About this Notice
This notice explains how the GDC processes personal data – that is to say, the various ways in which the GDC obtains, holds, uses and discloses personal data. The notice does this by referencing the main purposes for which the GDC processes personal data.
This notice also explains what your rights are in relation to personal data processed by the GDC. This notice will be formally reviewed and updated annually at the start of each year. It will also be updated and amended during the year as needed.
The way in which the GDC processes personal data is governed by data protection law, which includes the General Data Protection Regulation 2016 (“GDPR”) and the Data Protection Act 2018 (“DPA 2018”).
Explanation of terms used in this Notice
The following terms are defined by the GDPR and DPA 2018. A short explanation is given below (though it is not intended to substitute for the legal definitions).
By personal data, we mean information relating to a living identified or identifiable person.
By special category personal data we mean:
- Personal data that reveals any of the following about an individual: racial or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership.
- Personal data that consists of: genetic data; biometric data used for the purpose of identifying an individual; data concerning health; or data concerning an individual’s sex life or sexual orientation.
By criminal offence data we mean data about whether an individual has committed or has been convicted of a criminal offence.
When you contact the GDC
The Customer Services team manages the majority of incoming communication at the GDC. This includes calls made to 020 7167 6000, emails sent to email@example.com and all web forms barring two, which are titled ‘Complaint – about a dental professional’ and ‘Dental Complaints Service – resolution service for private dental treatment complaints’. The former goes directly to our Fitness to Practice Initial Assessment Team, and the latter to the Dental Complaints Service.
The nature of your communication will dictate the information we need to collect from you. If you are a registered dental professional or are applying for entry onto one of our registers, it is likely that we will need to ask for personal data to assist with your enquiry. If you are raising a concern about a registered dental professional, it is likely that we will need to collect personal data to investigate your concerns. General enquiries, such as checking a dental professional’s registration, will likely not require the collection of personal data.
Like many other organisations, the GDC operates a standard practice that allows the recording of telephone calls for quality monitoring, training, compliance and security purposes.
All calls received into Customer Services will be recorded by the GDC and will be retained for a period of six months. For each call made to the Customer Services team, a note is added to our database representing the call contents.
However, if the person making the call says that they do not wish to have their call recorded, the call recording will be stopped. Calls to any other telephone numbers within the GDC are not recorded. If calls are transferred from Customer Services to another GDC staff member, the call recording will stop once the call is successfully transferred.
Under normal circumstances a call will not be retrieved or monitored unless:
- It is necessary to investigate a complaint.
- It is part of a management 'spot check' that customer service standards are being met.
- There is a threat to the health and safety of staff or visitors or for the prevention or detection of crime.
- It is necessary to check compliance with regulatory procedures.
- It will aid standards in call handling through use in training and coaching our staff. However, this will only be permitted if the recording is edited so that the caller remains anonymous and the member of staff who was party to the call agrees to its being used in this way.
- Any calls that are used for quality monitoring are retained.
Written communication - emails
All business critical emails relating to a case, registration, or an enquiry from a member of the public that are sent to firstname.lastname@example.org are saved onto the GDC’s CRM. Any emails that are not saved either by Customer Services or the relevant team are retained on our server for a period of six months (plus a 28-day period for deletion) before automatically being deleted.
Written communication - web forms
All web forms are stored in CRM.
Written communication - letters
All letters received by the GDC are scanned and saved either into CRM or by the team into their electronic files.
Use of personal data in connection with registration - registration, ORE and application
Under the Dentists Act 1984, the GDC has a statutory responsibility to maintain: a register of dentists; and a register of dental care professionals (clinical dental technicians, dental hygienists, dental nurses, dental technicians, dental therapists, and orthodontic therapists).
Individuals who apply for registration as dentists or dental care professionals will be required to provide personal data to the GDC. This may include special category data (e.g. data about an applicant’s health), and criminal conviction data (in cases where an applicant is required to declare a past criminal conviction).
The GDC may need to contact referees, or other persons who are named by the applicant in the application form or provided subsequently, in order to verify information given by the applicant or to obtain further information about the applicant. Where the applicant declares any information about a health issue, the GDC may need to obtain information from medical practitioners or other healthcare professionals, involved in the applicant’s care or treatment. Information may also need to be shared with our contracted Occupational Health providers.
The application form for registration also contains an equality monitoring form (completion of which is voluntary). Some of the information that the GDC holds as a result of completion of this form will be special category personal data (e.g. data about individuals’ racial or ethnic origin).
Overseas Registration Exam (ORE)
Some applicants for registration will be required to undertake the Overseas Registration Exam (ORE). This consists of Part 1 (a written exam) and Part 2 (a clinical exam).
Individuals who sit the ORE are required to provide a character reference and clinical experiences references, and the GDC will receive personal data about applicants from these referees.
The ORE contains an equality monitoring form (completion of which is voluntary). Registrants can also choose to complete equality monitoring forms on our online portal eGDC. Some of the information that the GDC holds as a result of completion of this form will be special category personal data (e.g. data about individuals’ racial or ethnic origin).
Part 1 and Part 2 of the ORE are administered by external providers under contract with the GDC. The Consortium that provides this service is made up of the Royal College of Surgeons, UCL Eastman Dental Institute, UCLH Eastman Dental Hospital, and Barts and The London Institute of Dentistry.
The GDC provides the Consortium with a list of the candidates sitting the ORE, together with information to enable them to identify candidates when they arrive to sit the exams. The GDC will receive personal data from these external providers about candidates’ performance in the ORE. We may also share equality monitoring data with the external providers, after the exam has taken place, to quality assure the exam.
Some applicants for registration such as dentists, and all overseas qualified dental care professionals, will be required to undergo an assessment of their qualifications. Where this is the case, the applicants will need to complete an application form.
The GDC may obtain personal data about the applicant from any character referees who have been named by the applicant, and also from any health practitioners involved in treating the applicant. The applications are considered by the GDC’s Registration Assessment Panel, which is made up of independent panels of dentally qualified assessors.
Where the GDC processes personal data, special category personal data or criminal conviction data in connection with registration, then it does so on the basis that: the processing is necessary for the exercise of the GDC’s statutory functions in relation to registration; and the processing is also in the substantial public interest. In addition, some special category personal data is processed by the GDC for the purpose of monitoring equal opportunity or treatment.
In some cases, the provision of data to the GDC by applicants for registration will be a statutory requirement (pursuant to the GDC’s powers in relation to registration). Failure to provide data, or the provision of inaccurate data, may mean that: the application for registration is refused; or the applicant may be subject to fitness to practise procedures by the GDC (which may lead to various consequences, including: the imposition of conditions on a practitioner’s registration as a dentist or a dental care professional; the suspension of that registration; or erasure from the register).
Use of personal data in connection with registration - register maintenance and sharing
Once dental professionals are successfully registered on the GDC’s registers, we require registrants to undertake a retention process on an annual basis. The Annual Retention Fee (ARF) is the fee all registered Dentists and Dental Care Professionals must pay each year to remain on the Dentists Register or Dental Care Professionals Register. We will collect banking transaction and payment data for this purpose and contract with a direct debit collection service provider to manage the bulk processing of direct debit payments.
We will also confirm and update personal information, collect indemnity declarations and continuing professional development (CPD)/Enhanced CPD data at these times. The GDC engages with third party organisations and uses external applications to manage and support our large scale communications.
The GDC’s online portal, eGDC-uk.org, allows registrants to maintain their registration with the GDC. This website uses essential cookies, and we record personal information changes, banking and transaction information, IP and online activity data from the website for security purposes.
Sharing register data
The GDC may share our register information with the NHS and other healthcare bodies in the UK. A list of monthly removals is shared with the NHS to alert them of removals processed by the GDC.
As of 18 January 2016, the GDC and all other European healthcare regulators are legally required to issue alerts about registrants with restrictions or prohibitions on their practice. Alerts are sent for registrants with conditions, suspensions, undertakings and erasures, whether issued by Interim Orders, Health or Practice Committees as well as GDC case examiners. Alerts are not sent for warnings or reprimands as these do not restrict a registrant’s practice. The information contained within the alert enables other regulators to check the individual against their own registrants and applicants to help safeguard the public.
The GDC sends alerts securely over the Internal Market Information (IMI) system to healthcare regulators in each Member State. Registrants will be notified when an alert has been issued about their restriction and are informed of their right to appeal the issuing of the alert with the County Court.
The GDC also receives incoming alerts from other EU regulators. Each alert for dental professionals is checked with our current register and potential applicants. If a registrant is subject to the issue of an alert, the relevant teams (FTP for registrants and the registration teams for applicants) are sent a copy of the alert for further investigation.
Use of personal data in connection with fitness to practise - assessment and investigation
Under the Dentists Act 1984, the GDC has a statutory responsibility to investigate whether the fitness to practise (FtP) of registrants (i.e. dentists or dental care professionals registered by the GDC) is impaired. Where FtP is impaired this may lead to various consequences, including: the imposition of conditions on a practitioner’s registration as a dentist or a dental care professional; the suspension of that registration; or erasure from the register.
The GDC has statutory powers to obtain information for the purposes of its FtP functions, and it may exercise these powers to help it investigate the issues.
In connection with its FtP functions, the GDC may process personal data about: registrants; informants (including persons who have raised concerns with the GDC about a registrant); and other relevant individuals (e.g. persons who have been treated by the registrant but who are not themselves informants). This may include special category personal data (e.g. information about health). It may also include criminal conviction data (e.g. where a FtP issue arises as a result of a registrant’s criminal conviction).
For the purposes of investigating a FtP complaint about a registrant, the GDC may need to share details of the complaint with: the registrant; their current and (in some circumstances) previous employer(s); their legal representatives; and other individuals or organisations (for example, the NHS, MHRA, CQC).
The GDC may need access to the medical or dental records of the informant or other relevant individuals (where the FtP issue relates to clinical matters). The GDC may also need to obtain information about the health of registrants (e.g. where the FtP issue relates to the registrant’s health), informants, or other relevant individuals such as other patients treated by the registrant.
A FtP concern may be raised by various routes, including: online; by email or letter; or from within the GDC itself, including by referral from the In-house Legal Prosecution Service (ILPS) or the Dental Complaint Service (DCS).
Assessment and investigation
The issues raised will initially be considered by the GDC’s Initial Assessment team, to determine whether the matter should go forward to be considered at the casework stage.
Where cases are referred to the casework stage, the caseworker will obtain whatever information is necessary in order to complete their investigation. This may include sharing relevant information with a clinical adviser for comment. Where the concerns raised relate to a registrant’s health, the GDC may need access to the registrant’s medical records, and it may be necessary for the GDC to contact the registrant’s GP or other medical practitioners involved in the care and treatment of the registrant. It may also be necessary for the registrant to have a health assessment and for information to be shared with our contracted Occupational Health providers for that purpose. As part of this assessment, hair and blood samples may be taken.
When the caseworker has completed their investigation, they will assess the case. A Casework Manager will then review the matter and will conclude that either:
- The complaint and / or information received does not raise an allegation that fitness to practise may be impaired – the case will be closed; or
- The complaint and / or information received does raise an allegation that fitness to practise may be impaired – the case, and information relating to it, will be referred to our Case Examiners.
The Case Examiners are dental professionals appointed as GDC staff members with a statutory duty to make decisions at the conclusion of an investigation. Evidence in each case is considered by a pair of Case Examiners (one lay and one a dentist or dental care professional) who review all relevant evidence obtained during our investigation, including any evidence provided by the registrant in question or the informant.
