Data protection School of Medicine Privacy Notice

Privacy Notice for Ulster University, School of Medicine

Ulster University (“we”, “us”, “our” and “the university”) is committed to protecting the privacy and security of your personal information.

This privacy notice is supplementary to University’s Student Privacy Notice and describes how we collect and use personal information about you during and after your working relationship with us, in accordance with UK data protection legislation, specifically the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

It applies to all students (“you” and “your”) who apply to or register with a medical or physician assistant programme within the School of Medicine.

What is the purpose of this document?

This privacy notice describes how Ulster University School of Medicine collects, uses, retains and discloses personal information. Personal information is any information that can be used to identify a living individual, directly or indirectly. It is the same as ‘personal data’ as defined in data protection legislation.

This Privacy Notice should be reviewed in conjunction with the University’s Student Privacy Notice.

Please see the section ‘What personal information do we collect?’ for a description of the personal information we hold about you. The law says that personal information should be processed fairly, lawfully and transparently: information is used in a way that people would reasonably expect; and people know how their information will be used by Ulster University School of Medicine. This means we are required to inform you of the following:

• Why we need your personal information
• How it will be used
• With whom it will be shared
• Your rights to control how we use your information

Data protection legislation covers the lawful processing of personal information. Ulster University is a ‘Data Controller’ under the UK data protection legislation and is registered with the Information Commissioner’s Office (ICO) under: University of Ulster, Cromore Road, Coleraine, BT52 1SA

General information on data protection and your rights is publicly available from the ICO website.

If you have any questions about this privacy notice or how your personal information is used by Ulster University, then please contact the University’s Data Protection Officer:

Eoin Coyle at: c/o Ulster University, Room J308, Coleraine, BT52 1SA, 02871 675525 GDPR@ulster.ac.uk

What personal information do we collect?

Some personal information is collected by central University services and some directly by the School of Medicine. We include examples of both here as the University is considered a single data controller. The types of personal information we collect from you and use for the purposes set out below include, but are not limited to:

• Names, addresses, telephone numbers, date of birth
• Next of kin details
• UCAS information
• Entrance test information including GAMSAT and interview data
• Student funding details
• Student placement details
• Assessment scores and outcomes including those related to professionalism
• Attendance and engagement
• Photographs
• Responses to surveys including student evaluation questionnaires
• Recommendations for reasonable adjustment
• Computer use
• Qualifications and awards
• Healthcare provider details
• Data relating to complaints or appeals, by or against students
• Data relating to Fitness to Practise concerns

Some personal information collected by Ulster University and the School of Medicine is classed as “special category personal data”. This includes:

• Racial or ethnic origin
• Physical or mental health information
• Religious beliefs or beliefs of a similar nature
• Sexual orientation
• Identified pronouns
• Criminal convictions, offences, warnings

The legal basis for collecting and using your information?

The legal bases for collecting and processing your personal information are set out in Article 6 UK GDPR (lawfulness of processing), Article 9 UK GDPR (special category data) and Article 10 UK GDPR (criminal offence data). We will process your personal information on the following lawful bases:

1. To perform the contract we have entered into with you - Article 6(1)(e) UK GDPR.
2. Where we need to comply with a legal obligation as per Schedule 1 of Data Protection Act 2018 (for example, preventing and detecting unlawful acts, protecting the public and safeguarding individuals) - Article 6(1)(c) UK GDPR
3. Where it is necessary for legitimate interests pursued by us or a third party and your interests and fundamental rights do not override those interests - Article 6(1)(f) UK GDPR.
4. To fulfill public task / statutory responsibilities - Article 6(1)(e) UK GDPR
5. Where you have provided explicit consent - Article 9(2)(a) UK GDPR.
6. To protect your vital interests – Article 9(2)(b) UK GDPR
7. Where it is necessary for the establishment, exercise or defense of legal claims – Article 9(2)(f) UK GDPR
8. Where processing is necessary for reasons of substantial public interests – Article 9(2)(g) (e.g. Equality of opportunity or treatment, preventing or detecting unlawful acts, protecting the public, safeguarding of children and individuals at risk.

In particular, your personal information may be used by us, our employees, service providers, and disclosed to third parties for the following purposes:

Criminal convictions and offences

Personal information related to criminal convictions and offences will only be used under the control of official authority or where processing is authorised by the law. Students on regulated courses require criminal record checks before they can take up clinical placements and/or access environments involving children or vulnerable adults. We will also ask for self-declarations of criminal convictions and offences and therefore may be notified of such information directly by you while you are involved with the School of Medicine.

