Close

Privacy

​About our Privacy Notice

Last updated: 4 June 2024

This is the privacy notice for the General Dental Council (GDC). It tells you what information we hold about you and how we use it, explaining this is part of our responsibility under data protection law.

We will give you a more detailed explanation when we need to, for example when we collect information from you because you are involved in a hearing, or when you register with us.

This notice also explains your rights in relation to any personal data that we process, as under data protection law, the GDC is known as the ‘controller’ of the information we hold about you. 

We are accredited to international information security standards and are Cyber Essential Plus certified, which means that we keep your information safe and secure.  We also adhere to the NHS Toolkit which is a set of requirements for organisations who manage NHS data. 

The way in which we process personal data is governed by data protection law, which is primarily the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA”).

The following terms are defined by the UK GDPR and the DPA. 

By personal data, we mean information relating to a living identified or identifiable person.

By special category personal data, we mean:

  • Personal data that reveals any of the following about an individual: racial or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership.
  • Personal data that consists of: genetic data; biometric data used for the purpose of identifying an individual; data concerning health; or data concerning an individual’s sex life or sexual orientation.

By criminal offence data we mean personal data about whether an individual is alleged to have committed or has been convicted of a criminal offence.

What rights do you have?

Under data protection law, primarily the UK General Data Protection Regulation (UK GDPR) and DPA 2018, you have rights over the information we hold about you.

  • You can ask us to give you access to your personal data
  • You can ask for your personal data to be erased.
  • You can ask us to restrict the processing of your personal data, so that the data will only be used for limited purposes.
  • You can object to the processing of your personal data.
  • You can ask for your personal data to be provided to you in a structured, commonly used and machine-readable format, and you can transmit that data to another data controller.

You can make a request for any of these by contacting us at [email protected].

You can contact the GDC's Data Protection Officer by emailing: [email protected].

You can find out more about your rights on the Information Commissioners Office website.

Privacy notice sections

How we use your personal data when you contact the GDC

How we use personal data in Registration

How we use personal data in fitness to practise – initial assessment, assessment and investigation

How we use personal data in fitness to practise - prosecution and hearings

How we use personal data in education and quality assurance

How we use personal data in the Dental Complaints Service (DCS)

How we use personal data for statistical analyses and research

How we use personal data in consultations

How we use personal data for employment purposes

How we use personal data when you apply to work with us

How we use personal data in connection with Whistleblowing

Specific data sharing requests from third parties

How we use Closed-Circuit Television (CCTV)

The GDC’s websites

How we use your personal data when you contact the GDC

Our Customer Services team manages most of the communication we receive. This includes calls made to 020 7167 6000, emails sent to [email protected] and most web forms sent to us. 

There are two web forms managed by other teams. These are the ‘Complaint – about a dental professional’ webform, which is managed by our fitness to practise team, and ‘Dental Complaints Service – resolution service for private dental treatment complaints’ webform, which is managed by the Dental Complaints Service.

We will collect different information from you, depending on the type of communication you have with us.  For example, if you are a registered dental professional or are applying to join one of our registers, it is likely that we will need to ask for personal data to assist with your enquiry. If you are raising a concern about a registered dental professional, we may need to collect personal data to investigate your concerns. 

General enquiries, such as, checking a dental professional’s registration, should not require the collection of personal data.

Phone calls

Like many other organisations, we record our telephone calls for quality monitoring, training, compliance and security purposes.

All calls received into Customer Services are recorded and retained for a period of six months. In addition, we record details of all calls received for reporting purposes.

Calls to any other telephone numbers to the GDC are not recorded. When calls are transferred from our Customer Services team to another GDC staff member, the call recording will end once the call is transferred.

Calls will not be retrieved or monitored unless:

  • It is necessary to investigate a complaint.
  • There is a threat to the health and safety of staff or visitors
  • For the prevention or detection of crime.
  • We need to check compliance with regulatory procedures.
  • It is part of a ‘spot check’ to ensure that our customer service standards are being met.
  • To improve standards in call handling through training and coaching of our staff. In this instance the call will be edited to ensure the callers details are anonymised. The staff member will also need to agree to the call being used in this way. 