The Case Examiners are not asked to make findings of fact in a case or come to substantive conclusions regarding a registrant's fitness to practise but are instead asked to determine whether an allegation ought to be considered by a Practice Committee.
Use of personal data in connection with fitness to practise - prosecution and hearings
If the Fitness to Practise (FtP) case is referred by the General Dental Council's (GDC) Case Examiners to be heard by one of the GDC’s Practice Committees, then the In-house Legal Prosecutions Service (ILPS) will take responsibility for conducting the case before the Committee on behalf of the GDC. The ILPS also conducts cases where the GDC is seeking an Interim Order and Review cases before the GDC’s respective Practice Committees.
Where necessary the ILPS will need to share information with witnesses, including expert witnesses, for this purpose. In some instances, the GDC will ask its External Legal Prosecution Service (ELPS) - a third-party law firm contracted to carry out this work on the GDC’s behalf - to conduct a case.
In preparation of a case (particularly a case involving the health of a registrant) the ILPS and/or the ELPS may need access to the registrant’s medical records, and it may be necessary for the GDC to contact the registrant’s GP or other medical practitioners involved in the care and treatment of the registrant. It may also be necessary for the registrant to have a health assessment and for information to be shared with our contracted service provider for that purpose. As part of this assessment, hair and blood samples may be taken.
Hearings before one of the GDC’s committees (including those considering interim orders or resumed hearings) may take place in public. For the purposes of the hearing, information about the relevant FtP issues will be provided to the members of the committee that hears the matter: this may include special category data or criminal conviction data about registrants, complainants, or relevant third parties.
Where an individual is legally represented in connection with a FtP investigation, the GDC may ask for the individual’s consent to disclose information about the investigation to the legal representative. In such cases, the basis on which the GDC discloses the information is that the individual has given consent (or, in relation to special category personal data, has given explicit consent) to the disclosure.
Otherwise, the basis on which the GDC processes personal data in connection with FtP is that the processing is necessary for the exercise of the GDC’s statutory functions in relation to FtP.
Where the GDC processes special category personal data or criminal conviction data in connection with FtP, then it does so on the basis that: the processing is necessary for the exercise of the GDC’s statutory functions in relation to FtP; and the processing is also in the substantial public interest.
In some cases, the provision of information to the GDC in connection with FtP will be a statutory requirement (pursuant to the GDC’s powers in relation to FtP). Where a registrant fails to provide information, or provides inaccurate information, then this may in itself give rise to a FtP complaint against the registrant.
Use of personal data in connection with illegal practice
Under the Dentists Act 1984, it is a criminal offence for a person who is not a registered dentist or a registered dental care professional to practise dentistry, or to hold themselves out as doing so. It is also a criminal offence to use protected dental titles or to unlawfully carry on in the business of dentistry as an individual or body corporate. The GDC investigates and prosecutes these offences.
For these purposes, the GDC obtains personal data from individuals who complain to the GDC about illegal dental practice. This may include: witness statements provided to the GDC by the informant; and medical records about the informant.
The GDC will also obtain personal data about individuals who are investigated in order to ascertain whether they are practising dentistry illegally. This may include data obtained through publicly available information or as a result of further investigations.
If the matter proceeds to Court, the GDC will be required to disclose material to the defendant. This may include details of the initial complaint to the GDC. If the informant did not assist the GDC in its investigation, then these details will be provided in redacted form without disclosing the informant's identity.
Where the GDC processes personal data, special category personal data or criminal conviction data in connection with illegal practice, then it does so on the basis that: the processing is necessary for the exercise of the GDC’s statutory functions in relation to illegal practice; and the processing is also in the substantial public interest.
Failure to provide information to the GDC in connection with illegal practice may prejudice the success of a prosecution brought by the GDC. In the case of a registrant, failure to provide information or the provision of inaccurate information may lead to FtP proceedings in respect of the registrant.
