Working with doctors Working for patients

Data protection

Introduction

Under the Data Protection Act 1998 the GMC is known as a 'data controller'. This means we're an organisation that controls how we collect, record, and use personal information, or as the Act calls it, 'personal data'.

Personal data is information about an identifiable living person. The person who the personal data is about is called a 'data subject'. The Data Protection Act does not cover information about people who have died.

As a data controller, we must comply with certain rules of good information handling, more commonly known as the eight data protection principles. You have the right to expect us to make sure personal data is:

  • processed fairly and lawfully
  • gathered for specific and lawful purposes
  • adequate, relevant and not excessive for those purposes
  • accurate and kept up to date
  • not kept for longer than necessary
  • processed in line with your rights as a data subject
  • kept secure
  • not transferred abroad unless it's to countries with adequate data protection laws.

Your rights under the Data Protection Act

You have the right to:

  • find out what information we hold about you on computer and in some paper records
  • ask us to stop processing your personal data if the processing will cause you or somebody else any unjustified damage or substantial distress
  • require us not to use your personal data for direct marketing
  • claim compensation if you have suffered damage and distress as a result of us failing to comply with the Act
  • ask the Information Commissioner to investigate and assess whether we have breached the Data Protection Act. View the Information Commissioner’s contact details.

If you want to exercise any of these rights or would like to talk to us about them, please contact us.

How can I see personal data you hold about me?

A request to see your personal data is called a subject access request. We're allowed to charge you a fee of £10 before we send you the information.

You're entitled to be:

  • given a description of the personal data in question
  • told what we are using your personal data for
  • told the people, or types of people, we have shared your personal data with
  • given a copy of any personal data with any acronyms or codes explained
  • given any information available to us about the source of the personal data.

Please send your request to us in writing us describing the information you want, together with a cheque or postal order for the £10 fee. We can't accept the payment electronically. Post your request to:

Information Access team

General Medical Council

3 Hardman Street

Manchester

M3 3AW

We will look at your request as quickly as possible, normally within the 40-day limit set by the Data Protection Act. The 40 days start after you have paid the fee. We may also ask you to send proof of your identity.

Information we can't give you

There are a number of exemptions under the Data Protection Act which may mean we can't give you some of the information you want. Some examples of these exemptions are:

  • personal data about somebody else or information that would identify somebody else
  • information that might affect the way we carry out our regulatory activities
  • information that carries legal professional privilege
  • examination scripts
  • crime and taxation (if disclosure could affect matters such as the prevention or detection of crime).

If your personal data includes other information that would not be appropriate to release to you (for example, other people’s information), we will blank this out. This means that you might receive documents that have blanked-out sections.

If we can't give you your personal data, we will tell you why it has been withheld unless the Data Protection Act also exempts us from having to confirm or deny its existence.

Find out more

For more information about the Data Protection Act and its principles you can: