Under the Data Protection Act 1998 (or DPA) the GMC is known as a “Data Controller”. This means we are an organisation that controls how we collect, record, and use personal information, or as the Act calls it, “personal data”.
Personal data is information about an identifiable living person. The person who the personal data is about is called a “Data Subject”. The DPA does not cover information about deceased people.
As a data controller we must comply with certain rules of good information handling, more commonly known as the eight data protection principles. You have the right to expect us to ensure that personal data is:
- processed fairly and lawfully
- obtained for specific and lawful purposes
- adequate, relevant and not excessive for those purposes
- accurate and where necessary, kept up to date
- not kept for longer than is necessary
- processed in accordance with your rights as a data subject
- kept secure
- not transferred abroad unless to countries with adequate data protection laws
Your rights under the DPA
You have the right to:
- find out what information we hold about you on computer and in some paper records
- ask us to stop processing your personal data if the processing will cause you or somebody else any unjustified damage or substantial distress
- require us not to use your personal data for direct marketing
- claim compensation if you have suffered damage and distress as a result of us failing to comply with the Act
- ask the Information Commissioner to investigate and assess whether we have breached the Data Protection Act. Click here for the Information Commissioner’s contact details.
If you want to exercise any of these rights or would like to talk to us about them generally please contact us.
Make a subject access request
If you want to make a request to see your personal data this is called a subject access request and we are allowed to charge you a fee of up to £10 before providing the information to you.
You are entitled to be:
- given a description of the personal data in question
- told for what purposes we are using your personal data
- told the people, or types of people we have disclosed your personal data to
- given a copy of any personal data with any acronyms or codes explained
- given any information available to us about the source of the personal data
There are a number of exemptions under the DPA which may mean we are unable to disclose some of the information you want. Some examples of these exemptions are:
- Personal data about somebody else or information that would identify somebody else
- Information that may prejudice the way we carry out our regulatory activities
- Information that attracts legal professional privilege
- Examination scripts
- Crime and Taxation (if disclosure could prejudice matters such as the prevention or detection of crime)
If your personal data has other information amongst it that would not be appropriate to release to you (for example, other people’s information), we will blank out or “redact” this. This means that you might receive documents that have blanked-out sections.
If we are unable to give you your personal data we will tell you why it has been withheld unless the DPA also exempts us from having to confirm or deny its existence.
Please send your request in writing to us together with the £10 fee describing the information you want. Our contact details are under the Contact us section. It would be helpful if you could clearly mark your mail “Subject Access Request”.
We will deal with your request as quickly as possible, normally within the 40 calendar days limit set by the DPA. The 40 days will start after payment of the fee. You may also be asked to supply proof of your identity.
For more information about the Data Protection Act and its principles you can: