Breach of DPA
Under the FOIA 2000 I request the following information:
1. Since 2015, how many times have complaints been made to the General Medical Council [GMC] concerning a breach of the Data Protection Act?
2. How many times (in total) has the GMC been found by the Information Commissioner to have been in breach of the DPA?
3. How many times has the Information Commissioner found the GMC to have been in breach of the DPA and decided to take no further action?
4. How many times has the Information Commissioner found that the GMC has been in breach of the DPA and taken action of any kind, including written warnings?
Thank you
Sasha Rodoy
Thank you for getting in touch. Please note this is an automated email.
Your receipt of this means that we have safely received your email.
We are currently receiving a high volume of requests and there will be a
delay in getting back to you with a further acknowledgement. We will do so
as soon as we can.
In the meantime, if you want any further information about the GMC, please
visit our website: [1]Home - GMC (gmc-uk.org)
Thank you
Information Access team
General Medical Council
Email: [2][GMC request email]
General Medical Council
We work with doctors, patients, and other stakeholders to support good,
safe patient care across the UK. We set the standards doctors and those
who train them need to meet, and help them achieve them. If there are
concerns these standards may not be met or that public confidence in
doctors may be at risk, we can investigate, and take action if needed.
This email may contain privileged or confidential information which should
only be used for the purpose for which it has been sent.
If you are not the addressee or have received this email in error, please
do not read, print, re-transmit, store or act in reliance on it or any
attachments. Please email the sender and then immediately delete it.
The General Medical Council is a charity registered in England and Wales
(1089278) and in Scotland (SC037750)
_________________________________________________________________
Cyngor Meddygol Cyffredinol
Rydym yn gweithio gyda meddygon, cleifion a rhanddeiliaid eraill i
gynorthwyo gofal da a diogel i gleifion ar draws y DU. Rydym yn gosod y
safonau y bydd angen i feddygon a’r rhai sy’n eu hyfforddi eu bodloni, ac
yn eu helpu i’w cyflawni. Os bydd pryderon efallai na fydd y safonau hyn
yn cael eu cyflawni neu y gallai hyder y cyhoedd mewn meddygon fod mewn
perygl, gallwn ymchwilio, a gweithredu os oes angen.
Efallai bod y neges e-bost hon yn cynnwys gwybodaeth freiniol neu
gyfrinachol, y dylid ei defnyddio at y diben y’i hanfonwyd yn unig.
Os nad chi yw’r derbynnydd neu os ydych chi wedi cael yr e-bost hwn mewn
camgymeriad, peidiwch â’i ddarllen, argraffu, ail-anfon, storio na
gweithredu mewn ffordd sy’n dibynnu arni neu unrhyw atodiadau os gwelwch
yn dda. Dylech anfon e-bost at yr anfonwr ac yna, ei ddileu ar unwaith.
Mae’r Cyngor Meddygol Cyffredinol yn elusen gofrestredig yng Nghymru a
Lloegr (1089278) ac yn Yr Alban (SC037750)
References
Visible links
1. https://www.gmc-uk.org/
2. mailto:[GMC request email]
Dear Ms Rodoy,
Your information request - IR1-4077287299
Thank you for your email dated 12 September.
How we will consider your request
We’re going to consider your request under the Freedom of Information Act 2000 (FOIA). The FOIA gives us 20 working days to respond, but we’ll come back to you as soon as we can.
Yours sincerely
Information Access Team
General Medical Council
3 Hardman Street
Manchester
M3 3AW
Dear Sasha Rodoy
Your information access request IR1-4077287299
Thank you for your email dated 12 September asking for information
relating to complaints made to the GMC about breaches of the Data
Protection Act. I’ve considered your request under the Freedom of
Information Act 2000 (FOIA). I’m sorry for the delay in providing this
response and any inconvenience caused.
I can’t provide the information you requested. This is because of the
amount of data you’ve asked for and the work that would be involved. Under
the FOIA there’s an exemption for requests where it would cost the public
authority more than £450 (the ‘appropriate limit’) to process - equivalent
to two and half days’ work. I’ve given the details of this exemption
below.
To estimate the cost we can take into account determining, locating,
retrieving and extracting the information requested. Complaints concerning
breaches of the Data Protection Act can come through various channels to
different teams in the GMC. They could form part of a corporate complaint,
be raised with various teams in response to a data breach, relate to the
processing of subject access requests and other data rights requests under
the DPA, or arise in the course of other correspondence. Therefore the
information is not centrally recorded or easily retrievable. The work
involved in determining where the information would be held and then
retrieving it would take us over the cost limit.
