Please note that we do not accept responsibility or liability for any external websites that you may access via a link from this website. External websites will have their own privacy policies, which you should read.
This page was last updated: May 2020
1. Who are we?
The Medicines and Healthcare products Regulatory Agency (the MHRA) is an Executive Agency of the Department of Health and Social Care (DHSC). The DHSC, together with its Executive Agencies is a single legal entity (or ‘controller’) for the purposes of data protection law. The Agency has three centres, MHRA,NIBSC and CPRD; and carries out controller functions for the personal data for which it is responsible. These responsibilities include determining the purposes and means of processing the personal data.
You will find further information about the MHRA and DHSC on www.gov.uk.
2. Why do we need your information?
The MHRA acts on behalf of the Ministers to protect and promote public health and patient safety by ensuring that medicines and medical devices meet appropriate standards of safety, quality, performance and effectiveness.
The Yellow Card Scheme is the UK system for collecting and monitoring information on suspected safety concerns or incidents involving: medicines, medical devices and e-cigarette devices and liquids. The Scheme is run by the MHRA and currently relies on voluntary reporting of suspected safety concerns or incidents by healthcare professionals and members of the public (patients, users, or carers). The purpose of the Scheme is to provide an early warning that the safety of a product may require further investigation.
The Yellow Card website and Yellow Card app allow reports to be made for all medicines including vaccines, blood factors and immunoglobulins, herbal medicines and homeopathic remedies, as well as all medical devices available on the UK market. Since 20 May 2016, the MHRA has also collected reports of safety concerns associated with e-cigarette products through the Yellow Card Scheme. The Yellow Card app also allows reports to be made related to suspected side effects to medicines. Our purpose is to investigate these reports and take any necessary regulatory action in line with our statutory duties.
We may occasionally conduct surveys of users of the Yellow Card website or Yellow Card app to help improve the user experience.
The Yellow Card database holds information of value to public health and patient care; as a result, we may receive requests for the information contained in Yellow Card reports for medicines for academic research purposes that have potential scientific and / or significant public health value. However, the MHRA is conscious of the duty of confidentiality to patients and reporters. Therefore, all applications for research using Yellow Card data will be reviewed and approved by an independent advisory Committee to ensure patient and reporter confidentiality is respected, and that information from Yellow Card reports which may indirectly identify individuals are used appropriately.
Whenever we process personal data, we will ensure that we comply with the data protection principles, so that your personal data is:
- processed fairly, lawfully and transparently
- processed for specific and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and kept up to date where necessary
- kept in an identifiable form no longer than necessary for the purpose
- processed securely – we will put in place appropriate technical and organisational measures to safeguard your information
3. Our lawful basis
Our lawful basis for processing your personal data is GDPR Article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
Yellow Card reports require some information about the individual affected. If you are submitting a report about yourself, the information will relate to you and include some special category personal data, such as information about your health or ethnicity. The lawful bases we rely on to process special category personal data are Article 9(2)(i) of the GDPR and Schedule 1 part 1(3) of the DPA, both of which enable us to process such information when it is necessary for reasons of the public interest in the area of public health.
Where we share Yellow Card data for scientific or public health research purposes, we rely on GDPR Article 9(2)(j) as our lawful basis for processing special category personal data and Schedule 1 part 1(4) of the DPA. These bases permit us to process personal data for these purposes where it is in the public interest, subject to appropriate safeguards to protect your rights and freedoms.
4. Who do we collect data from?
We collect information from anyone who accesses the Yellow Card website or Yellow Card app. We also collect data when a Yellow Card report is submitted.
We encourage reports from the individual affected, their friends and relatives, healthcare professionals and manufacturers of medical devices – anyone may submit a Yellow Card on their own or someone else’s behalf.
The MHRA regulatory centre complies with the national data opt-out, for more information please see the NHS Data Matters webpage.
5. What personal data do we collect?
When you visit the website or app
When you register for an account
You may register with the Yellow Card website or Yellow Card app by providing your name and contact details, however registering is not essential for use. We provide this option as registering enables you to submit reports without requiring multiple entry of your details. Once registered, you can also view previously submitted reports.
