Public consultation on Common Specification Requirements for In Vitro Diagnostic Devices

Data protection notice

Introduction

Over the month of May 2024, the Medicines and Healthcare products Regulatory Agency will seek the views of individuals and organisations through a public consultation, to inform amendments to the Medical Devices Regulations 2002 to include Common Specifications requirements for high risk in vitro diagnostic medical devices.

This notice sets out how data collected through this call for evidence will be used and respondents’ rights under Articles 13 and/or 14 the UK General Data Protection Regulation (GDPR).

The Medicines and Healthcare products Regulatory Agency (MHRA) is the data controller.

What personal data we collect

We will collect data on:

• whether you are responding as an individual or on behalf of an organisation.
• your occupation
• your name and name of your organisation
• the country and region you live in, or where your organisation provides services in the UK

If volunteered by you, we will also collect data on:

• your email address (if completing a paper survey and submitting it by email, or if responding on behalf of an organisation and confirming MHRA can contact you about your response)
• any other personal data you volunteer by way of evidence or example in your response to open-ended questions in the survey

How we use your data

We collect your personal data as part of the consultation process:

• for statistical purposes, for example, to understand how representative the results are and whether views and experiences vary across demographics
• so that MHRA can contact you for further information about your response (if you are responding on behalf of an organisation and have given your consent)

Legal basis for processing personal data

The legal basis for processing your personal data is to perform a task carried out in the public interest, or in the exercise of official authority vested in the controller.

Data processors and other recipients of personal data

All responses to the consultation will be seen by:

•  Professionals within MHRA who are working on this consultation.
•  MHRA’s third-party supplier (SocialOptic), who is responsible for running and hosting the online survey

No personally identifiable data will be shared. MHRA may also share your responses, when anonymised, with Department of Health and Social Care, Government Legal Department, Office for Life Sciences, and any other government body identified to be part of this consultation

International data transfers and storage locations

Storage of data by MHRA is provided via secure computing infrastructure on servers located in the UK. Our platforms are subject to extensive security protections and encryption measures.

Storage of data by SurveyOptic is provided via secure servers located in the United Kingdom (UK).

Retention and disposal policy

Personal data will be held by MHRA for 3 years and disposed of sooner if possible.

SurveyOptic will securely erase the data held on their system 5 years after the call for evidence online survey closes, or when instructed to do so by MHRA if the data has served its intended purpose (whichever happens earlier).

Data retention will be reviewed on an annual basis. Anonymised data may be kept indefinitely.

How we keep your data secure

MHRA use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.

SurveyOptic is Cyber Essentials certified.

Your rights

By law, you have rights as a data subject. Your rights under the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply. These rights are:

• the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
• the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
• the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
• the right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
• the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case

Anyone unhappy or wishing to complain about how personal data is used as part of this programme, should contact dataprotection@mhra.gov.uk. 

Anyone who is still not satisfied can complain to the Information Commissioner’s Office. Their website address is www.ico.org.uk.