All calls that are used for quality monitoring are retained.

Emails

All emails relating to a fitness to practise case, registration, or an enquiry from a member of the public that are sent to [email protected] are stored on our Customer Relationship Management (CRM) system.

All other emails received by the GDC are retained on our email system for a period of twelve months (plus a 28-days period for deletion) before they are automatically deleted.

Web forms

All web forms we receive are stored in our CRM.

Letters

All letters we receive are scanned and saved either into our CRM system or by the relevant team in their electronic files.

How we use personal data in Registration

Registration

We have a statutory responsibility to maintain a register of dentists and a register of dental care professionals, which includes clinical dental technicians, dental hygienists, dental nurses, dental technicians, dental therapists, and orthodontic therapists.

Everyone who applies to join our register will be required to provide personal data to us. This may include special category data, for example, information about your health, and criminal conviction data (including declaring a past criminal conviction).

We may need to contact referees, or other persons who are named by you in your application form or provided subsequently. This is to verify the information you provided or to obtain further information. Where you have declared any information about a health issue, we may need to obtain information from your doctor or other healthcare professional, involved in your care or treatment. 

The registration application form includes equality monitoring questions, which are voluntary. Some of the information that we hold from this form is special category personal data (e.g. data about your racial or ethnic origin).

Overseas Registration Exam (ORE)

Some applicants for registration will be required to undertake the Overseas Registration Exam (ORE). This consists of Part 1 (a written exam) and Part 2 (a clinical exam).

People who sit the ORE are required to provide a character reference and clinical experiences references, and we will receive and store personal data about applicants from these referees.

The ORE application includes an equality monitoring form, which is voluntary for you to complete. 

Dental professionals can also choose to complete the equality monitoring form on our online portal eGDC. Some of this equality information provided will be special category personal data (e.g. data about individuals’ racial or ethnic origin).

Part 1 and Part 2 of the ORE are administered by external providers under contract with the GDC, known as the Consortium.
 
We provide the Consortium with a list of the candidates sitting the ORE, together with information to enable them to identify candidates when they arrive to sit the exams. We also receive personal data from these external providers about candidates’ performance in the ORE. We may share equality monitoring data with the external providers, after the exam has taken place, to quality assure the exam. 

Applications

Some applicants such as overseas qualified dentists and dental care professionals, will be required to undergo an assessment of their qualifications. Where this is the case, you will need to complete an application form.

We may obtain personal data about you from any character referees who have been named in your application, or from any health practitioners involved in treating you. 

These applications are considered by our Registration Assessment Panel which are independent panels of dentally qualified assessors.

Where we process personal data, special category personal data or criminal conviction data in connection with registration, we do it on the basis that the processing is necessary to carry out our statutory functions in relation to registration, and the processing is in the substantial public interest. In addition, some special category personal data is processed by us for the purpose of monitoring equality of opportunity or treatment.

In some cases, providing data to us for registration is a statutory requirement. Not providing data, or providing inaccurate data, may mean that your application for registration is refused or your applicant may be subject to fitness to practise procedures by us. This may lead to various outcomes, including conditions being imposed on your registration, the suspension of your registration, or removal (erasure) from the register.

How we use personal data in registration maintenance and sharing

Register Maintenance

Once you are successfully registered, we require that you undertake a retention process annually. The Annual Retention Fee (ARF) is the fee all registered dental professionals must pay each year to remain on the register. 

We collect banking transaction and payment data for this purpose and contract with a direct debit collection service provider to manage the bulk processing of direct debit payments.

We will confirm and update personal information, collect indemnity declarations and continuing professional development (CPD) as part of the renewal process. 

We use external providers and applications to send out the emails, letters and texts that support our renewal and registration communications. 

Our online portal, eGDC-uk.org allows you to maintain you registration with the GDC. This website uses cookies to record personal information changes, banking and transaction information, IP address and online activity data from the website for security purposes.

Sharing register data

We may share our register information with the NHS and other healthcare bodies in the UK. A list of monthly removals is shared with the NHS to alert them of the people we have removed from the register.

Working pattern data

We ask dental professionals to complete a small number of questions about their working patterns as part of their annual renewal process. These questions are voluntary, and you can choose not to answer these if you prefer. You will hear about this as part of our Annual Retention Fee communications. 

We’re doing this as we believe having a better understanding of how dental professionals are working throughout the UK will provide important insight into the issues affecting dental professionals and patients. 

This insight will help the profession develop future services that will bring about the changes the profession and patients want and need.

We collect this information for the purposes of undertaking analysis and producing and sharing reports about working patterns in dentistry and how it changes over time.

We will use the responses we receive to undertake analyses, produce reports and make data available to external organisations and stakeholders. 

The responses we receive will help us and others to better understand: 

  • Where dental professionals are working.  
  • What dental professionals are doing.
  • The number of hours they are working.
  • Whether they are working in NHS or private practice.
  • How the way dental professionals are working changes over time.  

Our working pattern survey will ask registrants for the postcode of their primary place of work. This will be used to assist in our reporting of working pattern data, and to create reports based on more accurate place of work location data. 

When you enter your work postcode, the lookup will include a full address for you to select. However, only the postcode itself, not the full address, will be visible to and retained in the GDC database for your response to this question. 

Working pattern data will be used alongside other information we hold, including registrant equality, diversity and inclusion data, to better meet this purpose. 

We will only share and report datasets in a format where no individual is directly identifiable and only following approval under our report request process. 

We will ensure that no individual can be identified when we publish reports based on this data. 

Working pattern data, including postcode, will not be used to make decisions about fitness to practise cases, your registration, or your annual renewal nor will they affect your access to GDC services or how we treat you.  

The responses you provide are your personal data but will only be viewable by specific GDC staff who technically manage our data and systems and undertake data analysis.  

Under data protection law, the basis we use to process this information is our ‘legitimate interests’. This means we have judged it ‘necessary’ for us to use personal data to meet the purposes we have for this work. 

When we process special category data, such as some equality, diversity and inclusion information for this purpose, we do so as it is necessary for our public task and necessary for reasons of substantial public interest. 

This is because we are uniquely placed to contact dental professionals wherever they work. The objective of this work is to support the wider public benefit from analysis and sharing of information with sector stakeholders such as NHS organisations. 

This will facilitate a better understanding of how dental professionals are working throughout the UK and will provide important insight into the issues affecting dental professionals and patients. These interests support our statutory function of protecting the public. 

How we use personal data in fitness to practise – initial assessment, assessment and investigation

We have a statutory responsibility to investigate whether the fitness to practise (FtP) of a dental professional who is registered with us is impaired. Where FtP is impaired, this may lead to various outcomes, including conditions imposed on a dental professional’s registration, the suspension of that registration, or erasure from the register.

We have statutory powers that allows us to obtain information as part of our fitness to practise investigations, and we may exercise these powers to help us investigate these issues.

In completing our FtP functions, we may process personal data about: 

  • Registered dental professionals
  • Informants (including people who have raised concerns with us about a dental professional)
  • Other relevant individuals (e.g. people who have been treated by the dental professional but who are not themselves informants). 
This may include special category personal data (e.g. health). It may also include criminal conviction data (e.g. where a FtP issue arises as a result of a criminal conviction).

When investigating concern about a dental professional, we may need to share details of the concern with them, their current and (in some circumstances) previous employer(s), their legal representatives and other individuals or organisations. 

More information about the disclosure and publication of information during the fitness to practise process can be found in our Disclosure and Publication Policy.

Where the FtP investigation relates to clinical matters, we may need access to the medical or dental records of the informant or other relevant people. We may also need information about the health and wellbeing of the dental professional, informants, or other relevant individuals such as other patients treated by the dental professional.

Concerns can be raised by sending us a web form, email or letter.  

We can also raise a concern directly through our In-house Legal Presentation Service (ILPS) or Dental Complaint Service (DCS).

Initial assessment, assessment and investigation

The concerns received will initially be considered by our Initial Assessment team, to determine whether they should go forward to be considered at the assessment stage.

When cases are referred to the casework stage, the caseworker will obtain the information necessary to complete their investigation. This may include sharing relevant information with a clinical adviser for comment. Where the concerns raised relate to a dental professional’s health, we may need access their medical records, and contact their GP or other medical practitioners. 

It may also be necessary for the dental professional to have a health assessment and for information to be shared with our contracted Occupational Health providers for that purpose. As part of this assessment, we may ask for hair and blood samples, for the purpose of alcohol or drugs testing.

Once the caseworker has completed their investigation, they will review the matter and will conclude that either:

  • The information received does not mean we can raise an allegation that the dental professionals’ fitness to practise may be impaired, and will close the case; or
  • The information received does mean we can raise an allegation that the dental professionals’ fitness to practise may be impaired and will refer the case to our case examiners. 
Case examiners are dental professionals or lay people but are also GDC staff who have a statutory duty to make decisions at the conclusion of an investigation. The evidence is considered by two case examiners (one lay and one a dentist or dental care professional) who review the evidence obtained during our investigation, including any evidence provided by the dental professional or their representatives and the informant.

Case examiners don’t make findings of fact in a case or come to substantive conclusions regarding a dental professional’s fitness to practise. They do determine whether an allegation should be considered by a Practice Committee. They can also close a case or impose conditions on the dental professional.

How we use personal data in fitness to practise - prosecution and hearings

Prosecution

When a Fitness to Practise (FtP) case is referred by the case examiners to be heard by one of our Practice Committees, the In-house Legal Prosecutions Service (ILPS) will take responsibility for conducting the case before the Committee on behalf of the GDC. The ILPS also conducts cases where we are seeking an Interim Order and Review cases before our respective Practice Committees. 

The ILPS may need to share information with witnesses, including expert witnesses, for this purpose. In some instances, we may ask our External Legal Prosecution Service (ELPS), a third-party law firm contracted to carry out this work for us.
 
In preparing a case (particularly a case involving the health of a dental professional) the ILPS and/or the ELPS may need access to your medical records, and it may be necessary for us to contact your GP or other medical practitioners involved in your care and treatment.
 

It may be necessary for the dental professional to have a health assessment and for information to be shared with our contracted service provider for that purpose. As part of this assessment, hair and blood samples may be taken.

Hearings

Hearings held before our committees are managed by our Dental Professionals Hearings Service.
 

You can review the Privacy notice of our hearings service on the Dental Professionals Hearings Service website.

How we use personal data in connection with illegal practice

It is a criminal offence for someone who is not a registered dentist or dental care professional to practise dentistry, or to say that they practise dentistry. It is also a criminal offence to use a protected dental title or to unlawfully carry on in the business of dentistry as an individual or body corporate. 

We will investigate and prosecute these offences or take other appropriate enforcement action.

We collect personal data from anyone who complains to us about illegal dental practice. This may include witness statements provided to us and medical records of any informants.

As part of our review, we will collect personal data about the people we investigate   to ascertain whether they are practising dentistry illegally. This may include data obtained through publicly available information or because of our investigations.

If the matter proceeds to Court, we are required to disclose material to the defendant. This may include details of the initial complaint we received. If the informant did not assist us in our investigation, these details will be provided in redacted form without disclosing the informant’s identity.

Where we process personal data, special category personal data or criminal conviction data in connection with illegal practice, we do so on the basis that the processing is necessary to exercise our statutory functions in relation to illegal practice and is in the substantial public interest.
 

Failure to provide information to us in connection with illegal practice may prejudice the success of a prosecution brought by us. In the case of a registered dental professional, failure to provide information or the provision of inaccurate information may lead to FtP proceedings.

How we use personal data in education and quality assurance

We have a statutory responsibility to monitor the quality of education and training programmes in the UK that lead to registration as a dentist or a dental care professional. To achieve this responsibility, we carry out quality assurance of these programmes. This work is carried out by education associates working for us.

