Privacy Policy

How we process your data
This privacy policy explains how we will use the data you provide to us when applying for a place on a training.  We will process that data in accordance with the Data Protection Act (DPA) 1998, and will do so for three main purposes:

 Processing of your data during the recruitment process
 Processing of successful applicant data by Health Education England (HEE) local offices, Deaneries, Royal Colleges and employing NHS organisations
 Use of recruitment data for evaluation, research and testing purposes

In order to manage and quality assure your training, the HEE local office/devolved nation Deanery needs to collect, store and process information about you.  This is done in compliance with the General Data Protection Regulation (GDPR) 2018, and in accordance with the data protection principles set out within the regulation.  Among other matters, these require that your data must be processed fairly and lawfully.

If our privacy policy changes in any way, we will publish this on the Oriel website.  Regularly reviewing the Oriel privacy policy ensures you are always aware of what information we collect, how we use it and under what circumstances, if any, we will share it with other parties.

Data Controllers and Data Processors
Health Education England (HEE) is the Data Controller;

Other organisations that operate the Oriel system such as the recruiting Royal Colleges and recruiting offices in Northern Ireland, Scotland and Wales are “data controllers in common”;

The Data Processor is the Oriel Supplier, Deloitte MSC Ltd.

Data Recipients: organisations to whom your data are disclosed in accordance with the principles set out in this privacy policy, as defined further below.

Data Subject: you, i.e. the person whose data is obtained as part of the recruitment process and processed in the way described in this privacy policy.

Legal Basis for Processing
The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions.  This involves publishing our basis for lawful processing.

As personal data is processed for the purposes of statutory functions, legal bases for the processing of personal data as listed in Article 6 of the GDPR are as follows:

• 6(1)(a) - Consent of the data subject
 6(1)(b) - Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
 6(1)(c) - Processing is necessary for compliance with a legal obligation
 6(1)(e) - Processing is necessary for the performance of official functions vested on the data controller

Where special categories of personal data are processed, the additional legal bases for processing such data, as listed in Article 9 of the GDPR are as follows:

 9(2)(a) - Explicit consent of the data subject
 9(2)(b) - Processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
 9(2)(f) - Processing is necessary for the establishment, exercise or defence of legal claims or wherever courts are acting in their judicial capacity
 9(2)(j) - Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes

Special categories of personal data include data relating to racial or ethnic origin, political opinions, religious beliefs, sexual orientation and data concerning health.

Please note that not all of the above legal bases will apply for each type of processing activity undertaken.  However, when processing any personal data for any particular purpose, one or more of the above legal bases will apply.

We may seek your consent for some processing activities.  If you do not give your consent for us to use your data for these purposes, we will not use your data for these purposes, but your data may still be retained by us and used by us for other processing activities based on the above lawful conditions for processing.

Processing your data during the recruitment process
Your application will be held securely and in confidence. Access will be restricted to designated persons who are authorised to view it as a necessary part of their work.

During the recruitment process, your personal data and special categories of personal data will be used by the HEE local offices, Deaneries and recruiting Royal Colleges for the purpose of determining your suitability for this position.

It will also be used for the purposes of enquiries in relation to the prevention and detection of fraud.

Your personal data will be shared with other organisations involved in the planning, management and delivery of training including the HEE local offices and Deaneries, employing NHS organisations, Department of Health and Social Care, Royal Colleges and Faculties, regulatory bodies, such as the GMC and GDC, Qpercom (our digital scoring system) as part of the determination of your application.  Where your data is shared with another organisation, the principles set out in this privacy policy will be adhered to.

Once a decision has been reached about your application, information held about you will not be kept on the recruitment system for any longer than 13 months after the start date of the post to which you have applied.  Pseudo anonymised data is retained in our data warehouse to allow for longitudinal analysis.

Processing of successful applicants’ data by HEE Local Offices, Deaneries and employing NHS Organisations
If your application is successful, your personal (including special categories) data will be imported into the workforce database of the HEE local office/ Deanery responsible for your training.  In addition, this data will also be provided to your employing NHS organisation (e.g. NHS Trust) through the Oriel employer portal.  The following principles will apply:

 Processing of personal and special category personal data – the Data Controller will store and process information about you, including where you live, work and train, on secure management information systems.  Information about your qualifications, assessments and appraisals and any other information pertinent to the effective management of your training and education will be stored on a secure database.  Access to this information is restricted to authorised personnel within the Data Controller and to authorised personnel involved in the management of your training, such as training programme directors, educational supervisors and other personnel working for the Data Recipients and NHS employing organisations.  Your data will be treated as confidential by the Data Controller (subject to what is said below about data sharing).  It will be retained only for as long as necessary to manage and quality assure your training, following which it will be securely destroyed.

