Please note that we do not accept responsibility or liability for any external websites that you may access via a link from this website. External websites will have their own privacy policies, which you should read.
This page was last updated: January 2023
1. Who are we?
The Medicines and Healthcare products Regulatory Agency (the MHRA) is an Executive Agency of the Department of Health and Social Care (DHSC). The DHSC together with its Executive Agencies is a single legal entity (or ‘controller’) for the purposes of data protection law. The Agency carries out controller functions for the personal data for which it is responsible. These responsibilities include determining the purposes and means of processing the personal data.
You will find further information about the MHRA and DHSC on www.gov.uk.
2. Why do we need your information?
The MHRA acts on behalf of the Ministers to protect and promote public health and patient safety by ensuring that medicines and medical devices meet appropriate standards of safety, quality, performance and effectiveness.
The Yellow Card scheme is the UK system for collecting and monitoring information on suspected safety concerns or incidents involving: medicines, medical devices and e-cigarette devices and liquids. The scheme is run by the MHRA and currently relies on voluntary reporting of suspected safety concerns or incidents by healthcare professionals and members of the public (patients, users, or carers). The purpose of the scheme is to provide an early warning that the safety of a product may require further investigation.
The Yellow Card website and Yellow Card app allow reports to be made for suspected side effects to all medicines including vaccines, blood factors and immunoglobulins, herbal medicines and homeopathic remedies, as well as all adverse incidents associated with all medical devices (including software, apps and artificial intelligence) available on the UK market. Since 20 May 2016, the MHRA has also collected reports of safety concerns associated with e-cigarette products and their refills through the Yellow Card scheme. The Yellow Card app also allows reports to be made related to suspected side effects to medicines and medical device adverse incidents. Our purpose is to investigate these reports and take any necessary regulatory action in line with our statutory duties to monitor the safety of healthcare products in the UK.
We may occasionally conduct surveys of users of the Yellow Card website or Yellow Card app to help improve the user experience or get in touch with reporters to develop case studies to increase awareness about reporting to the Yellow Card scheme e.g. for use in campaigns.
The Yellow Card database holds information of value to public health and patient care; as a result, we may receive requests for the information contained in Yellow Card reports for academic research purposes that have potential scientific and / or significant public health value. However, the MHRA is conscious of the duty of confidentiality to patients and reporters. Therefore, all applications for research using Yellow Card data will be reviewed and approved by an independent advisory Committee to ensure patient and reporter confidentiality is respected, and that information from Yellow Card reports which may indirectly identify individuals are used appropriately.
Whenever we process personal data, we will ensure that we comply with the data protection principles, so that your personal data is:
processed fairly, lawfully and transparently
processed for specific and legitimate purposes
adequate, relevant and limited to what is necessary
accurate and kept up to date where necessary
kept in an identifiable form no longer than necessary for the purpose
processed securely – we will put in place appropriate technical and organisational measures to safeguard your information
3. Our lawful basis
Our lawful basis for processing your personal data is UK GDPR Article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
Yellow Card reports require some information about the individual affected. If you are submitting a report about yourself, the information will relate to you and include some special category personal data, such as information about your health or ethnicity. The lawful bases we rely on to process special category personal data are Article 9(2)(i) of the UK GDPR and Schedule 1 part 1(3) of the DPA, both of which enable us to process such information when it is necessary for reasons of the public interest in the area of public health.
Where we share Yellow Card data for scientific or public health research purposes, we rely on UK GDPR Article 9(2)(j) as our lawful basis for processing special category personal data and Schedule 1 part 1(4) of the DPA. These bases permit us to process personal data for these purposes where it is in the public interest, subject to appropriate safeguards to protect your rights and freedoms.
4. Who do we collect data from?
We collect data from anyone who accesses the Yellow Card website or Yellow Card app. We also collect data when a Yellow Card report is submitted.
We encourage reports from the individual affected, their friends and relatives, healthcare professionals and manufacturers of medical devices – anyone may submit a Yellow Card on their own or someone else’s behalf.
The MHRA complies with the national data opt-out, for more information please see the NHS Data Matters webpage.
5. What personal data do we collect?
When you visit the website or app
When you register for an account
You may register with the Yellow Card website or Yellow Card app by providing your name and contact details, however registering is not essential for use. We provide this option as registering enables you to submit reports without requiring multiple entry of your details. Once registered, you can also view previously submitted reports.