When you report a Yellow Card
To submit a Yellow Card report, we require certain personal information. We ask for the reporter’s name and contact details so that we can get in touch if we need more information. We also require health and demographic details (such as age, sex, ethnicity etc) of the person affected by the incident to understand the impact on different populations.
We collect information on the reporter and the individual affected; this will be the same person if you are reporting about yourself.
We may collect the following personal information about the reporter:
- title, first name, last name
- email address
- postal address and telephone number
- job title and organisation details if the reporter is a healthcare professional or manufacturer representative
We may collect the following information about the individual affected:
- at least one of the following characteristics: initials, age, sex, weight, height or a local identifier
- information about the suspected product and a description of the adverse incident
- health data, including medical history and medications
We may ask for NHS number on a voluntary basis. This is to enable linkage of datasets and records which may help evaluate your report. We may also ask for NHS number where we need to follow up with a different healthcare provider to seek further information relating to the incident or individual’s medical history. NHS linkage may be used on the data in the following ways:
1. Use data associated to NHS number to supplement your report
2. We may send the data you enter back into the patient record. This will ensure the patient record is complete.
3. Perform data analysis across the Yellow Card data and patient records to ensure individuals data are not duplicated in analyses and that we can maximise our understanding of the real world benefit risk balance of COVID-19 vaccines in different patients.
6. Your rights
Data Protection law gives you certain rights when we process your personal data. Some of these are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and other factors. These rights are set out in GDPR Articles 12 - 23:
- right to be informed
- right of access
- right to rectification
- right to request erasure
- right to restrict processing
- right to request erasure
- right to object to processing
- right to lodge a complaint with the supervisory authority (ICO)
You can find out more about when these rights apply by visiting Your Data Matters at the Information Commissioner's Office website or see Section 11 to contact us for further information.
7. Our data processors
We use third party data processors who provide elements of services for us We have contracts in place with our data processors. This means that they cannot process your personal information unless we have instructed them to do so. They may not share your personal information with any other organisation. They will hold it securely and retain it for the period we instruct.
Red Ant hosts and manages the Yellow Card website and app under our instruction as our data processor. We also have processor contracts with other IT service providers. One IT service provider has offices in India. We have appropriate safeguards in place that contain enforceable data subject rights and effective legal remedies for the individuals whose data we are processing.
8. How long do we keep your personal data?
We only keep your personal information for as long as necessary to fulfil the purpose we collect it for, including reporting or legal requirements.
If you have registered on the Yellow Card website or Yellow Card app, we will retain your personal data as long as you are registered to use the services. You have the right to erase your registration details by closing your Yellow Card account. This can be done by emailing email@example.com. Please note that deleting your account will not delete any Yellow Card reports you may have submitted, given that these contain potential safety information about a medicine, medical device or e-cigarette. However, we may remove person identifiers from these reports if you request this under your right to erasure.
We keep Yellow Card reports for at least 15 years following withdrawal of the product from the market as per requirements under relevant legislation pertaining to medicines, medical devices and e-cigarette products.
9. Sharing your information
We will not share your information with any third parties for the purposes of direct marketing.
We do not share your identity with any person outside the MHRA without your explicit consent, unless we are required or permitted to do so by law. Examples include if we receive a court order to do so or if you are a healthcare professional reporting an adverse incident relating to a medical device, further details of which can be found below.. Exceptionally, we may share this where we have established a lawful basis for sharing personal data and can demonstrate that it is both necessary and proportionate to do so.
We may receive requests for Yellow Card report data under the Freedom of Information Act. While we are legally obliged to provide some of the requested information, we only provide high-level summary information with all person-identifiable data excluded.
We sometimes provide Yellow Card data for scientific or public health research purposes. Please see Section 2 for further information about this.
Regulation 3(3) of the Health Service Control of Patient Information Regulations 2002 does permit bodies such as ourselves to share confidential patient information for specific purposes that include recognising trends in communicable diseases, such as COVID-19, and monitoring and managing outbreaks of these.
