It outlines the types of data that we hold and how we use them.

The RCP, on behalf of NEQIP, hosts your data upon servers located within the UK, in accordance with current recommended UK data governance practices. Data is managed within NZ by the NEQIP team.

The RCP takes its responsibilities around the correct collection, use and destruction of the personal data of its various audiences and stakeholders very seriously and is committed to openness and fairness in the handling of personal data.

What information do we collect about you? 

If you are a staff member working in a clinical service and contributing to the New Zealand Global Rating Scale (NZGRS) activity, then the RCP will, on behalf of NEQIP, collect and process the following data:

  • Name and job title of staff working in the service and scope of practice
  • Contact details including work email and phone number of key service personnel including CEO, hospital director (or equivalent), medical director (or equivalent), nursing director (or equivalent)

How will we use your information?

We use the information you give us to:

  • provide you with the services you registered for and the information about our activities and events 
  • administer any user accounts we set up for you
  • send publications, newsletters and updates that are relevant to the programme, including training days
  • conduct surveys and process your response to any survey you participate in for research, evaluation and statistical purposes
  • keep your data up to date and maintain an internal record of your relationship with us

Patient/sensitive personal data

JAG-UK and NEQIP do not require access to any patient identifiable data. As your organisation/service is recognised as the data controller for any patient and employee data you hold under the NZ Privacy Act 2020, it is your responsibility to ensure you process the data accordingly.

How we collect the data

The majority of our information is obtained directly from you as part of our registration process which is completed online.

If you are an assessor that has expressed an interest in being part of our assessment team we may also capture your data via email. 
We may also obtain your information when we use cookies on our websites (see below).

Cookies

JAG-UK uses cookies to ensure you get the best experience on the website. If you wish to, you may change your browser settings at any time. Go to www.aboutcookies.org for information on how to do this.

Cookies are small information files placed on your device and are used to improve services for you by: 

  • enabling the service to recognise your device so you do not need to give the same information repeatedly
  • recognising when you have already given a username and password so that you do not need to do so for every subsequent web page you visit
  • measuring how many people are using the services we provide, so we can make them easier and faster to use
  • analysing data, anonymously, to help us understand how people interact with government services.

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your computer, mobile phone or whatever device you are using to access the internet. This information is held in cookies. You can learn more about cookies from the article 'internet browser cookies - what they are and how to manage them'. 

Cookies cannot be used to identify you personally.

For more information about how to remove cookies from your device, or how to block individual cookies from being received, please see the instructions and guidance at www.aboutcookies.org.

See below for further details about cookies you may encounter while visiting the JAG-UK website. These details include what information is being held, how long you can expect it to be stored, and how your experience of our website will change if you block individual cookies from being sent to your device.

Cookie: Google Analytics
Names:  _gat, _ga, _gid, __utma, __utmb, __utmc, __utmt, __utmz
Lifespan: Up to 2 years
Purpose: Usage monitoring. These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site.
The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from, the pages they visited and the technology they were using (browser, device information).

Further information on the cookies used by Google Analytics can be found here.

Name:  ASP.NET_SessionId
Lifespan: Session
Purpose: Strictly Necessary, used to maintain an anonymised user session by the server.

Name:  ASPXFORMSAUTH
Lifespan: Session
Purpose: Strictly Necessary, you must accept this cookie to be able to login to the website and use the elements within the site. Without this cookie the website will not function as intended.

Name: CookieCompliance
Lifespan: Unlimited
Purpose: Tracks confirmation of cookie acceptance for the site on this device 

Name: lang
Lifespan: Session
Purpose:  Functionality, used to store language preferences

Name: __AntiXsrfToken
Lifespan: Session
Purpose: Strictly Necessary, used to protect against cross-site request forgery (also known as XSRF or CSRF).

Who do we share your information with and why?

We share your data with:

  • Weblogik Ltd who are a software company under contract to the RCP to provide hosting and development of the programme website, which is necessary for delivering the accreditation programme. 
  • Accreditation assessors who are professionals working in the healthcare sector under contract to the RCP. We share your data with assessors for them to liaise with you on progress of your accreditation including arranging assessments. 

Weblogik Ltd, all RCP and NEQIP employees, and other contractors are bound by the required legal and regulatory contractual clauses regarding confidentiality and data protection.

We do not share your personal data with any other organisations. Census data from the NZGRS is shared with the organisations listed below.

National Bowel Screening Programme (NBSP)

The NBSP funds and holds overarching responsibility for the delivery of the National Endoscopy Quality Improvement Programme.

Endoscopy Guidance Group New Zealand - National Bowel Screening Programme Advisory Committee (EGGNZ NBSP AC)

The EGGNZ NBSP AC provides guidance to NEQIP and supports NBSP quality assurance processes.

Research

JAG-UK and NEQIP may use anonymised data for research provided the application for data is deemed appropriate by NEQIP and the NBSP. All research outputs are published so that learning can be taken forward by endoscopy services. Individual services are not identifiable in any research outputs.

How long we keep your data and why

JAG-UK retains data relating to your service for as long as you are engaged with the NEQIP programme. Any user accounts will be deleted upon request from the individual or service. Any service reports will be kept on file permanently so that a record of previous engagement and assessments can be maintained and progress over time can be reviewed.

How do we protect your data?

We ensure that there are appropriate and operational measures in place to protect your personal data, in alignment with the requirements of Cyber Essentials and the RCP's Data Security Protection Toolkit.

We have appropriate technical controls in place to protect your personal data, including:

  • The RCP's external network perimeter is protected via dual boundary firewalls.
  • Anti-virus and malware software/solutions have been deployed to all networked computers.
  • All networked systems use password-based authentication. Passwords must conform to a controlled standard.
  • Networked systems are monitored externally via a managed SIEM solution, which provides real-time analysis of security alerts generated by applications and network hardware.
  • Vulnerability scanning on all internal and external systems is carried out daily.
  • Mobile and removable devices are encrypted in line with organisation policy. Mobile smart devices can be remotely wiped on demand.

We have appropriate operational measures in place to protect your personal data.

We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors. Unstructured data is monitored via a third-party solution designed for this express purpose, and any change to file permissions generates an alert.

We have a robust audit framework in place to ensure internal and external measures and obligations are in place and being maintained.

We have appropriate contractual measures in place to protect your personal data:

  • Where we have contracted third parties to support us in the delivery of the accreditation programme, a contract is in place that sets out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf, or have access to.
  • Third parties are asked to complete a bespoke data security framework toolkit as part of the procurement process, which checks that they have the capability to meet the required standards when handling or processing RCP owned data. 
  • Third parties invited to work on our systems are asked to complete a non-disclosure agreement, prior to accessing RCP information systems. 

Who to contact at the RCP and how to complain

If you have any concerns about how your personal data is being collected and processed, or wish to exercise any of your rights detailed in this privacy notice please contact:

The RCP Data Protection Officer
Email: dataprotection@rcplondon.ac.uk 
Tel: +44 (0)20 3075 1505

If your complaint relates specifically to NEQIP contact the team on: neqip@cdhb.health.nz

Future changes

If our information practices change we will update this statement to reflect that. Regularly reviewing this information ensures you remain aware of what data we hold and use.

This privacy notice was last updated for New Zealand in March 2023.
