Data protection policy and procedures

In order to conduct its business, The Royal College of Radiologists (RCR) processes personal data about living individuals. These are current and prospective individuals who come in to contact with the RCR and with whom it communicates and conducts business.

The RCR has an obligation to ensure that it handles personal data lawfully and correctly adhering to the key principles of the General Data Protection Regulation as set out below:

Principle (a) – lawfulness, fairness and transparency       

Principle (b) – purpose limitation

Principle (c) – data minimisation       

Principle (d) – accuracy        

Principle (e) – storage limitation        

Principle (f) – integrity and confidentiality    

Accountability principle

Your consent

By transacting with The Royal College of Radiologists you are giving consent for your personal data being collected, used and transferred in accordance with the College’s ICO registration and this policy. It is your responsibility to ensure that the College is able to keep your personal data accurate and up-to-date. 

When trainees and examination candidates register with the College they accept that details of their training and examination records may be passed to their trainers, educational supervisors and Deanery/Local Educational Training Board (LETB).                                                                                

Application of the General Data Protection Regulation

The General Data Protection Regulation applies to the processing of personal data by data controllers

What is personal data?

Personal data only includes information relating to natural persons who:

  • can be identified or who are identifiable, directly from the information in question; or
  • who can be indirectly identified from that information in combination with other information.

Types of 'personal data' processed by the RCR include names, addresses, email addresses, date of birth, identification number; location data; and an online identifier.

Special categories data 

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.

Special categories data as defined by the GDPR means personal data consisting of information as to -

(a) race;

(b) ethnic origin;

(c) politics;

(d) religion;

(e) trade union membership;

(f) genetics;

(g) biometrics (where used for ID purposes);

(h) health;

(i) sex life; or

(j) sexual orientation.

What is processing?

‘Processing’ in relation to information or data means the obtaining, recording, or holding of personal data.

The RCR processes personal data in order to -

  • record and update details about the members of the College

  • record and update details about those who are associated, affiliated or work with the College

  • fulfil its duties in respect of training and examining in its specialties

  • create and maintain records for the purpose of providingprofessional development activities

  • undertake surveys, censuses and questionnaires to fulfil its objects and purposes

  • undertake research, audit and quality improvement work to fulfil its objects and purposes

  • produce, review and update standards, guidelines and guidance to fulfil its objects and purposes

  • carry out College Council, board and committee administration

  • fulfil its role in respect of NHS Advisory Appointments Committees

  • fulfil its duties as an employer

  • monitor its activities including the equality and diversity of its activities

  • fulfil its duties in operating premises including security

  • assist regulatory and law enforcement agencies

Where appropriate and governed by necessary safeguards we will carry out the above processing jointly with other appropriate bodies from time to time.

What is a data controller?

A 'data controller' is the body that is responsible for complying with the Data Protection Act within the United Kingdom. The RCR for this purpose under the General Data Protection Regulation is the Data Controller in respect of RCR personal data processing.

The Royal College of Radiologists’ Information Commissioner’s Office (ICO) listing on the Data Protection public register can be viewed at by inputting the College’s registration number Z6099298.

Who is responsible for protecting my personal data?

The trustees of the RCR as a charity registered with the Charity Commission (the trustees are the elected and appointed Officers and the elected members of Council of the RCR) have ultimate responsibility for ensuring compliance with the General Data Protection Regulation for the RCR. Council has delegated this responsibility day to day to the RCR Chief Executive.

The Data Protection Officer is responsible for compliance by the RCR with the General Data Protection Regulation and this policy and the handling of any Subject Access Requests made to the RCR.  The Data Protection Officer can be contacted on 020 7406 5951 or via email at

Subject Access Request

Under the General Data Protection Regulation, any living person, who is the subject of personal data processed by the RCR, has a right to apply for access to that data.  This is known as a Subject Access Request.

Subject access requests provide a right to see the information contained in personal data, rather than a right to see the documents that include that information.

This right applies to all organised data sources. Fellows and members also have the right to be informed on how to keep their personal data up to date.

Subject access requests should be made in writing by email to   or to Data Protection Officer, The Royal College of Radiologists, 63 Lincoln’s Inn Fields, London, WC2A 3JW.  The Data Protection Officer will send an acknowledgement confirming receipt of the request.

The College will respond to a subject access request promptly and in any event within 30 calendar days, or as detailed below if the request relates to examinations, of receiving it, in line with the General Data Protection Regulation.


Examination marks

Under paragraph 8, Schedule 7 of the GDPR the time limit for the period in which a subject access request has to be dealt with is extended to the earlier of:

  1. the end of five months from the date of the request; or

  2. the end of 30 days from the date of the announcement of the results

Examination scripts

Under Schedule 7, paragraph 9 it is provided that anything recorded by candidates is exempt from a subject access request.  Therefore candidates do not have an automatic right of access to examination scripts.

Transferring of business data

Third party data transfer within the UK

In order for the RCR to perform its day-to-day activities it uses the services of third-party data processors. The RCR as a data controller is legally responsible for the processing undertaken by its data processors therefore the RCR has ensured that third party businesses are contractually obliged to comply with Information security as set out in the General Data Protection Regulation on its behalf.

Transfer of personal data outside the UK

The RCR transfers personal information overseas.  Where transfers are made within the EEA, the RCR will adhere to the ICO guidance on transfer of data. 

The College performs various activities in a number of countries. Personal data sent to these countries is sent securely in compliance with the requirements of the General Data Protection Regulation.

Diversity monitoring

The College monitors the diversity of its Fellows and members, its employees and others in order to ensure that there is no inappropriate or unlawful discrimination in the way the RCR conducts its activities.  This data will be treated as confidential.  It will only be accessed by authorised individuals at the College and will not be disclosed to any other bodies or individuals.  Anonymised data derived from diversity monitoring will be used for monitoring purposes and may be published and passed to other bodies. 

Online directory of Fellows and members

The College maintains an online directory of its Fellows and members, which can be accessed through the members’ and Fellows’ area of the website using a password. This is not available to the public.  Upon registration with the College the default information of name and membership type will automatically appear.  The full listing comprises postal address, telephone and facsimile numbers and email address for both home and work (when known).  You may, if you wish, restrict the data that appears in the online Directory, through myRCR and withhold publication of any of your personal data in the Directory altogether.  The College makes every effort to prevent data being copied or multiple searches taking place to avoid improper use of personal data.