GCC Data Protection Policy and Privacy Notice

Introduction

This policy:

  • is for people whose personal data we hold and use;
  • applies to all personal data held by us or by third parties on our behalf;
  • has been produced with clarity in mind.

We (the GCC) are a ‘Data Controller’ under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This means that if we collect and use your personal data we must comply with the requirements set out in the GDPR and DPA.

This policy also serves as a privacy notice under the GDPR.

Contents

1.    Our commitment to data protection

2.    Why we use personal data

3.    How we use personal data

  • If you are applying for registration or are a registrant:
  • If you raise a concern with us about a registrant:
  • If you are applying for a post or are a current or former employee or GCC ‘partner’:
  • If you are a member of the public:
  • If you use the GCC website or subscribe to our newsletter:

4.    Sharing your personal data

5.    Data protection principles

6.    Your Information Rights

7.    Contact us

8.    Complaints

9.    Definitions


1.    Our commitment to data protection

  • We recognise that your privacy is important and that we have a responsibility to you when handling your personal data.
  • We only use your personal data to perform our role as a statutory regulator of chiropractors.
  • We take appropriate steps and put adequate technical measures in place to protect your personal data against misuse.
  • We will never provide your personal data to third parties for their marketing purposes.
  • If we plan to make substantial changes to the way we use personal data or the personal data we collect, we will undertake a Data Protection Impact Assessment in accordance with the ICO’s guidance.
  • We will ensure your personal data is used according to the principles set out in the GDPR and the DPA unless an exemption applies.

2.    Why we use personal data and the legal basis for the processing

We are a statutory regulator and our role is to protect the public. To do this, we keep a register of chiropractors who meet our standards as set out in The Code: Standards of conduct, performance and ethics for chiropractors.

Our primary personal data processing purpose under the GDPR is ‘in the exercise of official authority’ or as part of our ‘public task’.

The law that sets out our functions and powers is the Chiropractors Act 1994, which can be read here:

http://www.gcc-uk.org/publications/legislation/governance.aspx

We also use personal data to:

  • comply with legal obligations, for example sharing information with the tax authorities;
  • fulfil our contractual obligations, for example using personal data to pay our employees;
  • communicate with people who have asked us to provide them with information about regulation and our regulatory activities.

3.   How we use your personal data

How we use your data will depend on your relationship with us.

If you are applying for registration or are a registrant:

  • processing and managing your application, including verifying the information you have provided.  In doing so, we may share it with third parties (such as referees, education providers, other regulators or employers);
  • managing your registration, including maintaining the accuracy of the GCC register and the information we hold about you;
  • sending you registration renewal reminders and communicating with you for any other reason related to your registration;
  • responding to public enquiries about your registration status;
  • managing and developing our relationship with you, including inviting you to events that we are holding, sending you guidance and other information about professional practice and sending you our compulsory monthly newsletter;
  • investigating complaints made about or by you and publishing the outcome of any investigation or hearing.

If you raise a concern with us about a registrant:

  • processing and managing your complaint, including sharing your complaint with relevant third parties during the course of any investigation;
  • normally, if an investigation progresses, we will have to disclose your identity to the registrant you have raised a concern about.  We will try to respect any request by you not to be identified, but it may not be possible for us to pursue your complaint on an anonymous basis;
  • keeping your personal information on file as part of the record of your concern.

If you are applying for a post or are a current or former employee or GCC ‘partner’:

  • processing and managing your application, including verifying the information you have provided.  In doing so, we may share it with third parties (such as referees, education providers, other regulators or employers);
  • sharing with third parties who provide payroll services or pension administration services for us;
  • creating and maintaining your personnel or partner file;
  • managing and developing our relationship with you;
  • investigating concerns raised about or by you in your capacity as an employee or partner;
  • fulfilling legal or regulatory requirements if necessary.

If you are a member of the public:

  • maintaining contact with you, managing and developing our relationship with you;
  • responding to your enquiries and providing you with relevant information or services;
  • investigating concerns raised by you about any of our services, employees or partners;
  • obtaining further information in respect of any enquiry or complaint made by you.

If you use the GCC website or subscribe to our newsletter:

  • We will not contact you unless you specifically agree to be contacted for specified purposes at the time you submit your information on the site, or at a later time if you sign up specifically to receive such information.
  • Where you have opted-in to future communications, we will, on each subsequent communication, offer you an easily executable 'opt-out' option, which will allow you to remove yourself from any future mailings.

More information about how we use your information, and how long we keep information for

Further information about the personal data we use and how we use it can be found in:

We do not ordinarily transfer personal data overseas.

4.    Sharing your personal data

We will never provide your personal data to third parties for their marketing purposes.

It may be necessary for us to share information with others as part of the discharge of our functions – for instance, if you make a complaint about a chiropractor, we will need to provide that complaint to the chiropractor as part of our investigations. Information may also be shared with our lawyers and professional advisors, who are subject to obligations of confidentiality.

If you are involved in regulatory proceedings, we may publish details of those proceedings in accordance with our Disclosure and Publication Policy.

Public protection

We may share information with other agencies and regulators in order to protect the public.

We have signed a number of data sharing agreements and memorandums of understanding (MoUs) with other public bodies. An MoU is an agreement by two or more organisations committing them to work together to support common goals.

All of our MoUs aim to protect the public through effective intelligence sharing. This can include sharing your personal data if this is necessary to achieve this aim.

We will release your personal data when we are required to do so by law.

Data processors

We have contracts with suppliers (data processors) to carry out certain activities or services on our behalf.  These include providers of legal support, translation, research and monitoring services, printers, transcribing services and bulk mail delivery.

Sometimes in order to perform these services our suppliers require access to some of the personal data the GCC holds.