Use of personal data in connection with education and quality assurance
Under the Dentists Act 1984, the GDC has a statutory responsibility to monitor the quality of education and training programmes in the UK that lead to registration as a dentist or a dental care professional. In order to discharge this responsibility, the GDC carries out quality assurance of these programmes. This work is carried out by education associates working for the GDC.
Prior to an inspection, the GDC will normally have access to the curriculum vitae of staff members from the education provider. During the inspections, the inspectors will meet staff members and students and will take notes of these meetings. The inspectors may also ask to see a copy of student log books which contain details of the clinical work that students have carried out; the GDC asks for student details to be anonymised, and patients are referred to in the log books by way of an individual identification number allocated by the training programme. The inspectors may also see student exam results (which are usually anonymised) and progress reports and student FtP data (both of which are not anonymised).
The inspectors contribute to the preparation of a final report which is shared with the education provider. In this report, staff and student names are anonymised, and staff roles and gender are not disclosed to avoid identification.
On occasion, students will contact the GDC's education and quality assurance team with a complaint about their education provider. The complaint will be investigated by the team: if the student agrees that it should be investigated; or if the team consider that the nature of the complaint requires investigation even without the student's agreement.
Where the GDC processes personal data, special category personal data or criminal conviction data in connection with quality assurance, then it does so on the basis that: the processing is necessary for the exercise of the GDC's statutory functions in relation to dental education; and the processing is also in the substantial public interest.
In the case of a registrant, failure to provide information to the GDC in connection with quality assurance, or the provision of inaccurate information, may lead to FtP proceedings in respect of the registrant.
Use of personal data in connection with the Dental Complaints Service (DCS)
The DCS was set up by the GDC to assist dental patients and dental professionals in resolving complaints about private dental treatment. It is a resolution service, where the final stage is a panel meeting. The panel comprises two lay members and a clinical member, who can make recommendations for resolving disputes. More detailed information about their process, including how they use and share information with the GDC’s team, is available on the DCS website.
Patients who are in dispute with a registrant are not obliged to use the DCS route in order to resolve the complaint. Neither patients nor registrants are obliged to follow the panel’s recommendations as to how their dispute should be resolved.
The operation of the DCS process involves the processing of personal data about both patients and registrants. This may include special category personal data, or criminal conviction data. Information held and used by the DCS will include:
- Patient contact details, addresses, contact numbers, emails, dates of birth etc.
- Dental professional’s contact details.
- Dental records.
- Correspondence relating to dental complaints.
- Panellist information.
- Anonymised equality and diversity information.
- Recordings of calls to the DCS helpline for training and quality monitoring purposes.
Anonymised case studies are developed from real life case examples to assist in learning and development of DCS staff.
In relation to patients, the basis for processing personal data is the patient’s consent, or in relation to special category data, their explicit consent.
The basis on which the GDC processes registrants’ personal data in connection with the DCS is that the processing is necessary for the exercise of the GDC’s statutory functions regarding the practice of dentistry.
Where the GDC processes registrants’ special category personal data or criminal conviction data in connection with the DCS, then it does so on the basis that: the processing is necessary for the exercise of the GDC’s statutory functions in relation to the practice of dentistry; and the processing is also in the substantial public interest.
As indicated above, patients are not obliged to make use of the DCS. However, where a patient decides to make use of the service, the registrant is obliged to engage in the process which includes providing information; failure to do so may lead to FtP proceedings in respect of the registrant.
Use of personal data in connection with research
The GDC conducts and commissions research on a range of topics to support our regulatory functions related to registration, fitness to practise, and education and training.
The personal data which we use to carry out our regulatory functions can also be used for research which supports those functions. This includes demographic information, employment and fitness to practise history, and details of complaints.
As part of our research, we may use data profiling to help us understand more about certain issues and their impact on Registrants in these areas. However, profiling is not used to make automated decisions about a Registrant’s registration or fitness to practise.
We process personal data in carrying out research on the basis that it is necessary for the exercise of the GDC’s statutory functions and is carried out in the public interest. Where the processing includes special category data, it is also on the basis that it is necessary for research purposes.
