Privacy Policy

This Privacy Policy sets out the manner in which the Yellow Card Scheme Website (www.yellowcard.mhra.gov.uk) and Yellow Card app processes personal data gathered from users. It outlines the importance of the data and explains your rights under both the General Data Protection Regulation 279/2016 (GDPR) and the Data Protection Act 2018 (DPA).

Please note that we do not accept responsibility or liability for any external websites that you may access via a link from this website. External websites will have their own privacy policies, which you should read.

Who we are

The Medicines and Healthcare products Regulatory Agency (MHRA) is an Executive Agency of the Department for Health and Social Care (DHSC). As such, the MHRA acts as the data controller for the personal data it processes for its own purposes.

If you have queries about how the MHRA protects and uses your personal data, please contact dataprotection@mhra.gov.uk in the first instance. You may also contact DHSC’s Data Protection Officer, George Menzies, at data_protection@dh.gsi.gov.uk. Alternatively, you can contact us in writing:

  • Date Protection Officer, MHRA, 10 South Colonnade, Canary Wharf, London, E14 4PU, or
  • Date Protection Officer, DHSC, 1st Floor North, 39 Victoria Street, London, SW1H 0EU

You will find further information about the MHRA and DHSC on www.gov.uk.

Red Ant is our data processor. They host and manage this website on MHRA’s behalf.

Why do we need your information?

The MHRA acts on behalf of the Ministers to protect and promote public health and patient safety by ensuring that medicines, healthcare products, medical equipment and e-cigarette devices and liquids are used safely and meet appropriate standards of safety, quality, performance and effectiveness. 

The Yellow Card Scheme enables the MHRA to monitor the safety of all healthcare products in the UK to ensure they are acceptably safe for patients and those that use them. You contribute to this by informing us of suspected side effects of medicinal products, medical devices and electronic cigarettes, counterfeit and defective products.

To submit a Yellow Card we require certain personal information. We ask for the reporter’s name and contact details so that we can get in touch if we need more information. We also require health and demographic details (such as age, sex, ethnicity etc) of the person affected by the incident to understand the impact on different populations.

The information you provide will be kept safely, securely and confidentially. We will not share personal identifiers with any person outside the MHRA without your explicit consent, unless we are required to do so by law. You can also ask someone else to send a report in about a suspected side effect if you do not wish to give us your name.   

What personal data do we collect?

When you visit the website

We capture certain online identifiers and information about your use of our website. For more information about this, please read our cookie policy. We may occasionally conduct surveys of users to help improve the user experience. 

When you register for an account

You may register with the Yellow Card website by providing your name and contact details, but registering is not essential. This information is requested for your convenience as registering will enable multiple report submissions without requiring multiple entry of your details. Once registered, you can also view previously submitted reports.

The MHRA may contact registered users about the Yellow Card Scheme, or the services you have used. We will not pass your personal data to other organisations for commercial or any other use except as identified in this policy. 

When you report a Yellow Card

We encourage reports from the individual affected, their friends and relatives, healthcare professionals and manufacturers of medical devices – anyone may submit a Yellow Card on their own or someone else’s behalf.

We collect information on the reporter and the individual affected; this will be the same person if you are reporting about yourself.

We collect the following personal information about the reporter:

  • Title, first name, last name
  • Contact details; email address, telephone number
  • Job title and organisation details if the reporter is a healthcare professional or manufacturer representative
  • IP address

We collect the following personal information and special category information about the individual affected:

  • We require at least one of the following characteristics: initials, age, sex, weight, height or a local identifier (excluding NHS number)
  • Ethnicity (optional)
  • Information about the suspected product and a description of the adverse incident
  • Health data, including medical history and medications

Your rights

Under the Data Protection Act and General Data Protection Regulation, you have the following rights:

  • right of access (if we can be confident that the information is your personal data) – you can ask us whether we are processing your personal data and if so, request a copy of it
  • right to have inaccuracies corrected
  • right to request erasure in certain circumstances
  • right to object to processing in specific circumstances

Legal basis

Our legal basis in processing your personal data is Article 6(1)(e) of the GDPR, where the Agency has a statutory obligation to perform these activities in the interest of public health. We also process special category data relating to health under Article 9(2)(i) of the GDPR, wherein processing is necessary for reasons of public interest in the area of public health.

