© Crown copyright 2019
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: firstname.lastname@example.org.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/mhra-privacy-notice/mhra-privacy-notice
At the Medicines and Healthcare products Regulatory Agency (the Agency) we are committed to protecting and respecting your privacy.
This Privacy Notice applies to anyone (except staff) whose personal data we might process, for example, members of the public, manufacturers, wholesalers, and other authorities.
If you work for the Agency, please refer to our intranet for details of how we process your personal data – ex-members of staff should contact: email@example.com.
1. Who are we?
The Medicines and Healthcare products Regulatory Agency (the Agency) is an executive agency of the Department for Health and Social Care (DHSC). As such, the Agency acts as the data controller for the personal data it processes for its own purposes.
The MHRA regulatory centre complies with the national data opt-out. For more information, please see the NHS Data Matters webpage.
Please note: CPRD has a separate Privacy Notice that you can read on their website.
2. Contact our Data Protection Officer
If you have queries about how the Agency protects and uses your personal data, please contact firstname.lastname@example.org in the first instance. You may also contact the DHSC Data Protection Officer at email@example.com.
Alternatively, you can contact us in writing:
Data Protection Officer
10 South Colonnade
Data Protection Officer
1st Floor North
39 Victoria Street
3. Our commitment to you
Whenever we process personal data we will ensure that we comply with the data protection principles, so that your personal data is:
- processed fairly, lawfully and transparently
- processed for the legitimate purposes we tell you about
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept no longer than necessary for the purpose
- processed securely – we will put in place appropriate technical and organisational measures to safeguard your information
We will also:
- seek your consent before making your personal information available for commercial use
- make sure we have appropriate consent before offering information services to a child under 13 years of age
- let you know beforehand if we want to use your data for a different purpose
4. Who do we collect personal data from?
We process personal information about:
- members of the public
- employees and former employees
- customers and clients
- advisers, consultants and other professional experts
- suppliers and service providers
- complainants and enquirers
- holders of public office
- applicants to committees
- members of advisory groups and committees
- legal representatives
- academics and researchers
- health and care professionals
- manufacturers and wholesalers of medicines and devices
- pharmaceutical and scientific organisations
- applicants for permits and licences, and certificate and permit holders
5. Why do we process your personal data?
We need your personal data to fulfil our regulatory functions, which ensure that medicines, biological medicines and medical devices are safe, effective and of a high quality; to answer your queries; and to continue to monitor and improve our services.
We collect your personal data when you use the Agency’s website or contact us through other channels.
We may use your information to:
- conduct our regulatory and scientific functions
- process general enquiries, Freedom of Information (FOI) requests and similar
- respond to complaints
- promote our policies, procedures, and services to the public
- conduct online surveys and gain feedback to improve our services
- fulfil our contractual obligations
6. What types of personal data do we process?
Personal data refers to any information relating to an identified living individual, or to someone who could be identified by the combination of data we hold about them.
We collect, store, and use the following categories of personal information:
- personal contact details, such as your name, title, job title, address(es), telephone numbers, and email address
- dates of birth
- sex or gender
- passport details: number, address, name
- General Practitioner contact details
- CVs and cover letters
- educational/professional qualifications
- bank details
- IP address and location
We also process more sensitive types of personal information:
- racial or ethnic origin
- political opinions, religious or philosophical beliefs
- genetic data or biometric data
- trade union membership
- health information
- sexual orientation or sex life
- criminal convictions and offences
7. Lawful basis for processing your personal data
We primarily process personal data where it is necessary for the effective performance of a task carried out in the public interest. There are six legal bases for processing that might apply, depending on the context. These are:
- legal obligation
- to protect someone’s life
- public task
- legitimate interests
These provisions are set out in Article 6 of the General Data Protection Regulation.
In limited circumstances we may rely on your consent to process your data. Where this is the case, you have the right to withdraw your consent by contacting the Agency’s Data Protection Officer (see below).
8. Your rights
Data Protection law gives you certain rights when we process your personal data. Some of these are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and the context. The rights are to:
- be told that we are processing your data and why
- receive a copy of your data (subject access)
- ask for your data to be corrected
- ask us to erase your data
- restrict processing
- data portability
- object to the processing
- be told if we use automated decision making or profiling
If you would like to find out more about your rights, please contact our Data Protection Officer at firstname.lastname@example.org.
9. Subject Access Request
The Data Protection Act allows you to find out what information we hold about you on computer and in some paper records. This is known as a subject access request (SAR).
To find out if we hold your personal data, or to access it please email: email@example.com.
We will need evidence of your identity before searching our records, and will respond within one month of receiving this. If we need extra time we will inform you within the month.
10. Disclosing your information (3rd parties)
We sometimes need to share the personal data we control (and our data processors may also share information) with other organisations. Where this is necessary we are required to comply with all aspects of Data Protection legislation. What follows is a description of the types of organisations with which we may need to share the personal information we process, for one or more reasons. Where necessary, required and within the law, we may share information with:
- other Government Departments
- credit reference agencies
- suppliers and service providers
- debt collection and tracing agencies/organisations
- financial organisations
- devolved Government departments
- health and care organisations
- trade, employer associations and professional bodies
- other statutory law enforcement agencies and investigative bodies
- health, social and welfare advisers or practitioners
- survey and research organisations
- police forces and other law enforcement organisations
- the Government Internal Audit Agency and other auditors as required
- the Civil Service Commission
- the Advisory Committee on Business Appointments
- the Office of the Commissioner for Public Appointments
- other regulators such as the Information Commissioner’s Office
- Her Majesty’s Revenue and Customs (HMRC)
- Trading Standards
- Serious Adverse Blood Reactions and Events (SABRE)
- Serious Hazards of Transfusion (SHOT)
- AGE (pre-employment)
- European Medicines Agency (EMA)
- NHS Improvement and Care Quality Commission
- Device Registrations (Device Online Registration System)
- device manufacturers
- pharmaceutical and scientific companies and organisations
We use third-party processors who provide services for us. We have contracts in place with our processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us.
They will hold it securely and retain it for the period we instruct. Where our processors are based outside the EEA, we have arrangements in place that comply with the requirements of Chapter V of the General Data Protection Regulation.
11. Retention of your data
We keep your personal data for no longer than necessary to fulfil our purpose in processing it.
12. Changes to the terms of this Privacy Notice/Policy
13. Other websites
14. The Information Commissioner’s Office
For independent advice about data protection, privacy and data sharing issues you can contact the independent Information Commissioner’s Office at:
Tel: 0303 123 1113