Before an inspection, we will normally have access to the CV’s of staff members from the education provider. During the inspections, our inspectors will meet staff members and students and will take notes of these meetings. Our inspectors may ask to see a copy of student log books which contain details of the clinical work that students have carried out. 

All student and patient data sent to us is anonymised. Any information that cannot be anonymised is only viewed in person and no details are recorded. Our inspectors may also see student exam results (anonymised) and progress reports and student FtP data (not anonymised).

Inspectors contribute to the preparation of a final report which is shared with the education provider. In this report, staff and student names are anonymised, and staff roles and gender are not disclosed to avoid identification.

On occasion, students will contact our’ education and quality assurance team with a complaint about their education provider. The complaint will be investigated if the student agrees that it should be investigated or if we consider that the nature of the complaint requires investigation even without the student’s agreement.

Where we process personal data, special category personal data or criminal conviction data in connection with quality assurance, we do so on the basis that the processing is necessary to complete ’our statutory functions in relation to dental education and is in the substantial public interest.

If a registered dental professional fails to provide information to us in connection with quality assurance, or provide inaccurate information, it may lead to fitness to practise proceedings.

How we use personal data in the Dental Complaints Service (DCS)

The DCS was set up by the GDC to assist dental patients and dental professionals in resolving complaints about private dental treatment. 

It is a resolution service, where the final stage is a panel meeting. The panel comprises of two lay and a clinical member who make recommendations to resolve disputes. More detailed information about their process including how they use and share information with the GDC is available on the DCS website.

Patients who are in dispute with a dental professional are not obliged to use the DCS route in order to resolve the complaint. Neither patients nor dental professionals are obliged to follow the panel’s recommendations as to how their dispute should be resolved.

The DCS process involves the processing of personal data about both patients and dental professionals. This may include special category personal data, or criminal conviction data. Information held and used by the DCS will include:

  • Patient contact details, addresses, contact numbers, emails, dates of birth etc.
  • Dental professional’s contact details.
  • Dental records.
  • Correspondence relating to dental complaints.
  • Panellist information.
  • Anonymised equality and diversity information.
  • Recordings of calls to the DCS helpline for training and quality monitoring purposes.

Anonymised case studies are developed from real life case examples to assist in learning and development of DCS staff.

The basis for processing personal data is the patient’s consent, or in relation to special category data, their explicit consent.

We process dental professionals’ personal data in connection with the DCS as it is necessary to carry out our statutory functions.

Where we process dental professionals’ special category personal data or criminal conviction data in connection with the DCS, we do so because it is necessary in delivering our statutory functions and is in the substantial public interest.

Patients are not obliged to make use of the DCS. However, where a patient decides to make use of the service, the dental professional is obliged to engage in the process which includes providing information. Failure to do so may lead to fitness to practise proceedings.

How we use personal data for statistical analyses and research

The personal data which we use to carry out our regulatory functions is used for statistical analyses and research. Personal data includes demographic information, employment, and data generated during the fitness to practise process.

We conduct data analyses, commission and support research on a range of topics to provide evidence that informs our approach to regulatory functions related to registration, fitness to practise, and education and training.

We process personal data in carrying out research on our own behalf on the basis that it is necessary to exercise our statutory functions and is carried out in the public interest. Where the processing includes special category data, it is also on the basis that it is necessary for research purposes. 

As part of data analyses and research, we use personal data including special category and protected characteristics to help us understand more about a range of issues and their impact on dental professionals across everything we do. We do this to help ensure we are not discriminating against anyone and being fair. 

Statistical analysis of personal data or research are never used to make decisions about a dental professional’s registration or about a fitness to practise case. 

We share personal data with researchers working on our behalf if it is necessary to do so. We do so under contract and ensure we have adequate safeguards in place, only sharing what is necessary for the research, using secure methods. When we commission research to contractors or provide support to external research not commissioned by GDC, we default to providing them with anonymised data. 

When we publish research or statistics, we ensure individuals cannot be identified from reports. We will never identify individuals in published data analyses or research without first gaining consent from those involved. 
 
