Data subject specific personal data use
Registered doctor or prospective registrant
Registrant means a currently registered doctor, former doctor or potential registrant.
Registration information
Why we hold it
We are required under law, including the Medical Act 1983, to keep a register of medical practitioners. We make sure that doctors on the register are suitably qualified.
We hold contact information so that we can contact doctors about their registration, revalidation, annual retention fee payment and fitness to practise matters. We also contact doctors with relevant news, such as new guidance or standards.
What we hold
We hold information about practitioners who are registered with us. We also hold information about practitioners who apply for registration, and those who are no longer registered.
For registration and revalidation purposes we hold information about a doctor’s nationality, qualifications, employment history, and other relevant evidence in support of their application for registration. We process recommendations, annual returns and revalidation assessment results in relation to a doctor’s revalidation.
We hold data about a doctor’s health and criminal convictions if they have told us this information as part of their application or appraisal.
When a potential registrant applies for registration as an international medical graduate, we verify their primary medical qualification and, if relevant, their post graduate qualification. The verification process is carried out on our behalf by an external organisation and may require data to be transferred outside the European Economic Area. We receive confirmation of the verification, or information about any concerns raised through the process.
If a practitioner has undergone any Professional and Linguistic Assessments Board (PLAB) test, we will hold information about their assessment history and scores.
We hold contact information about doctors, and depending on how they pay their Annual Retention Fee, we may also hold bank account or credit card information.
We hold information about fitness to practise incidents which take place while a student is at a UK medical school. This information is provided by students and universities when the student is applying for provisional registration.
How we share it
We are required to make some of this information publicly available on the medical register. Organisations can subscribe to download the medical register and view a full list of fields included in the download file. The published medical register and the download file do not contain doctors’ contact details.
We share non-public registration information with relevant third parties when it is necessary to assist them with their functions or legitimate interests. Third parties include UK health departments, employers, designated bodies, responsible officers, suitable persons and other bodies where appropriate. This information may include date of birth, photograph, passport details, registered email address, registered address and whether a doctor is being investigated under our fitness to practise procedures.
We may share personal data for audit or research purposes to ensure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more under the Research and audit section of this privacy notice.
You can find more information about how we publish registration information, in our Registration and revalidation publication and disclosure policy.
Digital identity checks
Why do we do identity checks?
We check the identity of anyone who wants to join or be restored to our register to comply with our statutory obligations in the Medical Act 1983. We do this to protect doctor identities, to make sure no one can falsely use their information, and to protect the public.
What is Digidentity?
We’ve partnered with Digidentity to carry out digital identity checks on our behalf.
During your Digital Identity Check with Digidentity, you will be asked to use the Digidentity app to scan a valid identity document using your smartphone. If you would prefer not to use the Digidentity app, you can choose to have an in-person identity check at our London office. We’ll email you with more information about booking an appointment.
What type of data will be collected during your Digital Identity Check?
During your digital identity check with Digidentity, you will be asked to take a photograph of your identity document (or read the embedded NFC chip if present) using the Digidentity app.
We will accept the following identity documents for your digital identity check:
- Passport
- Full UK driving licence
Digidentity will use the data from the photograph and NFC chip if your document has one.
You will also be asked to take photographs of your face, known as a ‘liveness check’.
Digidentity are a ‘data controller’ in their own right, meaning that you will register and complete your identity check with them, and they will have responsibility and control over the data that you provide. For more information, please see Digidentity's privacy statement.
Alongside the data provided to us by Digidentity, the GMC will also process your name, GMC reference number, and the email address that we have on our records.
How is your identity confirmed?
There are two stages to the process:
- Digital identity check by Digidentity
- Manual check by the GMC
Once you have completed your digital identity check, you will need to provide consent within the app for Digidentity to share your provided data with the GMC. In addition to the automated check performed by Digidentity, the GMC will perform a manual identity verification on the evidence provided. We’ll also check that the data matches your registration application.
If we can’t verify your documents, or if your photographs aren’t clear, we may need you to complete another digital identity check. In this case, we’ll email you with further information. In some cases we may ask you to visit our office in person, for example if we haven’t been able to confirm your identity after a number of attempts. If we ask you to visit our office, we’ll provide a clear explanation as to why this is required.
Who will have access to your identity information?
In order to review and manually check your data, the data collected during your identity check will be shared with the GMC and securely stored in our internal database. Your data will only be accessed by GMC staff members who require it for their role.
Data about whether or not you have completed your check may be shared with your responsible officer. If you are a UK medical student/graduate, we will share data about whether or not you have completed an ID check with your medical school.