To find out more, please contact our Data Protection Officer at dataprotection@mhra.gov.uk

Cookie Policy

To see the Yellow Card scheme’s cookie policy, click here.

Data storage and security

All information you provide, we collect, store and process are on our Yellow Card Scheme servers, some of which may lie outside the European Economic Area.

In accordance with the data protection legislation, we have adopted appropriate technical and organizational security measures to protect against any misuse, loss or corruption of your personal information.

Retention and disposal

We only keep your personal information for as long as necessary to fulfil the purpose we collect it for, including reporting or legal requirements.

As per the Pharmacovigilance Implementation Regulation 520/2012, Yellow Card reports relating to medicines are required to be kept for the lifetime of the product, and at least 15 years thereafter, while Yellow Card reports relating to medical devices are required to be kept for at least 20 years. Yellow Card reports related to e-cigarette products are required to be kept for the product lifetime and 15 years thereafter, while Yellow Card reports related to defective medicines are required to be kept for 20 years. Yellow Card reports relating to blood products cannot be disposed as per the Infected Blood Inquiry 2017.

If you have registered on the Yellow Card website, we will retain your personal data as long as you are registered to use the services. You have the right to close your Yellow Card account and your registration data will be removed accordingly. However, we may retain your information if required under applicable laws.

Sharing your information

Reports related to side effects to medicines

Under reporting requirements in the European Pharmacovigilance Legislation, Directive 2010/84/EU and Regulation (EU) 1235/2010, all Yellow Card reports about potential side effects to medicines are sent to the European Medicines Agency (EMA) with identifiable details removed. In line with the legislation, this information will also be made available by the EMA to the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies. We will also provide a copy of your report to your healthcare provider where you have requested this.  

Reports related to e-cigarette devices

As the responsible agency for e-cigarette devices and e-liquids, under the European Tobacco Products Directive 2014/14/EU (TPD), we may send information from a Yellow Card report related to these products to local Trading Standards, with identifiable details removed. This enables us to undertake law enforcement to investigate potentially non-compliant or unsafe products.

Reports related to medical devices

Yellow Card reports related to medical devices may be sent to the manufacturer to aid investigation in line with current European legislation:

  • Medical Devices Directive 93/42/EEC
  • Active Implantable Medical Devices Directive 90/385/EEC
  • In Vitro Diagnostic Medical Devices Directive 98/79/EC

And the new European Device Regulations:

  • Regulation (EU) 2017/745
  • Regulation (EU) 2017/746

If you are reporting as a manufacturer, we will not share commercially sensitive data that may identify you. If you are reporting as a member of the public, your personal contact will not be shared with the manufacturer, unless you have provided consent. If you are reporting as a healthcare professional, your organisational contact details will be provided to the manufacturer in line with the above Directives and Regulations.

We take all reasonable precautions to keep your personal information secure and require any third parties that handle or process your personal information to do the same in accordance with applicable data protection laws.

We do not share your information with any other organisation for the following purposes:

  • Marketing
  • Market research or commercial purposes
  • Sharing to other websites

Disclosing your information

Yellow Card report data may be requested under the Freedom of Information Act; while we are legally obliged to provide the requested information, all personal identifiable data is excluded from any information provided

We will also additionally disclose this information where we must enforce our terms of use and other agreements.

Changes in our policy

MHRA have the right to update and improve this privacy policy in accordance with the new data protection laws. We will inform you of any changes to this privacy policy if we believe the changes would impact on your rights or introduce a new purpose in processing your information.

Contacting Us

If you have any questions about this Privacy Policy, the practices of this site, or your dealings with this site please contact us at info@mhra.gov.uk

If you would like to make a complaint, please contact: mhra.complaints@mhra.gov.uk