In some circumstances we want to use non-anonymised data. These requests for internal or external use are carried out under our report request process, which includes advice from our Data Protection Officer. Decisions to allow these data uses are made by the relevant Executive Director and if needed the Chief Executive and Registrar.  

Third Party Research

As well as conducting our own research, we co-operate with third party organisations that are conducting their own research. We default to sharing anonymised or pseudonymised data (where a unique reference is used instead of personal data). Sometimes we share non-anonymised personal data with third parties. 

Third party research will typically support our regulatory functions, for example registration, fitness to practise, and education and training.

We share data with third party organisations conducting their own research on the basis that it is carried out in the public interest. Where the processing includes special category data, it is also on the basis that it is necessary for research purposes.

Where we share data with third party researchers, we do so under appropriate agreements and ensure we have adequate safeguards in place, only sharing what is necessary for the research, using secure methods. These are considered under our report request process. 

How we use personal data in consultations

A public consultation is any exercise where we are seeking agreement or views on a set of proposals to amend policies, procedures, rules, or guidance.

When exercising our regulatory functions, we must have proper regard for the interests of the public and patients, and dental professionals. In some circumstances, we have a statutory duty to consult if we are proposing changes to fitness to practise rules.

A consultation is normally a formal, timebound and public process, where our proposals are set out and explained in full. Public consultations typically invite responses from dental professionals, the public and patients, and other stakeholders. That can be done by asking for responses to specific questions or simply inviting comments on the proposals. Public consultations tend to be done in writing, but can include engagement activities, such as facilitated focus groups, stakeholder meetings etc.

Personal data is often collected or created as part of a consultation exercise. The processing and sharing is necessary for us to perform a task in the public interest or to meet our statutory duties. Your information will be shared with relevant GDC staff members, and may be shared with GDC Council members.

The information you provide, will be used to:

  • Clarify any issues raised by the respondent.
  • Assess the potential impacts of the proposed changes.
  • Analyse the views of respondents. 
Providing personal data as part of a public consultation means you understand it will be used for the purposes set out above. If you do not wish it to be used in this way, you should limit any personal data you provide, or remove it completely. 

An anonymised summary of consultation respondents and the responses received will be included in a consultation outcome report. Consultation outcome reports are published in the  consultations and responses section of our website.

All information contained in consultation responses, including personal data, can be subject to potential disclosure if requested under the Freedom of Information Act 2000. Personal data will not be published if doing so would breach data protection laws.

How we use personal data for employment purposes

We hold personal data about people who apply to work for us, work for us and who previously worked for us. This may include special category personal data (e.g. about health) and criminal conviction data. 

For recruitment purposes, we use an applicant tracking system to collect, store and manage recruitment documentation. This is managed by an independent provider. When candidates apply, their personal data in connection with the application will be stored in the site. This includes information provided by unsuccessful applicants.

All new employees are required to provide various items of personal data. This includes data about health, copies of passports, evidence of the right to work, and an equality and diversity form.

Where employees are unfit to attend work, they are required to advise their line manager, who will then update the absence on our HR system. This information will be made available to our People Services team.

Employees may be referred to the external Occupational Health provider; and, with the consent of the employee, we may receive copies of an individual's occupational health report.

Performance reviews are usually conducted by an employee's line manager. Statements from the employee and their manager about performance are entered and stored on our HR system. Information about performance reviews may also be held by the line manager and/or by People Services.

Information about an individual's disciplinary record will be held by People Services.

People Services may prepare reports on matters such as absence and performance, to present to the management team. Such reports will be anonymised, so they do not contain personal data.

All employees are required to provide regular and considered declarations of any conflicts, or perceived conflicts of interest. To promote transparency, and public confidence in the organisation and the regulatory process, we publish the declarations of the Executive team and our Case Examiners on our website.

We process personal data in connection with employment that is under the basis that it is necessary for the exercise the various statutory functions conferred on us.

