Are You Ready NotificationAre You Ready? Oriel browser support is changing. More information Close

Privacy Policy

How we process your data

This notice explains how we will use the data you provide to us when applying for a place on a training programme. We will process that data in accordance with the Data Protection Act 1998, and will do so for three main purposes:

  1. Processing your data during the recruitment process
  2. Processing of successful applicant data by Local Education and Training Boards (LETBs), Deaneries and Royal Colleges.
  3. Use of recruitment data for evaluation, research and testing purposes

In order to manage and quality assure your training, the LETB/Deanery needs to collect, store and process information about you. This is done in compliance with the Data Protection Act 1998, and in accordance with the data protection principles set out in the Act. Among other matters, these require that your data must be processed fairly and lawfully.


Terms Used In this Notice

There are some terms that appear in the Data Protection Act 1998 that are used in this notice. These are explained below:

Data Controllers and Data Processors

Health Education England (HEE) is the Data Controller;

Other organisations that operate the Oriel system such as recruiting Royal Colleges and recruiting offices in Northern Ireland, Scotland and Wales are "data controllers in common";

The Data Processor is the Oriel Supplier, Deloitte MSC Ltd.

Data Recipients: organisations to whom your data are disclosed in accordance with the principles set out in this Notice, as defined further below.

Data Subject: you, i.e., the person whose data is obtained as part of the recruitment process and processed in the way described in this Notice.

Personal Data: Recorded information from which you, the Data Subject, can be identified either directly or indirectly. 

Sensitive Personal Data: personal information about your racial or ethnic origin, your political opinions, your religious beliefs and your physical or mental health or condition, your sexual life, the commission or alleged commission by you of any offence, any proceedings for such an offence and any sentence passed as a result of those proceedings.

This Notice supersedes any earlier notices regarding the use of your data by the Data Controller and Data Recipients.

In general terms, the Act requires that your Personal Data is processed lawfully and fairly, and only used for the purposes for which it was obtained. Sensitive Personal Data is subject to a greater level of protection by the Act and generally will not be processed without your consent.

1. Processing your data during the recruitment process

Your application will be held securely and in confidence. Access will be restricted to designated persons who are authorised to view it as a necessary part of their work.

During the recruitment process your Personal Data and your Sensitive Personal Data will be used by the LETB/ Deanery for the purpose of determining your application for this position. It will also be used for purposes of enquiries in relation to the prevention and detection of fraud. Your (non-sensitive) Personal Data will be shared with other LETB/ Deaneries and other organisations involved in the planning, management and delivery of training including the Department of Health, Medical Royal Colleges and Faculties and the GMC or GDC as part of the determination of your application. Where your data is shared with another organisation, the principles set out in this Notice will be adhered to.

Once a decision has been reached about your application, all the information held about you will not be kept on the recruitment system any longer than a year after the recruitment.

2. Processing of successful applicants’ data by LETBs/ Deaneries/Trust.

If your application is successful your Personal and Sensitive Personal Data will be imported into the database of the LETB/Deanery/Trust where you will be training. In which case the following principles will apply:

A. Processing of Personal and Sensitive Personal Data

The Data Controller will store and process information about you, including where you live, work and train, on secure management information systems. Information about your qualifications, assessments and appraisals and any other information pertinent to the effective management of your training and education will be stored on a secure database. Access to this information is restricted to authorised personnel within the Data Controller and to authorised personnel involved in the management of your training, such as programme directors, supervisors and other personnel working for the Data Recipients and Trusts/Boards and Data Recipients.
Your data will be treated as confidential by the Data Controller (subject to what is said below about data sharing). It will be retained only for as long as necessary to manage and quality assure your training, following which it will be securely destroyed. 

B. Sharing Your Personal Data

Your Personal Data may be shared with other organisations (called "Data Recipients" in this Notice), using secure channels. The Data Controller and the Data Recipients will process your data for the following purposes:

  • Managing the provision of training programmes
  • Quality assurance of training programmes
  • Workforce planning
  • Maintaining patient safety
  • Compliance with legal and regulatory responsibilities, including monitoring under the Equality Act 2010
  • Purposes of revalidation (where this applies)
  • Employment purposes

Your Sensitive Personal Data will not be shared without your consent (save in the way described below). The Data Controller will not share your Personal Data unless satisfied of the following matters.

  • The data sharing is for a legitimate purpose and is proportionate.
  • Where the data are used for analysis and publication by the recipient, any publication will be on an anonymous and aggregated basis and will not make it possible to identify any individual.
  • The data will be handled by the Data Recipients in accordance with the Data Protection Act 1998.
  • The Data Recipients will maintain appropriate technical and organisational controls to ensure the protection of your Personal Data.
  • The data will not be transferred outside the EEA without adequate protection.

Data Recipients may include bodies from the following non-exhaustive list:  the UK Health Departments, Medical Royal Colleges, other LETBs/ deaneries, Regulatory and/or Licensing Bodies (including the General Medical Council and General Dental Council), NHS Trusts/Boards, approved academic researchers (i.e. individuals undertaking analysis for academic, non-commercial purposes on behalf of or in partnership with the Data Controller) and future employers.

C. Your responsibilities and rights

It is important that you work with us to ensure that the information we hold about you is accurate and up to date, so please inform us immediately if anything changes. 

All communications from the LETB/ Deanery/Medical Royal College will normally be by e-mail (unless you ask us to communicate with you in a different way). It is therefore essential for you to maintain an effective e-mail address, or you may not receive information about your posts and your assessments or any other important news and information about your training. You may also be excluded from participation in mandatory activities such as the National Survey of Trainee Doctors.
If at any point you wish to access your Personal Data, you may make a request in writing, and pay the appropriate fee where applicable. Please contact your LETB/ Deanery for details.

3. Use of recruitment data for evaluation, research, pilots and testing purposes

In addition to the data sharing referred to above, we may need to share your Personal and Sensitive Personal Data with Health Education England, the Department of Health, the GMC or GDC or any organisation designated by Health Education England.  

The Department is a Data Recipient of extracts from all recruitment systems. The extracts contain details of all applications (and therefore include your Personal and Sensitive Personal Data and your GMC number). These extracts are held securely and confidentially with access restricted to analysts who are not involved in the recruitment process itself but need access to the data to perform certain tasks. The data from these extracts are used by the Department for research and statistical purposes only (which are allowed for under Section 33 of the Data Protection Act). 

For evaluation and research your (non-sensitive) Personal Data for applicants to medical or dental training posts contained within the extracts will be shared with the GMC or GDC or Academy of Helathcare Science. These research data are not used to make decisions about individual data subjects and all reports produced as a result of the research will be anonymous such that it will not be possible to identify an individual in any such report.  A key requirement of the research undertaken by the Department is to understand applicant behaviour over time, to inform workforce planning and develop and improve recruitment systems.

As part of the development of recruitment systems "real" (as opposed to dummy) information must be used for testing purposes. The carrying out of research and the testing of systems will not have any impact on data subjects.

If you have any concerns about data protection, please contact the Information Commissioner's Office (ICO). The ICO deals with complaints about information matters. Further details, and useful help and guidance, can be found on its website – www.ico.org.uk.