UPDATED: May 25, 2018
Our Commitment to Privacy
The National Resident Matching Program® (NRMP®) uses your Personal Data to provide our Matching Program Services to you and to engage in research for specific, defined purposes. NRMP takes very seriously its responsibility to protect the safety and security of its websites and mobile application and all information collected through them. We recognize that users of our websites and participants in NRMP surveys may have questions about how and why this information is collected. This Privacy Statement explains what kinds of information we collect and how we use and disclose this information in connection with the Services offered by NRMP. This Privacy Notice also describes your and our legal rights and responsibilities with respect to information which identifies you or which could be used to identify you, including your name and contact details, your Association of American Medical Colleges identification number or NRMP identification number, and your user account information, all of which we call “Personal Data” in the text below. It also may include information about how you use our websites and mobile applications that are part of the Services.
This Privacy Statement is part of the Match Participation Agreement that governs your access to and use of our Matching Program. We will refer to access, use, transmission, and exchanges of information, availability or utilization of features, functions or activities, simply as “use” in the material below.
We are the data controller of the data that we collect from you, and we control the ways your Personal Data are collected and the purposes for which your Personal Data are used. NRMP recognizes it has a responsibility to treat with care the Personal Data it collects about you arising from use of our Services and to respect your privacy relative to Personal Data that may be sensitive. To meet those obligations, NRMP has developed policies designed to prevent the disclosure, compromise, and unauthorized use of Personal Data without the permission of the individual involved, to limit the distribution of Personal Data to those situations that require it in order to perform our obligations related to your use of our websites, and to permit distribution of non-Personal Data such as directory information whenever a useful purpose can be served. Our registered address is 2121 K Street NW, Suite 1000 Washington, DC 20037. We are registered as a private, non-profit organization in the United States.
ACCEPTANCE OF PRIVACY NOTICE
By using NRMP’s Services, including its websites and mobile applications, you signify your acceptance of this Privacy Notice. If you do not agree to the terms of this Privacy Notice, please do not use NRMP’s Services. Your continued use of NRMP’s Services following the posting of changes to this Privacy Notice will mean that you accept those changes.
WHAT PERSONAL DATA WE COLLECT
As part of its Matching Program, NRMP collects certain Personal Data to provide you with Services and to engage in research for specific, defined purposes. NRMP processes Personal Data received from a range of sources, including but not limited to medical students/graduates, medical schools, medical licensing authorities, graduate medical education programs, credentialing agencies, and other third parties in connection with the Services offered by NRMP. Depending on how you use our Services, the data we collect includes, but is not limited to, the following kinds of information about you.
We collect your name, date of birth, the last four digits of your social security number (optional), identification numbers, contact information (email address, telephone number, address), institutional affiliation, and other biographical information like birth country, city, and citizenship status when you create a user account in our password-protected website, the Registration, Ranking, and Results® (R3®) system; when you update your personal information; when you register for a Match with the National Resident Matching Program; or when you submit a rank order list. We also collect your name, email address, contact information (email address, telephone number, address), employment history, and list of references when you apply for a job at NRMP.
We collect your education, training, registration/licensure information, and professional and employment information when you create a user account in our password-protected website, the Registration, Ranking, and Results (R3) system.
We collect a record of communication(s) we have with you (such as emails, letters, telephone calls, messages sent to us through our social media platforms, feedback) when you contact us, when we contact you, or when you respond to our requests for feedback.
We collect your payment card details when facilitating payment by credit card. Your card details are transmitted to our third party payment processor and protected in accordance with best industry practices.
We collect information about your preferences when you participate in our Matching Program and when we conduct surveys for specified educational and research purposes.
We collect your Internet Protocol (“IP”) address and web log data when you browse our websites.
AUTOMATICALLY COLLECTED DATA AND ANONYMOUS INFORMATION
Each time you visit NRMP’s websites, NRMP, its partners, and/or vendors collect information to improve the overall quality of your online experience.
NRMP collects data for internal reporting and counts, tracks, and aggregates the visitor’s activity for the purpose of analysis of general traffic flow and feature usage related to NRMP websites. To those ends, NRMP may include information about you in aggregated group data. NRMP may remove personal identifiers from Personal Data or may use pseudonymization to disassociate the individual from the Personal Data, allowing statistically accurate analysis of data without exposing any individual’s identity. Such anonymous data may be shared with NRMP affiliates, business partners, service providers and/or vendors; if it does so, NRMP will not disclose your individual identity.