We share personal data with researchers working on our behalf if it is necessary to do so. We do so under contract and ensure we have adequate safeguards in place, only sharing what is necessary for the research, using secure methods. Where possible we provide researchers with anonymised or pseudonymised data for research purposes.
When we publish research or statistics, we apply disclosure controls to make sure individuals cannot be identified from the data.
Use of personal data in connection with consultations
A “consultation” is any exercise with the purpose of seeking agreement or views on a set of proposals to amend policy, procedures, rules or guidance.
When exercising our functions, we must have proper regard for the interests of the public, dental patients and dental professionals. In some circumstances, we have statutory duties to consult with specific audiences, for example, if we needed to amend fitness to practise rules.
Alongside our wider engagement activities, there will be circumstances where it is desirable to consult, through public consultation, with dental professionals and other stakeholders.
In the majority of cases, a consultation will be a formal, timebound and public process, where proposals are outlined, evidenced and explained in full. Consultations will normally invite views from the public and other stakeholders. This can be done by asking specific questions or simply inviting comments on the proposals outlined. Consultation is typically a written process, but can also include face-to-face engagement activities, such as facilitated focus groups, stakeholder meetings, issue-led seminars etc.
Where personal data is collected and processed as part of a consultation the processing is necessary for the GDC to perform a task in the public interest or for the GDC’s official function. The information provided, including personal data, will be used to assess the potential impacts and to determine the views of the public and other stakeholders on the proposals raised in this consultation exercise. The information will be shared internally with relevant GDC staff members and those appointed to Council.
By providing personal information for the purpose of the public consultation exercise, participants are agreeing to its use for these purposes. If this is not the case, participants should limit any personal information which is provided, or remove it completely. If you want the information in your response to the consultation to be kept confidential, you should explain why as part of your response, although we cannot guarantee to do this.
An anonymised summary of the views received as part of this consultation exercise and information on any further action or next steps will be included in a consultation outcome report, which will be made available on the consultation section of the GDC website.
All information contained in responses, including personal information, may be subject to publication or disclosure if requested under the Freedom of Information Act 2000. However, personal data will not be published where doing so would breach the GDPR or Data Protection Act.
Use of personal data for employment purposes
In order to carry out its various functions, the GDC has a number of employees and contractors. The GDC holds personal data about people who apply to be employees and about current or former employees. This may include special category personal data (e.g. about health) and criminal conviction data.
For recruitment purposes, the GDC uses an applicant tracking system called Cornerstone to collect, store and manage recruitment documentation. This site is managed by an independent provider. Where candidates are instructed to apply via Cornerstone, their personal data in connection with the application will be stored in the site. This includes information provided by unsuccessful applicants.
All new employees at the GDC are required to provide various items of personal data. This includes data about health, copies of passports, evidence of the right to work, and an equality and diversity form.
Where employees are unfit to attend work, they are required to provide information about their absence through an external provider system called "Absence Manager". This information will be made available to the employee's line manager, and the GDC's HR Department.
Employees may be referred to the external Occupational Health provider; and, with the consent of the member of staff, the GDC may receive copies of an individual's occupational health report.
Performance reviews are usually conducted by an employee's line manager. Statements from the member of staff and their manager about performance are entered and stored on the GDC's Cornerstone system. Information about performance reviews may also be held by the line manager and/or by the GDC's HR department.
Information about an individual's disciplinary record will be held by the GDC's HR department.
The HR department may prepare reports on matters such as absence and performance, to present to the GDC's management team. Such reports will be anonymised and do not contain personal data.
All GDC staff are required to provide regular and considered declarations of any conflicts, or perceived conflicts, of interest. To promote transparency, and public confidence in the organisation and the regulatory process, the GDC also publishes on its external website the declarations of the executive team and the GDC’s Case Examiners.
The basis on which the GDC processes personal data in connection with employment is that the processing is necessary for the exercise of the various statutory functions conferred on the GDC.