When you report a Yellow Card
To submit a Yellow Card report, we require certain personal data. We ask for the reporter’s name and contact details so that we can get in touch if we need more information. We also require health and demographic details (such as age, sex, ethnicity etc) of the person affected by the incident to understand the impact on different populations.
We collect data on the reporter and the individual affected; this will be the same person if you are reporting about yourself.
We may collect the following personal data about the reporter:
title, first name, last name
postal address and telephone number
job title and organisation details if the reporter is a healthcare professional or manufacturer representative
We may collect the following data about the individual affected:
at least one of the following characteristics: initials, age, sex, weight, height or a local identifier
information about the suspected product and a description of the adverse incident
health data, including medical history and medications
We collect NHS Numbers on a voluntary basis. This number, and other data, such as postal address, may be used to link the Yellow Card submissions to electronic healthcare record data as set out below.
NHS number linkage may be used in the following ways.
With your permission, we may collect information, such as product brand and batch, from your NHS patient record to auto-populate the report. This will simplify the user journey as well as ensure complete and accurate data.
Perform data analysis across Yellow Card reports and patient records to ensure individuals’ data is not duplicated in analyses and that we can maximise our understanding of the real-world benefit risk balance of medicinal products.
We may contact reporters to request further information or share Yellow Card reports with healthcare professionals, where permission has been provided, where it would be helpful in our assessment of the Yellow Card report.
6. Your rights
Data Protection law gives you certain rights when we process your personal data. Some of these are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and other factors. These rights are set out in UK GDPR Articles 12 - 23:
right to be informed
right of access
right to rectification
right to erasure
right to restrict processing
right to data portability
right to object
rights related to automated decision making including profiling
You can find out more about when these rights apply by visiting Your Data Matters at the Information Commissioner's Office website or see Section 11 to contact us for further information.
7. Our data processors
We use third party data processors who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot process your personal data unless we have instructed them to do so. They may not share your personal data with any other organisation. They will hold it securely and retain it for the period we instruct.
Red Ant hosts and manages the Yellow Card website and app under our instruction as our data processor. We also have processor contracts with other IT service providers. One IT service provider has offices in India. We have appropriate safeguards in place that contain enforceable data subject rights and effective legal remedies for the individuals whose data we are processing.
8. How long do we keep your personal data?
We only keep your personal data for as long as necessary to fulfil the purpose we collect it for, including reporting or legal requirements.
If you have registered on the Yellow Card website or Yellow Card app, we will retain your personal data as long as you are registered to use the services. You have the right to erase your registration details by closing your Yellow Card account. This can be done by emailing firstname.lastname@example.org. Please note that deleting your account will not delete any Yellow Card reports you may have submitted, given that these contain potential safety information about a medicine, medical device or e-cigarette. However, we may remove person identifiers from these reports if you request this under your right to erasure.
We keep Yellow Card reports for at least 15 years following withdrawal of the product from the market as per requirements under relevant legislation pertaining to medicines, medical devices and e-cigarette products.
9. Sharing your information
We will not share your information with any third parties for the purposes of direct marketing.
We do not share your identity with any person outside the MHRA without your explicit consent unless we are required or permitted to do so by law. Examples include if we receive a court order to do so or if you are a healthcare professional reporting an adverse incident relating to a medical device, further details of which can be found below. Exceptionally, we may share this where we have established a lawful basis for sharing personal data and can demonstrate that it is both necessary and proportionate to do so.
We may receive requests for Yellow Card report data under the Freedom of Information Act. While we are legally obliged to provide some of the requested information, we only provide high-level summary information with all person-identifiable data excluded.
We sometimes provide Yellow Card data for scientific or public health research purposes. Please see Section 2 for further information about this.
Data may be published in an aggregated format in accordance with the Human Medicines Regulation, Regulation 178(d) and Medicines and Medical Devices Act 2021 paragraph 39. These regulations provision the MHRA to make data available to the public on medicines and medical devices, subject to ensuring requirements of data protection legislation are met, where it is in the public interest to do so.
We may also share anonymised reports, where possible, with other government departments or public health bodies, such as datasets with our regional Yellow Card Centres, or subsets of data with local Medication Safety Officers and Medical Device Safety Officers, who have a responsibility for promotion of reporting and educating reporters locally, where the report is relevant to the work of the department for patient safety learning or if they have been commissioned by the MHRA. This is shared to support safety monitoring activities and regulatory decisions.
