Jobs Contact us Shop online Talkabout Community eCards
Support Lines 0800 090 2309 Donate

The Right of Access at Marie Curie

The General Data Protection Regulation (GDPR) allows you to make a request to Marie Curie (MC) for copies of all personal information we hold about you. This is known as the Right of Access, or a Data Subject Access Request (DSAR).

This guide tells you what your rights are as an individual when requesting a copy of all the information that MC holds under GDPR Article 15, why we need to verify your identity, what we will do with it and what you can expect from us. It also tells you how to get a copy of any personal information we may hold about you.

This guide can also help you or your representative to get access to the medical records we hold for you as a patient or service user under the Access to Health Records Act 1990.

Why would MC hold my personal information?

The most common reasons that we will hold your information is if you have:

  • Applied for a job, or are/were an employee of MC; this includes temporary and contract positions
  • If you are/were a supporter or have made a donation to MC
  • If you volunteer, fundraise, or take part in events for MC
  • If you are a patient, or service user
  • If you are the patient’s representative or family directly involved in their care
    If you have been given a grant for medical research by MC
  • If you campaign or take actions for MC
  • You have agreed for your pictures, quotes or stories being used for MC publications
  • You have agreed to receive information about our research and research publications
  • You have asked for information from our Information and Support Line.

This is not a limited set of circumstances and we will search all our systems and records to check for information for all data subject access requests.

Who is the data controller?

MC is the data controller of information held by MC for the purposes of GDPR. A data controller determines the purposes for which, and the manner in which, any personal data is to be processed (either alone or jointly or in common with others). We have the responsibility for the safety and security of all the data we hold in our systems.

Who are the data processors?

Any supplier that works on behalf of MC is one of our data processors. A data processor is any organisation that processes data on behalf of MC. We make sure that our data processors comply with all relevant requirements under data protection legislation. This is defined in the contractual arrangements.

Contacting the Data Protection Officer

The Data Protection Officer can be contacted via telephone on 020 7091 6631, via email at DPO@MarieCurie.org.uk, or in writing to:

The Data Protection Officer
Marie Curie
One Embassy Gardens
8 Viaduct Gardens
London
SW11 7BW

What can you expect from us?

We aim to provide you with a copy of the information we hold about you within one calendar month of receiving a valid request.

In rare circumstances where we cannot meet that deadline, we will contact you within that calendar month to tell you the reasons why and give you a realistic date of when we will provide the information. This should be no longer than 3 months from the original date of a valid application.

We will send you a copy of all the information we hold on you, and only you. Any information about identifiable other people mentioned in the same documents will be removed or blacked-out unless we have consent from the other person to provide it.

We reserve the right to charge an administrative fee in certain circumstances. We will let you know if and why this applies within one calendar month of receiving your application.

Where possible, we will provide your information to you in the format you prefer:

  • In paper format, and posted to you, or
  • sent by secure electronic means.

Please let us know which format you would like as part of your request.

We will require a valid form of ID in order to process your request, if the request contains sensitive and/or confidential information; or if we are unsure as to the identity of the person making the request.

What can you do if you think the information MC holds is inaccurate?

If you are dissatisfied with the way your data subject access request has been processed or if you believe that data contained in your subject access information is incorrect or incomplete; please raise a concern with the Data Protection Officer using the contact details above.

Where your data was provided to MC by another party (for example, via a referral by an NHS patient record) this request will be forwarded to the relevant originating party for correction.

Who will we share your personal information with?

We will only share your personal information to someone else other than you in response to a request for access under the following circumstances:

  • To provide you with the best care possible by sharing it with other primary healthcare organisations who are involved in your care; such as your GP or hospital consultant.
  • if you give your written consent for us to provide it to someone else (for example a lawyer working on your behalf, or a member of your family); or if a member of your family has legal authority to manage your affairs.
  • Under the Access to Health Records Act 1990 after you have died. The Duty of Confidentiality still applies under these circumstances, and we can only supply information in limited scenarios to specific individuals. For more information see the NHS Access to Medical Records page.
  • If the request is for evidence for the purposes of the prevention or detection of crime, the apprehension or prosecution of offenders; the assessment or collection of tax or duty. We will only do this via a formal request from a court, law enforcement or government agency, and only provide the minimum information required for their stated purpose.

Where is my subject access information stored?

In the main, your information is kept electronically on computer files, which have restricted access; this includes for CCTV. Where your information is held in paper format we have secure storage and processes for this. All our IT systems are subject to formal accreditation in line with NHS Digital and Government Cyber Security regulations. They also align with the security required within GDPR/Data Protection Act 2018 and NHS Code of Practice for Confidentiality  to protect against disclosure and unauthorised and/or unlawful processing.

How long will MC retain my subject access information?

We operate a Data Retention and Destruction Standard to ensure that information is not held for longer than necessary.

Our staff and systems

All our staff, volunteers, suppliers and contractors:

  • are subject to strict checks and references; including criminal records checks if necessary before taking up their role.
  • are data protection trained and are aware of their data protection responsibilities. This training is compulsory and completed every year.

We conduct regular compliance checks on all MC departments and systems and continual security checks on our IT systems are undertaken.

You have the right to make a complaint to the MC and the ICO

If you wish to make a complaint to MC about the way in which we have processed your personal information you can make a complaint to the Data Protection Officer via the contact details above. If you remain dissatisfied with the response received, you have the right to lodge a complaint to the ICO at the following address:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

https://ico.org.uk/

Notification of changes

If we decide to change this policy we will add a new version to our website, so please check back from time to time for updates.