If the situation arises, we would only share confidential patient information if we were satisfied that the disclosure is essential for the purpose described above and we would ensure that:
- We share the minimum information required to achieve the purpose
- Access to the information is limited to healthcare professionals or those who owe an equivalent duty of confidentiality to a healthcare professional
- Those who would have access to the confidential information are involved in the proposed relevant processing and are fully aware of the purpose
- Appropriate technical and organisational measures were in place to prevent unauthorised processing of the information
Reports related to side effects to medicines
The European Pharmacovigilance Legislation, Directive 2010/84/EU and Regulation (EU) 1235/2010, require us to share all Yellow Card reports about potential side effects to medicines with the European Medicines Agency (EMA), however we remove all the person identifiers before sharing the reports. In line with the legislation, the EMA also makes this information available to the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies.
We may also share anonymised reports with other government departments or Public Health bodies where the report is relevant to the work of the department. This is shared to support safety monitoring activities and regulatory decisions.
We will also provide a copy of your report to your healthcare provider where you have requested this.
Reports related to defective medicines
Reports related to potentially defective medicines will be sent to the pharmaceutical company who holds the license for the medicine. We remove any person identifiers before providing the information, unless the reporter has given explicit consent for us to share their contact details. If the reporter has provided an image of the product or packaging, we will also remove any person-identifiable information from the image before sharing.
Reports related to counterfeit or fake medicines
We may send reports related to potentially counterfeit or fake medicines to a number of Regulatory Agencies with the consent of the reporter, as part of our investigation of potential criminality. Such Agencies may include General Medical Council, Nursing and Midwifery Council, General Pharmaceutical Council, National Crime Agency, Police Forces and Action Fraud. If the reporter has provided an image of the product or packaging, we will remove any person identifiers before sharing the image.
Reports related to e-cigarettes
MHRA is the responsible agency for nicotine-containing e-cigarettes and refill containers (e-liquids) under the Tobacco and Related Products Regulations 2016 (TRPR). We may send anonymised information from a Yellow Card report related to these products to other government and law enforcement agencies, including the Department of Health and Social Care, Public Health authorities and local Trading Standards. This enables us to undertake safety assessments and for Trading Standards to carry out its law enforcement function by investigating potentially non-compliant or unsafe products. It also enables us to share information where the suspected product falls outside the MHRA’s remit.
Reports related to medical devices
Current European and UK legislation require the MHRA to send Yellow Card reports related to medical devices to the manufacturer to aid investigation. This legislation is listed below:
- Medical Devices Directive 93/42/EEC
- Active Implantable Medical Devices Directive 90/385/EEC
- In Vitro Diagnostic Medical Devices Directive 98/79/EC
UK Medical Device Regulations:
- Regulation on Medical Devices 2017/745
- Regulation on In Vitro Diagnostics Medical Devices 2017/746
If you are reporting as a manufacturer, we will not share commercially sensitive data that may identify you. If you are reporting as a healthcare professional, your organisational contact details will be provided to the manufacturer in line with the above Directives and Regulations.
If you are reporting as a member of the public, we will not share your name or contact details with the manufacturer without your consent. Where you have specifically provided consent, we will share your personal contact details with the manufacturer; this will allow the manufacturer to contact you for further details about the device to support their investigation if required.
11. Contacting Us
If you have any queries about your Yellow Card report or wish to exercise your rights under GDPR, please contact the MHRA at firstname.lastname@example.org.
If you have queries or concerns about how the MHRA protects and uses your personal data, please contact us at email@example.com in the first instance. You may also contact DHSC’s Data Protection Officer, firstname.lastname@example.org. Alternatively, you can contact us in writing:
The Medicines and Healthcare products Regulatory Agency
Date Protection Officer
10 South Colonnade
London E14 4P
Department of Health and Social Care
Data Protection Officer
39 Victoria Street
London SW1H 0EU
12. The Information Commissioner’s Office
If you have concerns about how we are processing your personal data and are unable to resolve them with us, you can seek independent advice from, or make a complaint to, the Information Commissioner’s Office. Please see their website for details of the ways in which you can contact them: https://ico.org.uk/global/contact-us/.