Your data won’t be shared with anyone else, with the exception of the photograph taken during your liveness check, which we may disclose, on request, to employers as part of pre-employment checks.
How long will we keep your identity information?
The GMC will keep your identity check information and the outcome of your identity check permanently, in line with our retention and disposal policy.
What rights do you have with your data?
Find out more about your rights under the UK General Data Protection Regulation (UK GDPR) for the information that the GMC holds about you in our privacy policy.
Who should you contact if you have questions about digital identity checks?
You can email our Contact Centre or speak to one of our advisers.
Fitness to practise investigations and sanctions information
Why we hold it
We have a statutory remit which empowers us to investigate when we believe a doctor poses a serious risk to patients or has significantly or repeatedly failed to meet our standards.
What we hold
We hold information about fitness to practise concerns, investigations of concerns, records of hearings, and records of the outcome of our investigations, including sanctions and warnings.
We hold information about patients, including medical records, where it has been provided as part of a complaint or is necessary for our investigation.
We hold information about doctor’s health and criminal convictions where it is relevant to the concern that we’re considering.
We have the power to require the disclosure of information, including medical records if necessary.
How we share it
The Medical Act empowers us to share information about fitness to practise investigations with employers, government departments and organisations that oversee our work.
During an investigation we may disclose details of the investigation to other organisations or individuals where it is necessary for us to carry out our statutory functions.
Fitness to practise sanctions are published on a doctor’s record on the online medical register. Further information about hearings and sanctions issued by a tribunal is published on the MPTS website. You can find more information about how we publish fitness to practise information, including relevant time periods, in our Fitness to practise publication and disclosure policy.
We have a legal duty to make referrals to the Disclosure and Barring Service (DBS) and Disclosure Scotland (DS) if the criteria are met under either the Safeguarding Vulnerable Groups Act 2006 or the Protection of Vulnerable Groups (Scotland) Act 2007. This involves disclosing tribunal hearing bundles and, where necessary, other relevant information to enable the DBS or DS to consider the referral. We also have a statutory duty to supply any information that is requested by the DBS or DS under this legislation.
We may share personal data for audit or research purposes to make sure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more under the Research and audit section of this privacy notice.
We share information about recent sanctions with bodies in the UK and abroad who have a legitimate or statutory interest in this information.
Physician associate or anaesthesia associate
Registered physician associate, registered anaesthesia associate, or prospective registrant
Registrant means a currently registered physician associate (PA) or anaesthesia associate (AA), former PA or AA, or potential registrants including students.
Registration Information
Why we hold it
We are required under law, including the Anaesthesia Associates and Physicians Associates Order (AAPAO) to keep a register of PAs and AAs. We make sure that PAs and AAs on the register are suitably qualified.
We hold contact information so that we can contact PAs and AAs about their registration, revalidation, annual fee payment and fitness to practise matters. We also contact PAs and AAs with relevant news, such as guidance or standards.
What we hold
We hold information about PAs and AAs who are registered with us. We also hold information about PAs and AAs who apply for registration, and those who are no longer registered.
For registration purposes, we hold information about PAs and AAs nationality, qualifications, employment history and other relevant evidence in support of their application for registration.
We hold data about PAs and AAs health and criminal convictions if they have given us this information as part of their application or appraisal.
When a potential registrant applies for registration with an international qualification, we verify their qualification. The verification process is carried out on our behalf by an external organisation and may require data to be transferred outside the European Economic Area. We receive confirmation of the verification, or information about any concerns raised through the process.
We hold contact information about PAs and As and depending on how they pay their annual fee, we may also hold bank account or credit card information.
We hold information about fitness to practise incidents which take place while a student is enrolled in a UK PA or AA course. This information is provided by students and PA and AA Course providers when the student is applying for registration.
How we share it
We are required to make some of this information publicly available on the register of PAs and AAs.
We share non-public registration information with relevant third parties when it is necessary to assist them with their functions or legitimate interests. Third parties include UK health departments, organisation which employ and/or contract with PAs and AAs, other regulators both in the UK and internationally, and other bodies where appropriate. This information may include date of birth, ID photograph, passport details, contact details and whether a PA or AA is being investigated under our fitness to practise procedures.
We may share personal data for audit or research purposes to ensure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more about this under the Research and audit section of this privacy notice.
You can find out more information about how we publish registration information, in our PAs and AAs registration publication and disclosure policy.
Digital Identity Checks
Why do we do identity checks?
We check the identity of anyone who wants to join or be restored to our register to comply with our statutory obligations in the AAPAO. We do this to protect PA and AA identities, to make sure no one can falsely use their information, and to protect the public.
What is Digidentity?
We’ve partnered with Digidentity to carry out digital identity checks on our behalf.