 Sharing your personal data – your personal data may be shared with other organisations (referred to as Data Recipients in this policy), using secure channels to provide the best possible training and education and to ensure that we discharge responsibilities for employment and workforce planning for the NHS; this will be on a legitimate need to know basis only.
The Data Controller and the Data Recipients will process your data for the following purposes:

 Managing the provision of training programmes
 Quality assurance of training programmes
 Workforce planning
 Managing patient safety
 Compliance with legal and regulatory responsibilities, including monitoring under the Equality Act 2010
 Purposes of revalidation (where this applies)
 Employment purposes

Your personal and special category personal data will not be shared with your consent (save in the way described below).  The Data Controller will not share your personal data unless satisfied of the following matters:

 The data sharing is for a legitimate purpose and is proportionate
 Where the data are used for analysis and publication by the recipient, any publication will be on an anonymous and aggregated basis and will not make it possible to identify any individual
 The data will be handled by the Data Recipients in accordance with the General Data Protection Regulation
 The Data Recipients will maintain appropriate technical and organisational controls to ensure the protection of your personal data
 The data will not be transferred outside the EEA without adequate protection

Data Recipients are bodies from the following list: the UK Health Departments, Royal Colleges and Faculties, HEE local offices and devolved nation Deaneries, regulatory and licensing bodies (including the General Medical Council, General Dental Council, General Pharmaceutical Council and Health and Care Professions Council), NHS Trusts/Boards/Social Care Trusts, Medical Schools Council, UK Medical Schools (including overseas campuses), Higher Education Institutions, Royal Pharmaceutical Society, Academy of Healthcare Science, Work Psychology Group, Pearson Vue, approved academic researchers (i.e. individuals undertaking analysis for academic, non-commercial purposes on behalf of or in partnership with the Data Controller) and future employers (including private providers of healthcare).

 Use of recruitment data for evaluation, research, pilots and testing purposes – in addition to the data sharing referred to above, we may need to share your personal data and special category personal data with HEE local offices, the devolved nation Deaneries, the Department of Health and Social Care, the GMC, the GDC or any organisation designated by Health Education England.

The Department of Health and Social Care is a Data Recipient of all recruitment data.  The extracts contain details of all applications (and therefore included your personal and special category personal data and your GMC number).  These extracts are held securely and confidentially with access restricted to analysts who are not directly involved in the recruitment process itself but need access to the data to perform certain tasks.  The data from these extracts are used for research and statistical purposes only.

For evaluation and research, your personal and special category personal data will be shared with the GMC or GDC or Academy of Healthcare Science.  These research data are not used to make decisions about individual data subjects and all reports produced as a result of the research will be anonymous such that it will not be possible to identify an individual in any such report.  A key requirement of the research undertaken is to understand applicant behaviour over time, to inform workforce planning and develop and improve recruitment systems.  As part of the development of recruitment systems “real” (as opposed to dummy) information must be used for testing purposes.  The carrying out of research and the testing of systems will not have any impact on data subjects.

Your rights under GDPR
 Right to rectification and erasure – the GDPR extends and strengthens your rights as a data subject. Under the GDPR you have the right to rectification of inaccurate personal data and the right to request the erasure of your personal data.  However, the right to erasure is not an absolute right and it may be that it is necessary for the data controller to continue to process your personal data for a number of lawful and legitimate reasons.

 Right to object – you have the right, in certain circumstances, to ask the data controller to stop processing your personal data in relation to the recruitment process.  However, the right to object is not an absolute right and it may be that it is necessary in certain circumstances for the data controller to continue to process your personal data for a number of lawful and legitimate reasons.
If you object to the way in which the data controller is processing your personal information or if you wish to ask the data controller to stop processing your personal data, please contact the appropriate recruitment office.  However, if the data controller stops processing your personal data, this may prevent them from providing you with the best service.

 Subject Access – you can access a copy of the information held about you by writing to HEE’s Public and Parliamentary Accountability Team (  This information is generally available to you free of charge subject to the receipt if appropriate identification.

• Data Portability – the GDPR sets out the right of a data subject to have their personal data ported from one controller to another on request, in certain circumstances.  You should discuss any request for this with the appropriate recruitment office.

If you want to complain about how your personal data has been used or to know more about how your information will be used, please contact or you can contact HEE’s Data Protection Officer at

Alternatively, you can also contact the Information Commission if you have a complaint about the processing of your personal data:

The Office of the Information Commissioner, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Your responsibilities under GDPR

It is important that you work with us to ensure that the information we hold about you is accurate and up to date.  Please inform us if any of your personal data needs to be updated or corrected.

All communications from Oriel will normally be by email.  It is therefore essential for you to maintain an effective and secure email address or you may not receive information or other important news and information about your employment or training.

Health Education England’s privacy notice is available at: