Medicines and Healthcare products Regulatory Agency privacy notice
Updated 11 February 2022
At the Medicines and Healthcare products Regulatory Agency (the Agency) we are committed to protecting and respecting your privacy.
This privacy notice describes how we collect and use your personal data, in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) 2016/279.
This privacy notice applies to anyone (except staff) whose personal data we might process, for example, members of the public, manufacturers, wholesalers, and other authorities.
If you work for the Agency, please refer to our intranet for details of how we process your personal data – ex-members of staff should contact: email@example.com.
1. Who are we?
The Medicines and Healthcare products Regulatory Agency (the Agency) is an executive agency of the Department for Health and Social Care (DHSC). DHSC and its executive agencies are a single legal entity (controller) for data protection purposes.
Further information about DHSC and the Agency and its three centres.
The MHRA regulatory centre complies with the national data opt-out, for more information please see the NHS Data Matters webpage.
Please note: CPRD have separate privacy notices that you can read on their website.
2. Contact our Data Protection Officer
If you have queries about how the Agency protects and uses your personal data, please contact firstname.lastname@example.org in the first instance. You may also contact the DHSC Data Protection Officer at email@example.com.
Alternatively, you can contact us in writing:
Data Protection Officer
10 South Colonnade
Data Protection Officer
1st Floor North
39 Victoria Street
3. Our commitment to you
Whenever we process personal data we will ensure that we comply with the data protection principles, so that your personal data is:
- processed fairly, lawfully and transparently
- processed for the legitimate purposes we tell you about
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept no longer than necessary for the purpose
- processed securely – we will put in place appropriate technical and organisational measures to safeguard your data
We will also:
- seek your consent before making your personal data available for commercial use
- make sure we have appropriate consent before offering information services to a child under 13 years of age
- let you know beforehand if we want to use your data for a different purpose
4. Who do we collect personal data from?
We process personal data about:
- members of the public
- employees and formers employees
- customers and clients
- advisers, consultants and other professional experts
- suppliers and service providers
- complainants and enquirers
- holders of public office
- applicants to committees
- members of advisory groups and committees
- legal representatives
- academics and researchers
- health and care professionals
- manufacturers and wholesalers of medicines and devices
- pharmaceutical and scientific organisations
- applicants for permits, licenses, certificate and permit holders
5. Why do we process your personal data?
We need your personal data to fulfil our regulatory functions to ensure that medicines, biological medicines and medical devices are safe, effective and of a high quality; answer your queries and continue to monitor and improve our services.
We collect your personal data when you use the Agency’s website or contact us through other channels.
We may use your data to:
- conduct our regulatory and scientific functions
- process general enquiries and requests for information (e.g. FOI)
- respond to complaints
- promote our policies, procedures, and services to the public
- conduct online surveys and gain feedback to improve our services
- fulfil our contractual obligations
6. What types of personal data do we process?
Personal data refers to any information relating to an identified living individual; or someone who could be identified by the combination of data we hold about them.
We collect, store, and use the following categories of personal data:
- personal contact details, such as your name, title, job title, address(es), telephone numbers, and email address
- dates of birth
- sex or gender
- passport details; number, address, name
- General Practitioner contact details
- CVs and cover letters
- educational/professional qualifications
- bank details
- IP address and location
We also process more sensitive types of personal data (also known as ‘special category data’):
- racial or ethnic origin
- political opinions, religious or philosophical beliefs
- genetic data or biometric data
- trade union membership
- health information
- sexual orientation or sex life
- criminal convictions and offences
7. Lawful basis for processing your personal data
We primarily process personal data where it is necessary for the effective performance of a task carried out in the public interest. There are six legal bases for processing that might apply, depending on the context. These are:
- legal obligation
- to protect someone’s life
- public task
- legitimate interests
These provisions are set out in Article 6 of the UK GDPR.
In limited circumstances we may rely on your consent to process your data. Where this is the case, you have the right to withdraw your consent, by contacting the Agency’s Data Protection Officer (see below).
8. Your rights
Data protection law gives you certain rights when we process your personal data. Some of these are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and the context. The rights are to:
- be told that we are processing your data and why
- receive a copy of your data (subject access)
- ask for your data to be corrected
- ask us to erase your data
- restrict processing
- data portability
- object to the processing
- be told if we use automated decision making or profiling
If you would like to find out more about your rights, please contact our Data Protection Officer at firstname.lastname@example.org.
9. Subject access request
The UK GDPR gives you the right to obtain a copy of your personal data, as well as other supplementary information. This is known as a subject access request (SAR).
To find out if we hold your personal data, or to access it please email: email@example.com.
We will need evidence of your identity before searching our records; and will respond within one month of receiving this. If we need extra time, we will inform you within the month.
10. Disclosing your data (3rd parties)
We sometimes need to share the personal data we control (and our data processors may also share information) with other organisations. Where this is necessary we are required to comply with all aspects of data protection legislation. What follows is a description of the types of organisations we may need to share personal data we process for one or more reasons. Where necessary, required and within the law, we may share data with:
- other Government departments
- credit reference agencies
- suppliers and service providers
- debt collection and tracing agencies/ organisations
- financial organisations
- devolved Government departments
- health and care organisations
- trade, employer associations and professional bodies
- other statutory law enforcement agencies and investigative bodies
- health, social and welfare advisers or practitioners
- survey and research organisations
- police forces and other law enforcement organisations
- the Government Internal Audit Agency and other auditors as required
- the Civil Service Commission
- the Advisory Committee on Business Appointments
- the Office of the Commissioner for Public Appointments
- other regulators such as the Information Commissioner’s Office
- Her Majesty’s Revenue & Customs (HMRC)
- Trading Standards
- Serious Adverse Blood Reactions and Events (SABRE)
- Serious Hazards of Transfusion (SHOT)
- AGE (pre-employment)
- European Medicines Agency (EMA)
- NHS Improvement and Care Quality Commission
- Device Registrations (Device Online Registration System)
- device manufacturers
- pharmaceutical and scientific companies and organisations
We use third-party processors who provide services for us. We have contracts in place with our processors. This means that they cannot do anything with your personal data unless we have instructed them to do so. They will not share your personal data with any organisation apart from us.
They will hold it securely and retain it for the period we instruct. Where our processors are based outside the UK, we have arrangements in place that comply with the requirements of Chapter V of the UK GDPR.
11. Retention of your data
We keep your personal data for no longer than necessary to fulfil our purpose in processing it.
12. Changes to the terms of this privacy notice
We will update this privacy notice when applicable. If any change would result in us processing your personal data for a new purpose, we would inform you before we start using it for a new purpose.
13. Other websites
View the Department of Health and Social Care’s (DHSC) privacy notice
14. The Information Commissioner’s Office
For independent advice about data protection, privacy and data sharing issues you can contact the independent Information Commissioner’s Office at:
Tel: 0303 123 1113