Web Server Logs and IP Addresses
An IP address is a number that automatically identifies the computer or device you use to access the Internet. The IP address enables our server to send you the web pages that you want to visit, and it may disclose the server owned by your Internet Service Provider. NRMP may use IP addresses to conduct analyses and performance reviews and to administer the websites, and also may use other information provided by you or your browser for purposes such as enabling support for applications and services being used.
HOW WE USE YOUR PERSONAL DATA
We can use your Personal Data only if we have a justification for doing so. According to the law, we can use your Personal Data only for one or more of these reasons:
- To fulfill a contract we have with you, or
- If we have a legal duty to use your data for a particular reason, or
- When you consent to it, or
- When it is necessary to protect your vital interests or that of another person, or
- When it is necessary for the performance of a task carried out in the public interest, or
- When it is in our legitimate interest.
Legitimate interests are our business or commercial reasons for using your data, but even so, we will not unfairly place our legitimate interests above what is best for you. Below, we have detailed the different ways we use your Personal Data and the reasons for using it.
NRMP processes your Personal Data in order to comply with legal and regulatory obligations, contractual obligations, requests by you or on your behalf to provide our Matching Program Service to you, and for other purposes for which NRMP has a legitimate interest or other lawful basis including but not limited to: (i) keeping our records up to date (ii) providing NRMP Services to you; (iii) maintaining or administering the Services, performing business analyses, or for other internal purposes to improve the quality of our business and the Services we offer; (iv) preventing fraud and financial crime to protect the public; (v) communicating with you concerning programs or services consistent with NRMP’s obligations to provide those services or otherwise; (vi) participating in litigation, investigations, regulatory or governmental inquiries, or for other legal or regulatory purposes involving NRMP applicants who use or have used NRMP Services and programs or other third parties; (vii) research; and (viii) satisfying other legitimate business interests.
Data Collection for Educational Research
In addition to using it for our Matching Program, your Personal Data also may be used by NRMP for educational research, for verification purposes, or under restricted conditions by third parties as explained below in “Sharing Your Data With Third Parties”.
NRMP surveys are collect data for educational and research purposes, including reporting to NRMP constituents and providing summary information to the U.S. Congress and other federal and state policymakers. From time to time, NRMP may contact you to participate in such a survey. Whenever NRMP conducts research using personally identifiable data (human subjects research), that research is reviewed by an external (to NRMP) institutional review board whose responsibility is to protect your interests.
NRMP reserves the right to use Personal Data in its databases to confirm the identity of parties who may have made or attempted to make unauthorized or inappropriate use of NRMP’s Services or assets or who may be a threat to public safety including but not limited to denial of service attacks, unauthorized use of NRMP services, systems and/or networks, inappropriate email list activity, unauthorized use or distribution of NRMP intellectual property, or threats to the safety or privacy of the public. Contact information will be used to provide notice to the offending individuals, and in such cases Personal Data may be given to law enforcement agencies if warranted or required by law.
How We Use Your Data To Personalize the Service We Offer
Email addresses, aggregate information about which pages visitors access, and information volunteered by website visitors—such as user survey responses and website registrations—are used to improve the content of the NRMP website. Some portions of our website collect information using cookies or similar tracking technologies to improve your experience and to help us administer, operate, and manage our website more efficiently.
SHARING YOUR DATA WITH THIRD PARTIES
We share some of your data with, or obtain data from, the following categories of third parties:
- NRMP will share certain Personal Data about applicants who use its Services with (a) any U.S. or international governmental department or agency, including regulatory authorities with a legitimate interest in the Personal Data; (b) any organization with your approval; (c) any other organization where NRMP has a legitimate interest in doing so including but not limited to when NRMP must verify information relating to applicants; (d) any other organization or individual if NRMP is satisfied that the third party has a legitimate interest in such information including but not limited to when there is a need for those third parties to update and maintain their databases, to provide services to or for applicants, or to conduct research or analyses of the international medical graduate (IMG) workforce; and for (e) other purposes in support of NRMP ‘s mission.
- Disclosures to third parties who assist us in our operations: We may share your Personal Data under confidentiality agreements and any required data processing agreements with other companies that work with or on behalf of NRMP to provide products and services such as, but not limited to, those who provide (i) email or mail solutions; (ii) payment processing solutions, such as Authorize.net; (iii) cloud hosting services; (iv) analysis of usage of NRMP websites; (v) support and maintenance services for NRMP websites such as LiveChat; (vi) services to assist us in processing employment applications; (vii) services to assist with credentialing operations including but not limited to identity verification, translations services, and investigative firms; and (viii) surveys such as Survey Gizmo. We also may share your Personal Data with our legal, regulatory, audit, and other professional advisors. Those companies may use your Personal Data to assist us in our operations consistent with our legitimate business interests. However, those companies do not have any independent right to share the information. We will make sure that our suppliers respect your Personal Data and comply with data protection laws.