The lawful bases for processing personal data relating to criminal convictions and offences will be as follows:

1. Protecting the public against dishonesty, malpractice or other seriously improper conduct, unfitness or incompetence
2. Regulatory requirements relating to unlawful acts and dishonesty

Who will we share your personal information with

For applicants to the School of Medicine (MBBS and MSc Physician Associate Studies) and students enrolled on these courses, we will share data with:

The General Medical Council (GMC), the independent regulator of doctors, physician associates and anaesthesia associates in the UK, and the UK Foundation Programme Office (UKFPO), the organiser of postgraduate training for medical graduates.

We will share your information with the GMC and, where applicable, the UKFPO to assist them in their statutory functions and obligations to you as a UKFPO applicant, including:

• Registration:
  • For medical graduates: we will share information with the GMC and UKFPO to progress your UKPFO application and grant you provisional registration. This may include information about Fitness to Practise incidents involving you which the university investigated and confirming relevant details.
  • For physician associate graduates: we will share information with the GMC to support your application for registration. This may include confirming successful completion of the programme and information about Fitness to Practise incidents involving you which the university investigated.
• Research (medical courses only): we will share information about applicants and students which will help the GMC to conduct research into medical education, through the UK Medical Education Database (UKMED). This may include demographic data, attainment and exam data, and fitness to practice information. This information will not be used for other purposes by the GMC, will not be used to make decisions about your registration, will not be published in a way which could identify you, and will only be used with the appropriate safeguards as set out in data protection legislation to ensure your privacy is respected.

The School of Medicine may also share your information with:

• Statutory bodies e.g. HESA, Irish Medical Council (in addition to the GMC)
• Department of Health and SUMDE office
• Placement Providers for managing undergraduate medical training
• Health and Social Care Trusts involved with education delivery
• Primary healthcare and community organisations involved with education delivery
• The Medical Schools Council for its own research purposes
• Organisations involved in the administration of student funding e.g. University Hardship Fund, Student Loans companies, NHS Bursaries Office, Scholarship providers, award or prize providers
• Software providers for teaching and assessment purposes including e-Portfolio
• Other departments within Ulster University
• GP Sub-Deanery (through Queens University Belfast) for the allocation of GP clinical placements

Transfers of your personal information

Ulster University School of Medicine does not routinely transfer or store your personal data outside the jurisdiction of the United Kingdom ("UK"). If we do, for example where it is processed by staff operating outside the UK who work for the University or for one of our suppliers, or where personal data is processed by one of the University’s suppliers who is based outside the UK or who uses storage facilities outside the UK, your personal data will only be transferred on one of the following bases:

• where the transfer is subject to one or more of the "appropriate safeguards" for international transfers prescribed by applicable law (e.g. International Data Transfer Agreement (“IDTA”) or the UK Addendum to the Standard Contractual Clauses adopted by the European Commission);
• UK Adequacy Regulations provide that the country or territory to which the transfer is made ensures an adequate level of protection; or
• there exists another situation where the transfer is permitted under applicable law (e.g. where we have your explicit consent).

How long will we hold your personal information?

The University will only retain your personal information for no longer than is necessary. Please see the University’s retention schedule for more information Ulster University Retention and disposal schedule

What are your rights?

As a University data subject, you have the right to:

• Access and obtain a copy of your personal data on request.
• Require the University to change incorrect or incomplete personal data.
• Require the University to delete or remove your personal data, for example where the data is no longer necessary for the purposes of processing.  Note, however that the University may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to the processing of your personal data where the University is relying on its legitimate interests as a legal ground for processing.
• Where the University is relying upon consent to process your personal data, you may withdraw your consent at any time; and ask the University to stop processing personal data for a period if the personal data is inaccurate or there is a dispute about whether or not your interests override the University’s legitimate grounds for processing the personal data.

To exercise your rights to your personal information, please contact the university’s data protection officer:

Eoin Coyle at: c/o Ulster University, Room L143, Coleraine, BT52 1SA 02871 675525 GDPR@ulster.ac.uk

If you are not satisfied with how the University is processing your personal data, you can make a complaint to the ICO. Further information about your data privacy rights is available on the ICO’s website.