Advice and assistance
Given the information you’ve asked for is not stored centrally we’re
unable to answer it within the cost limit. We may be able to answer a
request for a narrower category of information.
The exemption
Under the FOIA, the specific exemption which we believe applies is at
Section 12. This states that we are not required to comply with a request
if we estimate that the cost of doing so would exceed the appropriate
limit.
I'm sorry I couldn’t provide the information you requested. If you would
like to appeal this decision please set out your reasons in writing
to [1][GMC request email]. Please note that we will only usually consider
appeals received within 40 working days of our response. You can also
appeal to the [2]Information Commissioner, the regulator of the FOIA and
DPA.
Yours sincerely
Edd Mustill
Information Access Officer
Information Access Team
General Medical Council
[3]www.gmc-uk.org
E: [4][email address]
T: 0161 923 7128
I would appreciate your guidance on how I could best reframe my request in order to obtain as much of the information as possible, while bringing it below the cost limit.
As you may be aware, Section 16 of the FOI Code of Practice (https://www.gov.uk/government/publicatio...) advises that bodies should 'provide advice and assistance, so far as it would be reasonable to expect the authority to do so' and ICO guidance (https://ico.org.uk/media/for-organisatio...) interprets this as a suggestion that the authority should provide suggestions of this nature.
Thank you
Sasha Rodoy
Thank you for getting in touch. Please note this is an automated email.
Your receipt of this means that we have safely received your email.
We are currently receiving a high volume of requests and there will be a
delay in getting back to you with a further acknowledgement. We will do so
as soon as we can.
In the meantime, if you want any further information about the GMC, please
visit our website: [1]Home - GMC (gmc-uk.org)
Thank you
Information Access team
General Medical Council
Email: [2][GMC request email]
General Medical Council
We work with doctors, patients, and other stakeholders to support good,
safe patient care across the UK. We set the standards doctors and those
who train them need to meet, and help them achieve them. If there are
concerns these standards may not be met or that public confidence in
doctors may be at risk, we can investigate, and take action if needed.
This email may contain privileged or confidential information which should
only be used for the purpose for which it has been sent.
If you are not the addressee or have received this email in error, please
do not read, print, re-transmit, store or act in reliance on it or any
attachments. Please email the sender and then immediately delete it.
The General Medical Council is a charity registered in England and Wales
(1089278) and in Scotland (SC037750)
_________________________________________________________________
Cyngor Meddygol Cyffredinol
Rydym yn gweithio gyda meddygon, cleifion a rhanddeiliaid eraill i
gynorthwyo gofal da a diogel i gleifion ar draws y DU. Rydym yn gosod y
safonau y bydd angen i feddygon a’r rhai sy’n eu hyfforddi eu bodloni, ac
yn eu helpu i’w cyflawni. Os bydd pryderon efallai na fydd y safonau hyn
yn cael eu cyflawni neu y gallai hyder y cyhoedd mewn meddygon fod mewn
perygl, gallwn ymchwilio, a gweithredu os oes angen.
Efallai bod y neges e-bost hon yn cynnwys gwybodaeth freiniol neu
gyfrinachol, y dylid ei defnyddio at y diben y’i hanfonwyd yn unig.
Os nad chi yw’r derbynnydd neu os ydych chi wedi cael yr e-bost hwn mewn
camgymeriad, peidiwch â’i ddarllen, argraffu, ail-anfon, storio na
gweithredu mewn ffordd sy’n dibynnu arni neu unrhyw atodiadau os gwelwch
yn dda. Dylech anfon e-bost at yr anfonwr ac yna, ei ddileu ar unwaith.
Mae’r Cyngor Meddygol Cyffredinol yn elusen gofrestredig yng Nghymru a
Lloegr (1089278) ac yn Yr Alban (SC037750)
References
Visible links
1. https://www.gmc-uk.org/
2. mailto:[GMC request email]
Dear Sasha Rodoy,
Thank you for your email dated 12 October.
We will be considering your email as a Freedom of Information Act 2000
(FOIA) appeal. We have a target response time of 20 working days. We will
endeavour to respond to you within this timeframe.
Yours sincerely
Lauren Barrowcliffe
Information Access Team Assistant
[1][email address]
General Medical Council
3 Hardman Street
Manchester
M3 3AW
J Roberts left an annotation ()
This is no direct answer to your second request, but the figure is likely to be tiny.
Figures provided by Sir John Whittingdale in answer to a parliamentary question from Justin Madders:
Information Commissioner’s Office: Complaints
UIN 188734, tabled on 9 June 2023
'To ask the Secretary of State for Science, Innovation and Technology, how many and what proportion of complaints made to the Information Commissioner’s Office met the threshold for action in each year since 2019.'
https://questions-statements.parliament....