- Any other organizations: Personal Data will be shared with any other organizations with your approval or where NRMP has a legitimate interest in doing so, including but not limited to when NRMP must verify information relating to applicants; where NRMP is satisfied that the third party has a legitimate interest in such information, including but not limited to where there is a need for those third parties to update and maintain their databases, to provide services to or for applicants, or to conduct research or analyses of the international medical graduate (IMG) workforce; and for other purposes in support of NRMP’s mission.
- Disclosures under special circumstances. We may provide information about you, including Personal Data, to respond to subpoenas, court orders, legal processes, regulatory authority investigations, or governmental regulations or inquires, or to establish or exercise our legal rights or defend against legal claims, or when we believe it is necessary to share such information in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or as otherwise required by law or to protect the public.
NRMP shares both non-personal and Personal Data with those parties under certain limited restrictions including requirements to keep the Personal Data confidential, destroy the Personal Data once it no longer is needed for the intended purpose (except for applications to medical education institutions), and to prevent unauthorized release of Personal Data. NRMP conducts such exchanges in a secure manner designed to protect against access by unauthorized parties. Rank order list information is never shared with third parties, except under court order or in response to a subpoena issued by a court of competent jurisdiction. Other than for the specific purposes noted in this Privacy Statement or in any terms and conditions that otherwise apply to you, we do not share Personal Data and we never use or share any of your Personal Data for advertising or marketing purposes.
HOW LONG WE KEEP YOUR DATA
If the services provided are intended to protect the public, for example through the assurance of an individual’s qualification through NRMP’s verification services, NRMP has a legitimate interest in retaining this information and will do so in accordance with its data retention policy.
For other services, we keep your Personal Data only for as long as is reasonably necessary to achieve the purposes for which it was collected, whether that is to provide services to you, for our own legitimate interests (described above), or so that we can comply with the law.
We will actively review the information we hold and when there no longer is a user, legal, or business need for us to hold it, we will either delete it securely or in some cases irreversibly anonymize it. When we delete any information, it will be deleted from our active databases but may remain in our archives.
HOW WE PROTECT YOUR DATA
To prevent unauthorized access, maintain data accuracy, and facilitate the correct use of Personal Data obtained through our website, we have put in place appropriate physical, technical, and operational measures to safeguard and secure the Personal Data we collect online against unauthorized access, unlawful use, accidental loss, corruption, or destruction.
We also use operational measures to protect the data, for example by limiting the number of people who have access to the databases in which your Match results information is held. Access to Personal Data is restricted to NRMP staff members and third party service providers who require the access for specific purposes, such as helping us provide services to you or performing research.
We use technical measures such as encryption and password protection to protect your data and the systems where they are stored. However, messages you send to us through the Internet or otherwise electronically may not be secure. We recommend that you do not send any confidential information to us by email. If you choose to send confidential information to us, you accept the risk that a third party may intercept this information.
LOCATION OF YOUR DATA / DATA TRANSFER
NRMP is located in the United States (“U.S.”) and is subject to the applicable laws of the United States (where data privacy laws are less stringent than in the European Union and some other jurisdictions). We will store and process information we receive about you, as described in this Privacy Statement, in the U.S.
When we receive your Personal Data, your Personal Data may be transferred, processed, and stored outside of your country of origin, including the United States for the purposes described in this Privacy Statement. Some of the recipients of Personal Data as specified above may be located in countries (including the United States) that do not provide a level of data protection equivalent to that set forth by the European Union and some other jurisdictions.
If you choose to access or use the Services offered by NRMP, you consent to the transfer, use, and disclosure of information in accordance with this Privacy Notice and subject to such applicable laws.
If we do transfer Personal Data outside the U.S., we will make sure that it is protected in the same way as if it were being used in the U.S. We will use one of the following safeguards to ensure your information is protected:
- Transfer the data to a non-EEA country that has privacy laws at least as protective as those within the EEA, or
- Put in place a contract with the recipient of the data, which means the recipient must protect the data to the same standards as required within the EEA, or
- Transfer it to organizations that are part of the Privacy Shield. The Privacy Shield is a framework that sets out the standards for data to be sent between the United States and European countries. The Privacy Shield ensures that data are protected to the same standards as used within the EEA.