Where the GDC processes special category personal data or criminal conviction data in connection with employment, then it does so on one or more of the following bases:
- The processing is necessary for the exercise of the GDC's statutory functions and is also in the substantial public interest.
- The processing is necessary for performing or exercising the GDC's legal obligations and rights in connection with employment.
- The processing is necessary for health purposes (including occupational health or the assessment of an employee's working capacity).
In addition, some special category personal data is processed by the GDC in the context of employment, for the purpose of monitoring equal opportunity or treatment. Providing this information is optional, and it is collected and processed only with the consent of the employee.
Use of personal data for associate engagement purposes
In order to carry out its various functions, the GDC engages a number of associates who provide expert advisory, investigatory or adjudicatory services. These associates perform roles such as Fitness to Practice Panel Members or Advisers, Registration Appeal Panel Members, Overseas Registration External Examiners, Education Inspectors, Clinical Advisers, Expert Witnesses, Dental Complaints Service Panellists, Specialist List Appeals Panellists, Council members and members of other statutory and standing committees.
The GDC holds personal data about people who apply to be associates, and about current or former associates. This may include special category personal data (e.g. about health) and criminal conviction data.
The GDC may use an applicant tracking system called Cornerstone to collect, store and manage information related to the recruitment of associates. This site is managed by an independent provider. Where candidates are instructed to apply via Cornerstone, their personal data in connection with the application will be stored in the site. This includes information provided by unsuccessful applicants.
Associates at the GDC are required to provide various items of personal data, including names, contact details, bank account details, identification, evidence of the right to work, and details of qualifications, skills, experience and employment history. Such data will be held by the GDC's HR department and/or the associate's line manager, and basic contact information, such as names, addresses and telephone numbers, is stored in the GDC's CRM database.
In addition, some special category personal data about associates is processed by the GDC for the purpose of monitoring equal opportunity or treatment. Providing this information is optional, and it is collected and processed only with the consent of the associate.
Information about the quality of an associate's work for the GDC will be held by the line manager, and may be stored in HR.
The basis on which the GDC processes personal data about associates is that the processing is necessary for the exercise of the various statutory functions conferred on the GDC. The data is used to verify an associate's identity and work rights, enable performance of the contract for services between the parties (including communication, payment of fees and reimbursement of expenses, if applicable), and monitor and provide feedback on work quality.
Where the GDC processes special category personal data or criminal conviction data about associates, then it does so on one or more of the following bases:
- The processing is necessary for the exercise of the GDC's statutory functions and is also in the substantial public interest.
- The processing is necessary for performing or exercising the GDC's legal obligations and rights in connection with the contract for services with the associate.
- The processing is necessary for health purposes (including occupational health or the assessment of an associate's working capacity).
Some associates are paid through a payroll system, and the GDC may share their personal data with third parties in connection with payroll processing, taxation and pension contributions if applicable.
Use of personal data when applying for a job with us
As part of your application you will be asked to provide personal data which the GDC needs to process in order to manage and keep records of the recruitment process, assess your suitability for employment and decide to whom to offer a job. We may also need to process job applicant data to respond to and defend against legal claims.
We also process health information if we need to make reasonable adjustments to the recruitment process to support applicants who have a disability. In some cases, the GDC needs to collect and process data to ensure we are complying with our legal obligations, for example checking an applicant's eligibility to work in the UK before employment starts.
If your application is successful, the GDC will also process your data to prepare your contract and offer of employment.
You are also encouraged to provide equality and diversity information, such as racial origin, disability, religious belief or sexual orientation, which will be anonymised and used for monitoring purposes. Please note that you may choose not to provide this information and it will not affect your application in any way.
Your data will be held in the Cornerstone system and in confidential files held by the GDC's HR department. Your data will be shared with the hiring manager, other selection panel members and senior managers who are involved in the decision-making process. Your information will be held on file for a maximum of 12 months.