Where we process special category personal data or criminal conviction data in connection with employment, we do so on one or more of the following bases:

  • The processing is necessary for the exercise of our statutory functions and is also in the substantial public interest.
  • The processing is necessary to perform or exercise our legal obligations and rights in connection with employment.
  • The processing is necessary for health purposes (including occupational health or the assessment of an employee's working capacity).

Some special category personal data is processed by us in the context of employment, for the purpose of monitoring equality of opportunity or treatment. It is optional to provide this information and is collected and processed only with the consent of the employee.

How we use personal data from GDC associates

We work with associates who provide expert advisory, investigatory or adjudicatory services to support us in carrying out our regulatory functions. 

These associates perform roles such as Fitness to Practice Panel Members or Advisers, Registration Appeal Panel Members, Overseas Registration External Examiners, Education Inspectors, Clinical Advisers, Expert Witnesses, Dental Complaints Service Panellists, Specialist List Appeals Panellists, Council members and members of other statutory and standing committees.

We hold personal data about people who apply to be associates, and about our current or former associates. This may include special category personal data (e.g. health) and criminal conviction data.

We collect, store and manage information related to the recruitment of our associates. This site is managed by an independent provider. When candidates apply to work at the GDC, their personal data in connection with the application is stored. This includes information provided by unsuccessful applicants.

Associates are required to provide personal data, including name, contact details, bank account details, identification, evidence of the right to work, and details of any qualifications, skills, experience and employment history. This data is held on our CRM system. Contact information such as name, addresses and telephone numbers, are also stored in our database.

In addition, we process some special category personal data about associates for the purpose of monitoring equality of opportunity or treatment. Proving this information is optional, and its collected and processed only with your consent.

Information about the quality of an associate's work for us is held by the line manager and may also be shared with people Services.

Associates are required to provide regular and considered declarations of any conflicts, or perceived conflicts of interest. To promote transparency, and public confidence we publish these declarations.

We process personal data about associates as it is necessary to allow us to exercise the various statutory functions we carry out. 

The data is used to verify an associate's identity and work rights, to enable performance of the contract for services between the parties (including communication, payment of fees and reimbursement of expenses, if applicable), and to monitor and provide feedback on work quality.

Where we process special category personal data or criminal conviction data about associates, then we do so on one or more of the following bases:

  • It’s necessary to allow us to exercise our statutory functions and is also in the public interest.
  • It’s necessary for allow us to exercise our legal obligations and rights regarding any contract for services with the associate.
  • It’s necessary for health purposes (including occupational health or the assessment of an associate's working capacity).

Some associates are paid through our payroll system, and we may share their personal data with third parties in connection with payroll processing, taxation and pension contributions if applicable.

How we use personal data when you apply to work with us

When you apply, you will be asked to provide personal data which we need to process to manage and keep records of the recruitment process, assess your suitability for employment and decide who we offer a job to. We may also need to process job applicant data to respond to and defend against legal claims.

We process health information if we need to make reasonable adjustments to the recruitment process to support applicants who have a disability. In some cases, we need to collect and process data to ensure we are complying with our legal obligations, for example checking an applicant's eligibility to work in the UK before employment starts.

If your application is successful, we will process your data to prepare your contract and offer of employment.

You are encouraged to provide equality and diversity information, such as racial origin, disability, religious belief or sexual orientation, which will be anonymised and used for monitoring purposes. Please note that you may choose not to provide this information and it will not affect your application in any way.

Your data will be held in in confidential files held by our People Services team. Your data will be shared with the hiring manager, other selection panel members and senior managers who are involved in the decision making process. Your information will be held on file for a maximum of 12 months.

How we use personal data in connection with Whistleblowing

We welcome hearing from anyone who wants to raise a concern about an individual or organisation as a whistleblower. We have described what we mean by a whistleblower in our definition of a whistleblower page on our website. We have summarised there the types of concerns that count as whistleblowing. 

We will ensure that if you raise a genuine concern, you will not suffer any detriment or adverse treatment as a consequence. Any information you provide will be used in line with our Data Protection policy.