If we provide a supplier with your personal data, we will ensure an appropriate contract is in place that specifies how the supplier must handle your personal data and restricts any further use of the data which we have not permitted.

We will ensure the supplier has adequate technical and organisational measures in place to protect your data and we will specify how your personal data should be returned or disposed of when the service ends.

5. Data protection principles

The GDPR requires us to ensure that any personal data we hold is:

  • processed lawfully, fairly and in a transparent manner in relation to individuals;
  • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • accurate and, where necessary, kept up to date, having regard to the purposes for which they are processed, and erased or rectified without delay;
  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • processed in an appropriately secure manner which protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

6. Your information rights

The GDPR provides you with the following general information rights:

  • the right to be informed;
  • the right of access;
  • the right to rectification;
  • the right to erasure;
  • the right to restrict processing;
  • the right to data portability;
  • the right to object;
  • rights in relation to automated decision making and profiling.

Some of these rights do not apply or may be limited where we use your data to help us undertake a task in the exercise of our official authority or in the public interest. We explain below our general position in relation to these rights.

If you seek to exercise the rights below, we may need to ask you to confirm your identity in order to protect your data from unauthorised disclosure.

Your right to be informed

  • We will be transparent about our use of your personal data.
  • We will inform you of the reasons why we use your data and our legal basis for using your data.
  • We will provide you with specific information when we collect your data if you apply for registration or raise a concern about a GCC registrant.

Your right of access

  • You can request to receive a copy of the personal information we hold about you. This is called a subject access request and is free of charge.
  • You can make a subject access request by writing to the Data Protection Officer using the details given at the end of this policy.
  • If your request is manifestly unfounded or excessive, in particular because it is repetitive, we can refuse to respond. We will always advise you if we take this decision.

Your right to rectification

  • You can request that we correct your personal data if you believe the data we hold is inaccurate.
  • Your request can be made orally or in writing, but if made orally we confirm in writing what you have asked us to do.
  • If you are a registrant you are able to update your personal contact details through the relevant online portal at any time.

Your right to erasure

  • This right is also known as ‘the right to be forgotten’.

The right to erasure does not apply if your data is used to help us undertake a task carried out in the exercise of our official authority or in the public interest. We are therefore not ordinarily required to comply with erasure requests.

Your right to restrict processing

  • If you raise a concern about our processing of your data, you can restrict the way that we use your data while we consider your concern.
  • You will need to explain your reason for wanting the restriction. This may be because you believe it is inaccurate and have requested that we rectify this.
  • If our processing of your data is restricted, we can still store your data, but we cannot use it.
  • Restrictions on our processing will normally only be temporary, while we consider your request for rectification or your concern about our processing.

Your right to data portability

  • This right allows consumers to easily switch between service providers by obtaining their personal data in an easily re-useable format.

This right only applies when data processing is carried out by automated means. As we do not process your personal data in this way, this right does not apply to the data we hold.

Your right to object

  • If you do not want us to process your data any more, you can request that we stop.
  • You will need to explain to us your reason for wanting the processing to stop.
  • We are required by law to undertake certain tasks in the public interest. If processing your data is needed to perform these tasks it is likely that we will be unable to agree to stop processing your data.
  • We may also refuse to stop processing your data if we can demonstrate that our reasons for processing your data are more compelling than your reasons for wanting us to stop.

If we do refuse to stop, we will explain our reasons to you.

Your rights in relation to automated decision making and profiling

  • You have a right to stop your personal data being used to make decisions about you without human involvement.

We do not use your data to carry out any profiling or automated decision-making.

Our response

If you choose to exercise any of your rights, we will endeavour to respond substantively to your request promptly and within one calendar month.

If your request is particularly complex or large, we may extend this timeframe by up to a further two months. We will inform you as soon as possible if we need to extend our response time.

7.  Contact us

You can contact our designated Data Protection Officer regarding this policy or your information rights using the contact details below:

Data Protection Officer

GCC

44 Wicklow Street

London

WC1X 9HL

Tel: 020 7713 5155

Email: [email protected]

8.  Complaints

You can contact the Information Commissioner’s Office (ICO) to discuss any concerns you have about our processing of your personal data.

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Tel: 0303 123 1113

Website: www.ico.org.uk

Email: [email protected]

We keep our privacy notice under regular review. This privacy notice was last updated on 25 May 2018.


Explanation of key terms

Data Controller

A data controller determines the purposes and means of processing personal data. The GCC is a data controller.

Data Processor

A data processor is responsible for processing personal data on behalf of a data controller. A data processor must act on the clear instructions of the data controller and must not use the data for any other purpose.

Data Protection Act 2018 (DPA)

The DPA supplements the GDPR in the UK and sets out UK-specific requirements not covered by the GDPR.

Data Protection Officer

A Data Protection Officer is the lead person for data protection within an organisation. They have specialist knowledge and act as a source of advice on data protection issues.

Data Subject

An individual who is the subject of personal data. If the data is yours, you are the data subject.

General Data Protection Regulation (GDPR)

The GDPR is the European Union (EU) legal framework for the collection and processing of personal data (personal information about individuals).

Information Commissioner’s Office (ICO)

The ICO is the UK regulator of data protection rights. You can contact them if you have concerns about how your personal data is being used or how your rights have been respected. They also regulate access to public information (Freedom of Information).

Personal Data

Any information relating to an individual who can be directly or indirectly identified from that data or from that data when combined with other data.

Processing

Almost anything done to personal data is regarded as processing. This includes recording, organising, storing, transmitting, sharing, amending or destroying data.

Special Category Personal Data

Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.

 

GCC Data Protection Policy and Privacy Notice (pdf)

Cookies (pdf)

FOI policy (pdf)

Subject Access Requests (pdf)