Use of personal data in connection with Whistleblowers
In line with the GDC’s Whistleblowing Policy, we welcome matters being raised by our employees or by workers who want to raise concerns about people or organisations where they believe those issues are connected to the GDC’s functions. We process this information because doing so is necessary to carry out our regulatory function or to comply with our legal obligations as a ‘prescribed person’ under the Public Interest Disclosure Act 1998 and The Public Interest Disclosure (Prescribed Persons) Order 2014.
We will ensure that, if you raise a genuine concern, you will not suffer any detriment or adverse treatment as a consequence, and any information you provide will be kept secure in line with our Data Protection policy.
We may need to use and share information you give us with other organisations, such as government departments, enforcement agencies and the police, for the purpose of investigating the issues raised. There may also be certain circumstances where we are required, by law, to share your information.
Use of Closed-Circuit Television (CCTV) at our sites
CCTV is in operation at our sites. Where we are not the sole occupier of the building (Colmore Square) there is additional CCTV which is controlled by the building owners or management company.
We record CCTV images of people when entering and leaving our premises as well as at strategic locations throughout the buildings. This is for the purposes of security and safety monitoring and the investigation of alleged criminal offences. We may share our CCTV images with law enforcement and courts if this is needed.
We use our premises to perform our regulatory functions. We consider that ensuring the security and safety of our premises is necessary to perform a task carried out in the public interest and/or in our official authority as a regulator.
The GDC’s websites
The GDC operates the following websites:
For information about the processing of personal data in the form of cookies in connection with the GDC's websites, see the dedicated cookies information for each site.
Please be aware that once a user clicks on a link to a site external to these GDC websites, it will be subject to that organisation’s privacy policies, not the GDC’s.
Further information about the processing of special category personal data
As explained above, some of the personal data processed by the GDC is special category data or criminal conviction data.
Please see the GDC's guidance on disclosing convictions and cautions.
Further information about how the GDC complies with data protection law (as set out in the GDPR and in DPA 2018) in relation to such data is set out in the GDC's Data Protection Policy (the GDC’s appropriate policy document for the purposes of the DPA 2018).
Period of retention
The period for which personal data will be retained by the GDC is set out in our Retention schedule.
Under the GDPR and DPA 2018, you have various rights in connection with any personal data about you that is held by the GDC.
The GDC’s Data Subjects Rights Policy sets out in more detail what the GDC does to ensure the rights of the individual under the GDPR are respected and responded to appropriately. This policy also explains in more detail how the GDC will process and respond to requests for rectification, or erasure, or objections to processing under GDPR.
In summary your rights include the following:
- If you are a patient who has complained to the DCS, you are able to withdraw that consent at any point.
- You can ask us to give you access to personal data about yourself that is held by the GDC.
- You can ask for personal data about you that is held to be erased.
- You can ask us to restrict the processing of personal data about you, so that the data will only be used for limited purposes (which are set out in the GDPR).
- You can object to the processing of your personal data.
- You can ask for personal data about yourself that you have provided to the DCS to be provided to you in a structured, commonly used and machine-readable format, and you can transmit that data to another data controller.
All of these rights are set out in detail in the GDPR and DPA 2018, which explain the conditions for the exercise of these rights, and any limitations. Various exemptions may apply, including exemptions arising from the regulatory functions that are carried out by the GDC.
The GDC’s Data Protection Officer
The GDC's Data Protection Officer (DPO) assists in monitoring internal compliance, informs and advises on data protection obligations, and acts as a contact point for data subjects and the Information Commissioner.
If you have any questions or concerns about how the GDC is using and sharing your personal data, then you can contact the GDC's Data Protection Officer by emailing: DPO@gdc-uk.org
The Information Commissioner
The Information Commissioner's role is to improve the information rights practices of organisations by gathering and dealing with concerns raised by members of the public.
Information about their work, including how to submit a complaint, is available on their website: ico.org.uk. They can also be contacted by calling their advice line on 0303 123 1113 or emailing email@example.com.