We also welcome matters raised by GDC staff and Associates, and have a Staff Whistleblowing Policy, which staff can access on our intranet. We will ensure staff who raise a whistleblowing concern will not suffer any detriment or adverse treatment as a consequence. 

We process this personal data in order to carry out our regulatory function or to comply with our legal obligations as a ‘prescribed person’ under the Public Interest Disclosure Act 1998 and The Public Interest Disclosure (Prescribed Persons) Order 2014.

We may need to use and share information you give us with other organisations, such as government departments, enforcement agencies and the police, for the purpose of investigating the issues raised. There may also be certain circumstances where we are required, by law, to share your information.

Specific data sharing requests from third parties 

There may be occasions where we process and share data held by the GDC where it is necessary to comply with legal obligations, for example:  

  • in relation to legal proceedings  
  • in response to requests from law enforcement agencies 
  • in response to requests from other regulators.  

We may also share information with law enforcement agencies, other regulators, or other appropriate bodies when it is necessary for either their, or our, statutory or public functions or legitimate interests.   

The data shared in these situations will be limited to what we are satisfied is necessary and lawful for the stated purpose. 

How we use Closed-Circuit Television (CCTV)

CCTV is in operation at our offices. Where we are not the sole occupier of the building (Colmore Square) there is additional CCTV which is controlled by the building owners or management company.

We record CCTV images of people who enter and leave our premises as well as at other locations throughout the buildings. This is for the purposes of security and safety monitoring and the investigation of alleged criminal offences. We may share our CCTV images with law enforcement and courts if this is needed.

We use our premises to perform our regulatory functions. We consider that ensuring the security and safety of our premises is necessary to perform a task carried out in the public interest and/or in our official authority as a regulator.

The GDC’s websites

The GDC operates the following websites:

olr.gdc-uk.org/SearchRegister

standards.gdc-uk.org

Our privacy policies apply to our websites only. If you follow a link to an external website, you will be subject to that organisation’s privacy policies, not the GDC’s.

Cookies

Cookies are small text files that are placed on your computer or phone by websites that you visit.

We use cookies to collect and store information about how you use GDC websites, such as the pages you visit. This information is anonymised. It cannot be used to identify you personally.

Read more about the cookies we use.

Personal information we collect about you

You can use our websites without disclosing any information which identifies you as an individual.

If you enter personal details into a form, the GDC will use your information to provide the service you have requested.

Special category of personal data

Some personal data processed by us is special category data or criminal conviction data.

Read our guidance on disclosing Convictions and Cautions Guidance.

More information about how we comply with data protection law (as set out in the UK GDPR and in DPA 2018) in relation to special category data is set out in the our Data Protection Policy.

Period of retention

We keep anonymised data about how our websites are used for 14 months.

Our Retention schedule sets out the length of time we keep personal data.

Your rights

You have the right to see any personal data that we hold about you.

See our Data Subjects Rights Policy for more information about how we protect your rights in the UK GDPR. This policy also explains how we process requests for correction, or erasure, or objections to processing.

In summary you can:

  • Ask for access to any personal data we hold about you.
  • Ask for personal data we hold about you to be erased.
  • Ask us to restrict the processing of your personal data, so that it can only be used for limited purposes (set out under UK GDPR).
  • Object to the processing of your personal data.
  • Ask for personal data to be provided in a structured, commonly used and machine-readable format, that allows you to send it to another data controller.
  • Withdraw your consent where we process your personal data on the basis of consent. 

Find out more about your rights on the Information Commissioner's office website

The GDC’s Data Protection Officer

Our Data Protection Officer (DPO) assists in monitoring internal compliance, informs and advises on data protection obligations, and acts as a contact point for data subjects and the Information Commissioner.

If you have any questions or concerns about how the GDC is using and sharing your personal data, then you can contact our Data Protection Officer by emailing: [email protected].

The Information Commissioner

The Information Commissioner's role is to improve the information rights practices of organisations by gathering and dealing with concerns raised by members of the public.

Information about their work, including how to submit a complaint, is available on their website: ico.org.uk.
 
They can also be contacted by calling their advice line on 0303 123 1113 or emailing [email protected].