During your Digital Identity Check with Digidentity, you will be asked to use the Digidentity app to scan a valid identity document using your smartphone. If you would prefer not to use the Digidentity app, you can choose to have an in-person identity check at our London office. We’ll email you with more information about booking an appointment.
What type of data will be collected during your Digital Identity Check?
During your digital identity check with Digidentity, you will be asked to take a photograph of your identity document (or read the embedded NFC chip if present) using the Digidentity app.
We will accept the following identity documents for your digital identity check:
- Passport
- Full UK driving licence
Digidentity will use the data from the photograph and NFC chip if your document has one.
You will also be asked to take photographs of your face, known as a ‘liveness check’.
Digidentity are a ‘data controller’ in their own right, meaning that you will register and complete your identity check with them, and they will have responsibility and control over the data that you provide. For more information, please see Digidentity's privacy statement.
Alongside the data provided to us by Digidentity, the GMC will also process your name, GMC reference number, and the email address that we have on our records.
How is your identity confirmed?
There are two stages to the process:
- Digital identity check by Digidentity
- Manual check by the GMC
Once you have completed your digital identity check, you will need to provide consent within the app for Digidentity to share your provided data with the GMC. In addition to the automated check performed by Digidentity, the GMC will perform a manual identity verification on the evidence provided. We’ll also check that the data matches your registration application.
If we can’t verify your documents, or if your photographs aren’t clear, we may need you to complete another digital identity check. In this case, we’ll email you with further information. In some cases we may ask you to visit our office in person, for example if we haven’t been able to confirm your identity after a number of attempts. If we ask you to visit our office, we’ll provide a clear explanation as to why this is required.
Who will have access to your identity information?
In order to review and manually check your data, the data collected during your identity check will be shared with the GMC and securely stored in our internal database. Your data will only be accessed by GMC staff members who require it for their role.
Your data won’t be shared with anyone else, with the exception of the photograph taken during your liveness check, which we may disclose, on request, to employers as part of pre-employment checks.
How long will we keep your identity information?
The GMC will keep your identity check information and the outcome of your identity check permanently, in line with our retention and disposal policy.
What rights do you have with your data?
Find out more about your rights under the UK General Data Protection Regulation (UK GDPR) for the information that the GMC holds about you in this privacy notice.
Who should you contact if you have questions about digital identity checks?
You can email our Contact Centre or speak to one of our advisers.
Fitness to practise
Why we hold it
We have a statutory remit which empowers us to investigate when we believe a PA or AA poses a serious risk to patients or has significantly or repeatedly failed to meet our standards.What we hold
We hold information about fitness to practise concerns, investigations of concerns, records of hearings, and records of the outcome of our investigations.
We hold information about patients including medical records, where it has been provided as part of a complaint or is necessary for our investigation.
We hold information about PAs and AAs health and criminal convictions where it is relevant to the concern that we’re considering.
We have the power to require the disclosure of information, including medical records if necessary.
How we share it
The AAPAO empowers us to share information about fitness to practise investigations with employers, government departments and organisations that oversee our work.
During an investigation we may disclose details of the investigation to other organisations or individuals where it is necessary for us to carry out our statutory functions.
Fitness to practise outcomes are published on PA and AA records on the register. You can find out more about how we publish fitness to practise information, including relevant time periods, in our Fitness to practise publication and disclosure policy.
We have a legal duty to make referrals to the Disclosure and Barring Service (DBS) and Disclosure Scotland (DS) if the criteria are met under either the Safeguarding Vulnerable Groups Act 2006 or the Protection of Vulnerable Groups (Scotland) Act 2007. This involves disclosing relevant information to enable the DBS or DS to consider the referral. We also have a statutory duty to supply any information that is requested by the DBS or DS under this legislation.
We may share personal data for audit or research purposes to make sure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more under the Research and audit section of this privacy notice.
We share information about recent sanctions with bodies in the UK and abroad who have a legitimate or statutory interest in this information.
Complainant
Fitness to practise investigations
Why we hold it
We have a statutory remit which empowers us to investigate when we believe a doctor, PA or AA poses a serious risk to patients or has significantly or repeatedly failed to meet our standards.
If you raise concerns about a doctor, PA or AA with us, we can use the information you give us to investigate those concerns. We detail how we use this information in How we use your information when considering concerns.
What we hold
We hold information about fitness to practise concerns, investigations of concerns, records of hearings, and records of the outcome of our investigations, including sanctions and warnings.
We hold information about patients, including medical records, where it has been provided as part of a complaint or is necessary for our investigation.
We have the power to require the disclosure of medical records if necessary.