We will also provide a copy of your report to your healthcare provider where you have requested this.
Reports related to side effects to medicines
UK reports (excluding Northern Ireland)
UK reports (excluding those from Northern Ireland) are subject to Human Medicines Regulations 2012, Part 11, and Schedule 12A, which requires MHRA to share all Yellow Card reports about potential side effects to medicines with the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies, however we remove all the person identifiers before sharing the reports. Post 31st December 2020 this legislation should be viewed in association with the Exceptions and modifications to the EU guidance on good pharmacovigilance practices that apply to UK marketing authorisation holders and the licensing authority.
Northern Ireland reports
Reports are identified as being from Northern Ireland (NI) if the reporter postcode begins with ‘BT’. According to the Northern Ireland Protocol, NI remain under European Pharmacovigilance Legislation, and therefore Directive 2010/84/EU and Regulation (EU) 1235/2010 apply, which requires MHRA to share all Yellow Card reports about potential side effects to medicines with the European Medicines Agency (EMA), however we remove all the person identifiers before sharing the reports. In line with the legislation, the EMA also makes this information available to the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies.
Reports related to defective medicines
Reports related to potentially defective medicines will be sent to the pharmaceutical company who holds the license for the medicine. We remove any person identifiers before providing the information, unless the reporter has given explicit consent for us to share their contact details. If the reporter has provided an image of the product or packaging, we will remove any person identifiers from the image before sharing.
Reports related to counterfeit or fake medicines
We may send reports related to potentially counterfeit or fake medicines to a number of regulatory agencies with the consent of the reporter as part of our investigation of potential criminality. Such agencies may include the General Medical Council, Nursing and Midwifery Council, General Pharmaceutical Council, National Crime Agency, Police Forces and Action Fraud. If the reporter has provided an image of the product or packaging, we will remove any person identifiers from the image before sharing.
Reports related to e-cigarettes
MHRA is the responsible agency for nicotine-containing e-cigarettes and refill containers (e-liquids) under the Tobacco and Related Products Regulations 2016 (TRPR). We may send anonymised information from a Yellow Card report related to these products to other government and law enforcement agencies, including the Department of Health and Social Care, Public Health authorities and local Trading Standards. This enables us to undertake safety assessments and for Trading Standards to carry out its law enforcement function by investigating potentially non-compliant or unsafe products. It also enables us to share information where the suspected product falls outside the MHRA’s remit.
Reports related to medical devices
UK reports (excluding Northern Ireland)
The regulations in force in England, Scotland, Wales are the Medical Devices Regulations 2002 (SI 2002 No 618, as amended).
Northern Ireland reports
The regulations in force in Northern Ireland are:
the EU Medical Devices Regulation (2017/745),
the Medical Devices (Northern Ireland Protocol) Regulations 2021 (SI 2021 No 905),
the Medical Devices Regulations 2002 (SI 2002 No 618, as amended) for In Vitro Diagnostic Medical Devices until 25 May 2022 and the EU in vitro Diagnostic Medical Device Regulation (2017/746) from 26 May 2022.
Current UK and EU legislation requires the MHRA to send Yellow Card reports related to medical devices to the manufacturer to aid investigation.
If you are reporting as a healthcare professional, your organisational contact details will be provided to the manufacturer for the purpose to aid an incident investigation with your consent. If you are reporting as a member of the public, we will only share your name and contact details with the manufacturer if you provide consent. This will allow the manufacturer to contact you for further details about the device to support their investigation if required.
11. Contacting Us
If you have any queries about your Yellow Card report or wish to exercise your rights under UK GDPR, please contact the MHRA at email@example.com.
If you have queries or concerns about how the MHRA protects and uses your personal data, please contact us at firstname.lastname@example.org in the first instance. You may also contact DHSC’s Data Protection Officer, email@example.com. Alternatively, you can contact us in writing:
The Medicines and Healthcare products Regulatory Agency Data Protection Officer 10 South Colonnade Canary Wharf London E14 4PU
Department of Health and Social Care Data Protection Officer 39 Victoria Street London SW1H 0EU
12. The Information Commissioner’s Office
If you have concerns about how we are processing your personal data and are unable to resolve them with us, you can seek independent advice from, or make a complaint to, the Information Commissioner’s Office. Please see their website for details of the ways in which you can contact them: https://ico.org.uk/global/contact-us/.