By submitting any Personal Data or by using our websites and mobile application and without limitation to any other rights or obligations we have, you consent to such transfer to and processing in the United States and these other countries and you acknowledge that your information may be subject to access by law enforcement and other government entities including courts and tribunals, in accordance with laws applicable in those jurisdictions.
YOUR RIGHTS OVER YOUR PERSONAL INFORMATION
If the services provided are intended to protect the public, for example through the assurance of an individual’s qualifications through NRMP’s verification services, then in accordance with NRMP policies and procedures you may not have a right to erasure of your Personal Data, to restrict processing of your Personal Data, or to object to the processing of your Personal Data.
For other services, in accordance with NRMP’s policies and procedures you have the right to review, verify, correct, and request erasure of the Personal Data that we hold about you under certain circumstances. You also have the right to limit, restrict, or object to the processing of your Personal Data under certain circumstances. You may also have the right to request that we transfer your Personal Data to another party to the extent provided for under applicable data privacy laws.
Access to your Personal Data is available through your NRMP login credentials (username and password). When you register for an NRMP Match, you have an opportunity to correct or update most information you have provided using our website. If you are an existing NRMP registered participant, you can log in to your NRMP account to update the details held there. In the alternative and in some cases to correct and update certain types of information (e.g., date of birth, name), you may contact NRMP directly at the address below to report corrections, or to limit, restrict, or object to the processing of your data.
If you gave us your consent to the collection and processing of your Personal Data, you have the right to withdraw your consent for that specific processing by individual newsletter and / or email list. Information about how to prevent your data from being used for research purposes is set out under the heading “Data Collection For Educational Research”. Please note that even if you withdraw your consent, we can still rely on the consent you gave as the lawful basis for processing your data before you withdrew your consent.
You can object to our use of your data where we rely on our legitimate interests to do so. We explained the legitimate interests under the heading How We Use Your Personal Data.
If you want to review, verify, correct, or request erasure of your Personal Data; limit, restrict, or object to the processing of your Personal Data; or request a transfer of your Personal Data to another party, please contact us at email@example.com or write to us at National Resident Matching Program, ATTN: Data Protection, 2121 K Street NW, Suite 1000, Washington, DC 20037. To protect your privacy and security, we also will take reasonable steps to verify your identity before granting access, making corrections, or following such a request to correct or delete your data.
When you contact us, we will respond as soon as possible and where possible within one month. If your request is more complicated, it may take longer to respond to you, but we will respond within two months of your request. There is no charge for most requests, but if you ask us to provide a significant amount of data, for example, we may ask you to pay a reasonable administrative fee. We also may ask you to verify your identity before we provide any information to you.
Protecting Your Personal Information Online
Although NRMP takes measures designed to protect your Personal Data in its systems, you also must be vigilant in protecting access to your information online and assume responsibility for protecting Personal Data. Treat your user names and passwords with care. Do not share them or enter them into fraudulent sites. Be aware that the legitimate NRMP website is “nrmp.org”. Do not conduct NRMP business with any site that does not contain that address.
If you have any complaints concerning NRMP’s processing of your Personal Data, please email us at firstname.lastname@example.org or write to us at National Resident Matching Program, ATTN: Data Protection, 2121 K Street NW, Suite 1000, Washington, DC 20037.
Please note that you have the right to lodge a complaint with the supervisory authority that is responsible for the protection of Personal Data in the country where you live or work, or in which you think a breach of data protection laws might have taken place.
Customers in the United Kingdom can contact the Information Commissioner’s Office by telephone on 0303 123 1113, or by using the live chat service that is available through the Information Commissioner’s website www.ico.org.uk.
If you have any questions, comments, requests, or concerns related to this Privacy Statement, please contact the NRMP at email@example.com or at:
National Resident Matching Program
2121 K Street, NW
Washington, DC 20037
CHANGES TO THIS PRIVACY STATEMENT
NRMP has the right, at any time and from time to time, to make changes to this Privacy Statement. If the changes are material, we will provide at least 30 days’ notice. Any changes to this Privacy Statement will be posted on this website and will be effective when posted unless another date is referenced in the notice. We recommend you check the Privacy Statement on a regular basis so that you know the current terms and conditions that apply to you. If you use our website after any changes are effective, you are agreeing to comply with and be bound by them.