If you choose to take part in our Patient liaison scheme, we can hold a record of any meetings or engagement as well as any personal data associated with reimbursement of reasonable travel costs.
How we share it
The Medical Act 1983 and the Anaesthesia Associates and Physician Associates Order empowers us to share information about fitness to practise investigations including employers, government departments and organisations that oversee our work.
During an investigation we may disclose details of the investigation to other organisations or individuals where it is necessary for us to perform our statutory functions.
Information about hearings and sanctions issued by a tribunal is published on the MPTS website.
You can find further information about warnings and undertakings issued by case examiners. You can find more information about how we publish fitness to practise information, including relevant time periods, in our Fitness to practise publication and disclosure policy.
We have a legal duty to make referrals to the Disclosure and Barring Service (DBS) and Disclosure Scotland (DS) if the criteria are met under either the Safeguarding Vulnerable Groups Act 2006 or the Protection of Vulnerable Groups (Scotland) Act 2007. This involves disclosing tribunal hearing bundles and, where necessary, other relevant information to enable the DBS or DS to consider the referral. We also have a statutory duty to provide any information that is requested by the DBS or DS under this legislation.
We may share personal data for audit or research purposes to make sure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more under the Research and audit section of this privacy notice.
We share information about recent sanctions with bodies in the UK and abroad who have a legitimate or statutory interest in this information.
Employer or responsible officer
Registration and Revalidation information
Why we hold it
We are required under law, including the Medical Act 1983 and the Anaesthesia Associates and Physician Associates Order, to keep the registers of doctors, PAs and AAs. We are responsible for making sure that doctors, PAs and AAs on the registers are suitably qualified and keep their knowledge and skills up to date.
As an employer or responsible officer, we hold your contact information so that we can contact you about a doctor, PA or AA connected to you or your organisation. This may relate to registration, revalidation, annual retention fee payment or fitness to practise concerns. We also contact employers or responsible officers with relevant news, such as new guidance or standards.
What we hold
We hold contact details including your name, email address, postal address and telephone numbers.
We process recommendations, annual returns and revalidation assessment results in relation to revalidation.
We hold information provided to us by you relating to a doctor, PA or AA connected to you or your organisation.
How we share it
We are required to make some of this information publicly available on the medical register. This includes your name published on a doctor’s medical register entry as the responsible officer for their designated body. Organisations can subscribe to download the medical register and view a full list of fields included in the download file. The download file will include your name as responsible officer and designated body.
We share non-public registration information with relevant third parties when it is necessary to assist them with their functions or legitimate interests. Third parties include UK health departments, employers, designated bodies, responsible officers, suitable persons and other bodies where appropriate.
We may share personal data for audit or research purposes to make sure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more under the Research and audit section of this privacy notice.
Fitness to practise investigations
Why we hold it
We have a statutory remit which empowers us to investigate when we believe a doctor, PA or AA poses a serious risk to patients or has significantly or repeatedly failed to meet our standards.
If you raise concerns about a doctor, PA or AA with us, we can use the information you give us to investigate those concerns.
What we hold
We hold information about fitness to practise concerns, investigations of concerns, records of hearings, and records of the outcome of our investigations, including sanctions and warnings.
If a doctor connected to you has a public tribunal decision, your name or organisation may be recorded within a public determination.
How we share it
The Medical Act 1983 and the Anaesthesia Associates and Physician Associates Order empowers us to share information about fitness to practise investigations with other employers, government departments and organisations that oversee our work.
During an investigation we may disclose details of the investigation to other organisations or individuals where it is necessary for us to perform our statutory functions.
Information about hearings and sanctions issued by a tribunal is published on the MPTS website.
You can find further information about warnings and undertakings issued by case examiners. You can find more information about how we publish fitness to practise information, including relevant time periods, in our Fitness to practise publication and disclosure policy.
We have a legal duty to make referrals to the Disclosure and Barring Service (DBS) and Disclosure Scotland (DS) if the criteria are met under either the Safeguarding Vulnerable Groups Act 2006 or the Protection of Vulnerable Groups (Scotland) Act 2007. This involves disclosing tribunal hearing bundles and, where necessary, other relevant information to enable the DBS or DS to consider the referral. We also have a statutory duty to provide any information that is requested by the DBS or DS under this legislation.
We may share personal data for audit or research purposes to make sure that we are carrying out our functions in a fair, consistent, and robust way. You can find out more under the Research and audit section of this privacy notice.
We share information about recent sanctions with bodies in the UK and abroad who have a legitimate or statutory interest in this information.
GMC staff or associate
Recruitment
Privacy notices for current GMC staff and associates are available on our internal webpage.