JETS, JETS Workforce and NED Privacy Notice

This privacy notice explains how the JAG Endoscopy Training System (JETS), JAG Endoscopy Training System Workforce (JETS Workforce) and the National Endoscopy Database (NED) at the Royal College of Physicians (RCP) collects, stores, manages and protects your personal data. It outlines the types of data that we hold and how we use them. The RCP takes its responsibilities around the correct collection, use and destruction of the personal data of its various audiences and stakeholders very seriously and is committed to openness and fairness in the handling of personal data.

What information do we collect about you?

If you are an individual participating in any of these projects, then the RCP will collect and process the data as outlined below.

JETS (JAG endoscopy training system)

• Name, professional body, registration number, role, job title, and specialism.
• Ethnicity, sex, gender identity, and sexuality.
• Email address(es), phone number(s), current work and correspondence address, registration number (GMC/NMC) and National Training Number.
• Country, deanery, organisation, department, academy region and hospital worked at currently and historically.
• Notes from appraisals.
• Training courses booked and attended.
• Certification achieved and current level of training.
• Information regarding procedures performed including performance and feedback using JAG procedure feedback forms (DOPS and DOPyS).

If you are a professional that is, or wants to be, part of our assessment team then we will collect and process the following data:

• Name, address, personal email address and telephone number.
• Current employment information including name and address of your existing employer.
• Employment history and relevant qualifications.
• Bank account details where relevant.

If you are a professional that is, or wants to be, a trainer then we will collect and process additional data:

• Feedback on training courses delivered.

JETS Workforce

• Name, email, professional body, registration number, role and job title.
• Ethnicity, gender identity and sexuality.
• Sites worked at.
• Performance and feedback using JAG procedure feedback forms (DOPS and DOPyS) and information added as witness statements.
• Training courses booked and attended.
• Learning objectives.

NED (National Endoscopy Database)

• Name, email, professional body, registration number.
• Sites worked at.
• Information regarding endoscopic procedures performed.

How will we use your information?

We use the information you give us to:

• Administer any user accounts we set up for you.
• Send you publications, newsletters and updates that are relevant to the programme.
• Provide you with the services you registered for and information about our activities and events.
• Conduct surveys and process your response to any survey you participate in for research, evaluation and statistical purposes.
• Analyse and improve the activities and content offered by the website(s) to provide you with the most user-friendly navigation experience.
• Keep your data up to date and maintain an internal record of your relationship with us.
• Communicate with you and provide you and appropriate people within your organisation with a visual display of your training progress, certification status (JETS), and endoscopy performance (NED).
• Provide appropriate feedback if you are one of our assessors.
• Share anonymised data for JAG approved research projects.
• Carry out evaluation, audit, and service intelligence using anonymised data.
• Monitor provision of; access to; and quality of endoscopy training across the regions.
• Share anonymised data with appropriate stakeholder bodies including NHSE.

Patient/sensitive personal data

We do not require access to any patient identifiable data or any identifiable data which relates to employees of your service. JETS and NED only record patient age and gender from procedures performed by endoscopists.

As your service is recognised as the data controller for any patient and employee data you hold under GDPR legislation, it is your responsibility to ensure you process the data accordingly.

How we collect the data

The majority of our information about you is obtained directly from you online. Procedure information is collected by NED directly from endoscopy reporting systems. Agreement is obtained at service level for this data to be shared. If you are an assessor that has expressed an interest in being part of our assessment team, we may also capture your data via email.

We may also obtain your information when we use cookies on our websites (see below). JAG uses cookies to ensure you get the best experience on the website. If you wish to, you may change your browser settings at any time. Go to www.aboutcookies.org for information on how to do this.

What are Cookies

Cookies are small information files placed on your device and are used to improve services for you by:

• enabling the service to recognise your device so you do not need to give the same information repeatedly
• recognising when you have already given a username and password so that you do not need to do so for every subsequent web page you visit
• measuring how many people are using the services we provide, so we can make them easier and faster to use
• analysing data, anonymously, to help us understand how people interact with government services.

When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your computer, mobile phone or whatever device you are using to access the internet. This information is held in cookies. You can learn more about cookies from the article 'Internet Browser cookies - what they are and how to manage them'.

Cookies cannot be used to identify you personally.

For more information about how to remove cookies from your device, or how to block individual cookies from being received, please see the instructions and guidance at www.aboutcookies.org.

See below for further details about cookies you may encounter while visiting our websites. These details include what information is being held, how long you can expect it to be stored, and how your experience of our website will change if you block individual cookies from being sent to your device.

Cookies used by the JETS site are grouped into 3 categories shown below, a full list of the cookies used and their lifespan can be found here.

JETS Website

These cookies are required to use the JETS website, they support authentication and session management.

Google Analytics

Usage monitoring, these cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site.

The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from, the pages they visited and the technology they were using (browser, device information).

RECAPTCHA

We use the Google reCAPTCHA APIs as part of our services to help protect our clients and our systems from cyber spam and abuse. You acknowledge and understand that the reCAPTCHA API works by collecting hardware and software information, such as device and application data, and sending this data to Google for analysis. The information collected in connection with your use of the service will be used for improving reCAPTCHA and for general security purposes. It will not be used for personalised advertising by Google. You can find further details via this link https://support.google.com/recaptcha/?hl=en.

PayPal

These cookies are required to make PayPal payment for JETS certification.

Who do we share your information with and why?

We share your data with:

• JAG Unit Assessors: service and anonymised endoscopist level data is shared for the purpose of unit accreditation.
• Training accreditation assessors who are professionals working in the healthcare sector under contract to the RCP. We share your data with training assessors for them to liaise with you on progress of your training certification.
• Weblogik Ltd who are a Software Company under contract to the RCP to provide hosting and development of the programme websites, which is necessary for delivering the programmes.

