Data Privacy Notice
1. Introduction
You can read the MHRA Privacy Notice to find out in general terms the types of personal data we process and why, as well as information about your rights and how to raise concerns.
This notice sets out how data collected for your expression of interest to join the Patient and Public Community will be used and your rights under Articles 13 and/or 14 of the UK General Data Protection Regulation (GDPR).
2. Legal requirements for information management and privacy
The collection of information for your expression of interest to join the Patient and Public Community complies with data protection legislation including the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
The Medicines and Healthcare products Regulatory Agency (MHRA) is the data controller.
3. Lawful basis and purpose of processing personal information
The expression of interest form to join the Patient and Public Community will collect and use personal information for the purpose of supporting our patient involvement and engagement activities.
We rely on UK GDPR Article 6(1)(a) Consent as our legal basis for processing your personal data.
Information provided to the MHRA may include some special category personal data. Our lawful basis for processing such information is set out in UK GDPR Article 9(2)(a) Explicit Consent.
Personal information held by the MHRA for the purpose of joining the Patient and Public Community will be used for the objective of MHRA’s patient involvement and engagement activities. In the case of personal information, the purpose is to identify who the application belongs to and understand the demographics of the Patient and Public Community.
4. What personal data we collect
We will collect data on:
- whether you are signing up as an individual or on behalf of an organisation
- your role or occupation held for networks or charities
- your title, name and/or name of your organisation (if representing an organisation)
- your age group, gender
- your email address
- your telephone number(s)
- where you live in the UK
- whether you participate as a carer, a patient advocate or representative in a forum or committees run by other health system agencies
- what health condition(s)/disease area(s) you have lived experience for or are interested in for medicine(s) and/or medical device(s)
- whether we can share your contact details with other Forum contacts or MHRA staff, where relevant to the work of the PPSE team
- any other personal data you volunteer.
5. How we use your data
We collect your personal data as part of the expression of interest to support our patient involvement and engagement activities:
- so that MHRA can contact you if we require any further information about your response
- so that MHRA can keep you updated about patient involvement or engagement opportunities for you or your organisation
- so that MHRA can invite you to contribute to or attend relevant events, meetings or other activities which may also occasionally be for or run in collaboration with another organisation (e.g. the Department of Health and Social Care or Office of Life Sciences).
The legal basis for processing your personal data is to perform a task carried out in the public interest, or in the exercise of official authority vested in the controller.
6. Data processors and other recipients of personal data
All responses to the questions will be seen by:
- the MHRA Patient, Public and Stakeholder Engagement Team
- MHRA’s third-party supplier (SocialOptic), who is responsible for running and hosting the online survey.
No personally identifiable data will be shared. MHRA may also share your responses, when anonymised, with business areas within the MHRA if relevant to a piece of work MHRA thinks may benefit from your involvement.
7. International data transfers and storage locations
Storage of data by MHRA is provided via secure computing infrastructure on servers located in the UK. Our platforms are subject to extensive security protections and encryption measures.
Storage of data by SurveyOptic is provided via secure servers located in the United Kingdom (UK).
8. Retention and disposal policy
Personal data will be held by MHRA for 3 years and disposed of sooner if possible.
SurveyOptic will securely erase the data held on their system 5 years after you register, or when instructed to do so by MHRA if the data has served its intended purpose (whichever happens earlier).
Data retention will be reviewed on an annual basis. Anonymised data may be kept indefinitely.
9. How we keep your data secure
MHRA use appropriate technical, organisational and administrative security measures to protect any information we hold in our records from loss, misuse, unauthorised access, disclosure, alteration and destruction. We have written procedures and policies which are regularly audited and reviewed at a senior level.
SurveyOptic is Cyber Essentials certified.
10. Your rights
By law, you have rights as a data subject. Your rights under the UK General Data Protection Regulation and the UK Data Protection Act 2018 apply. You can learn more about your rights from the "For the public" section of the Information Commissioner’s Office website.
Anyone unhappy or wishing to complain about how personal data is used as part of this programme should contact dataprotection@mhra.gov.uk.
Anyone who is still not satisfied can complain to the Information Commissioner’s Office. Their website address is https://ico.org.uk/.