The proportion of Data Protection Complaints - 'Investigation Pursued' - increased from 0.02% in 2022 to 0.04% in 2023.
Dear Ms Rodoy
I write further to previous correspondance. We have considered your email
dated 12 October 2023 as an appeal against our initial decision.
Your request:
On 12 September 2023 you asked:
1. Since 2015, how many times have complaints been made to the General
Medical Council [GMC] concerning a breach of the Data Protection Act?
2. How many times (in total) has the GMC been found by the Information
Commissioner to have been in breach of the DPA?
3. How many times has the Information Commissioner found the GMC to have
been in breach of the DPA and decided to take no further action?
4. How many times has the Information Commissioner found that the GMC has
been in breach of the DPA and taken action of any kind, including written
warnings?
On 10 October 2023 my colleague Mr Mustill responded saying that we could
not provide the information within the scope of your request because the
information was not centrally recorded or easily retrievable. He suggested
we may be able to respond to a narrower request, which I accept was not
particularly illuminating.
In order to be as helpful as possible, rather than make a suggestion as to
what we could do within the costs limit, then have you request the
information and us provide it within 20 working days, I will just set out
below the information we are able to provide.
We have a section of our database which records corporate complaints and
there are many categories we can record them against. Two of them are ‘DPA
Request’ and ‘DPA Review.’ The earliest of these was received in January
2019. The complaints might not be about a breach of data protection
legislation per se. They could be about any element of how we handled
issues connected to it, e.g. if a requester thought the response was rude
or discriminatory. Many will be about delays in responding.
The number of complaints under each of these headings is below.
┌─────────────────┬────────────────┐
│Complaint Heading│Complaint number│
│ │ │
│ │ │
├─────────────────┼────────────────┤
│DPA Request │52 │
│ │ │
│ │ │
├─────────────────┼────────────────┤
│DPA Review │7 │
│ │ │
│ │ │
└─────────────────┴────────────────┘
If any of these involved the ICO they would very likely be captured within
data set out below.
The work of the Information Access Team is recorded on the same database
referenced above. Initial DPA requests are logged, as are internal appeals
to DPA decisions we make. There is also a section for recording when the
ICO informs us that a requester has made a complaint to them. The earliest
of these on the database was received on 26 November 2019.
We have 23 closed complaints to the ICO recorded regarding Data Protection
requests. We also record outcomes of these complaints in a structural way.
Of these 23, 16 were about a delay in our response and were likely
recorded as a breach of data protection legislation by the ICO but no
further action of any kind followed as a result. In one further instance
the ICO held that the GMC breached data protection legislation. No action
was taken in respect of this matter.
---
Kind Regards
Matt
Matthew McCoig-Lees
Senior Information Access Officer
Information Access Team
General Medical Council
3 Hardman Street
Manchester
M3 3AW
Email: [1][email address]
Website: [2]www.gmc-uk.org
Tel: 0161 923 6579
I sometimes work flexibly and therefore this email may reach you outside
of core working hours. I don’t expect you to respond outside of your own
working hours.
From: FOI
Sent: 17 October 2023 13:26
To: [FOI #1024795 email]
Subject: RE: Freedom of Information request - Breach of DPA
Dear Sasha Rodoy,
Thank you for your email dated 12 October.
We will be considering your email as a Freedom of Information Act 2000
(FOIA) appeal. We have a target response time of 20 working days. We will
endeavour to respond to you within this timeframe.
Yours sincerely
Lauren Barrowcliffe
Information Access Team Assistant
[3][email address]
General Medical Council
3 Hardman Street
Manchester
M3 3AW
We work to defend the right to FOI for everyone
Help us protect your right to hold public authorities to account. Donate and support our work.
Donate Now
S. Ali left an annotation ()
The GMC manipulates breaches of the Data Protection Act to say they are spotless. It is a public service you are exploring this, especially given the number of failed and unsuccessful requests with jobsworth excuses rather than integrity.
Although an option is to complain of 'breaches of dpa' to the ICO then the GRC for redress. An Alternative is to complain to the Police for a criminal investigation, as I did to Greater Manchester Police with Dr Sarah Marwick https://www.mpts-uk.org/hearings-and-dec... whom stole from an NHS third-party (different company) without my permission/consent, and continues to store and process; my occupational health medical records and over a hundred pages of secondary over-disclosures from an enquiry to that third party; so she can make a favourable complaint to her GMC employers (and judge your own complaint) obviously with FTP immunity.