The following individuals can also access your data through the JETS website:

• Training leads, clinical leads or nominated deputy of any trust(s) or organisation(s) you are a currently a member of.
• Trainers of any trust(s) or organisation(s) you are a currently a member of with whom you have set up a list on the system.
• Deaneries or equivalent appropriate regional training programme teams.
• Course administrators, centre leads and course faculty for courses you apply to.
• Regional Endoscopy Training Academy Directors and Programme Leads can access data to visualise trainee progress and training centre activity within their respective regions. This will also allow Academies to monitor training activity within the relevant Trusts.

The following individuals can also access your data through the NED website:

• Clinical leads or nominated deputy of any trust(s) or organisation(s) you are a currently a member of.
• Service level data will be shared with appropriate national NHS teams including NHSEI, NHS Wales and NHS Scotland and affiliated organisations such as Health Education England. Permission to share this data can be removed by contacting JAG.

Weblogik Ltd, all RCP assessors and other contractors are bound by the required legal and regulatory contractual clauses regarding confidentiality and data protection.

We do not share your personal data with any other organisations. We do share services’ NED compliance and data upload accuracy with JAG assessors and other appropriate individuals. Individuals can download and share their NED data with other individuals/organisations. Where this is done, they must reference the source as JAG - National Endoscopy Database.

In addition to this, users and endoscopists can give permission for their NED data to be accessed by other nominated organisations. If data is to be used for research or publications, permission must be granted by JAG Research Committee.

Research

JAG uses anonymous data for research provided the application for data is deemed appropriate by the JAG research committee. This may include the use of evidence provided for the purpose of service accreditation. All research outputs are published so that learning can be taken forward by endoscopy services. Individual services are not identifiable in any research outputs.

How long we keep your data and why

The JAG programmes keep data relating to your account indefinitely. This is because the data is used for audit and research purposes to continually improve quality of training provision. Any user logins can be deleted upon request from the individual or appropriate service lead.

If you are an assessor and your contract has ended, financial and contractual records will be retained in line with financial law and regulation for at least seven years after the end date. We will maintain some data such as your name and tenure on our assessor database for reference. Some personal data, such as your name and title, will continue to be available in historic assessment reports and historic comments on the website.

Your rights relating to your personal data:

If you are working with us an assessor, or have any of your data captured within JETS or NED, you have the following rights:

• access to your data (Article 15)
• have a copy in a standard format (Article 20)
• restrict the use of your personal data (Article 18)
• stop your personal data being used (Article 21)
• have personal data deleted (Article 17)

You have the right to access information which identifies you as a living person, held on RCP systems (Article 15). You also have the right to a copy of your data in a standard format, where technically possible (Article 20). For more information, please contact the data protection officer.

You have the right to ask us to restrict the use of your data (Article 18), stop your data being used (Article 21) or have your data deleted (Article 17). All requests will be judged on a case-by-case basis, we may refuse a request if it is incompatible with our requirements or if it will impact on our ability to deliver our service. We will approve all requests that do not impact on our ability to deliver services.

Where do we keep your data?

The RCP hosts your data upon servers located within the EU, in accordance with current recommended data governance practices in the UK.

How do we protect your data?

We ensure that there are appropriate and operational measures in place to protect your personal data, in alignment with the requirements of Cyber Essentials and the Data Security Protection Toolkit.

We have appropriate technical controls in place to protect your personal data including:

• The RCPs external network perimeter is protected via dual boundary firewalls.
• Anti-virus and malware software/solutions have been deployed to all networked computers.
• All networked systems use password-based authentication. Passwords must conform to a controlled standard.
• Networked systems are monitored externally via a managed SIEM solution, which provides real-time analysis of security alerts generated by applications and network hardware.
• Vulnerability scanning on all internal and external systems is carried out daily.
• Mobile and removable devices are encrypted in line with organisation policy. Mobile smart devices can be remotely wiped on demand.

We have appropriate operational measures in place to protect your personal data and undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors. Unstructured data is monitored via a third-party solution designed for this express purpose and any changes to file permissions generates an alert.

We have a robust audit framework in place to ensure internal and external measures and obligations are in place and being maintained.

We have appropriate contractual measures in place to protect your personal data as outlined below:

• Where we have contracted third parties to support us in the delivery of the accreditation programme a contract is in place that sets out our expectations and requirements, especially regarding how they manage the personal data they process on our behalf or have access to.
• Third parties are asked to complete a bespoke data security framework toolkit as part of the procurement process, which checks that they have the capability to meet the required standards when handling or processing RCP owned data.
• Third parties invited to work on our systems are asked to complete a non-disclosure agreement, prior to accessing RCP information systems.

Who to contact at the RCP and how to complain

If you have any concerns about how your personal data is being collected and processed, or wish to exercise any of your rights detailed in this Privacy Notice please contact:

Email: askjets@rcp.ac.uk

The RCP Data Protection Officer

Email: dataprotection@rcp.ac.uk

Tel: +44 (0)20 3075 1505

If you are not satisfied with how your information is managed by the RCP, you have the right to complain to the Information Commissioner Office.

The ICO can be contacted at https://ico.org.uk/global/contact-us/

Concerns can also be logged via the ICO website https://ico.org.uk/concerns

Future Changes

If our information practices change, we will update this statement to reflect that. Regularly reviewing this information ensures you remain aware of what data we hold and use.

This Privacy Notice was last updated on 5 April 2024.