Data Protection and Privacy Information
Updated 26 June 2022
1. Introduction
You can read the MHRA Privacy Notice to find out in general terms the types of personal data we process and why; as well as information about your rights and how to raise concerns.
This privacy notice sets out the approach to this consultation that the MHRA will take to handle information appropriately and to comply with information legislation.
This privacy notice covers documents gathered and created during this consultation and anything in which information of any description is recorded, whether in paper or electronic form.
2. Legal requirements for information management and privacy
The consultation complies with data protection legislation including the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
We rely on UK GDPR Article 6(1)(e) as our legal basis for processing your personal data. This allows us to process personal data when this is necessary for the performance of our public tasks in our capacity as a regulator.
Information provided to the MHRA may include some special category personal data. Our lawful basis for processing such information is set out in UK GDPR Article 9(2)(i) and the Data Protection Act Schedset ule 1, Part 1(3). Both relate to situations where the processing is necessary for reasons of public interest in the area of public health.
3. Lawful basis and purpose of processing personal information
The consultation may collect and use personal information for the purpose of gathering views to inform our approach to regulating medical devices in the UK in future.
Individuals whose personal information is held by the MHRA for purposes of the consultation have given their consent to use their information for the purpose of the consultation. In the case of personal information, the purpose is to read and analyse the information provided to improve understanding of the key considerations raised by individuals and organisations for our future regime for medical devices.
The information may also be used to help explore issues and direct further areas of research.
4. Security and confidentiality
Only members of the MHRA Devices Future Regulation Working Group and authorised personnel from SurveyOptic Ltd (the online survey platform) will have access to personal information. Those who do are aware of their obligations and responsibilities when handling personal and confidential information. They are subject to employment, contractual and other professional obligations regarding confidential and official information, both during the review and afterwards.
All personal and confidential information is stored securely to prevent loss or inappropriate access.
5. Sharing information
The MHRA will hold the personal information you provide in this consultation and use it for the purpose of informing the approach to regulating medical devices in the UK in future. We will not sell your personal data and don’t intend to share your personal data with any third party other than our data processors who act only upon our instructions. We will handle any specific requests from a third party for us to share your personal data with them in accordance with data protection law.
Information published in response to this consultation, including personal information, may be published or disclosed in accordance with the access to information regimes. These are primarily the Freedom of Information Act 2000 (FOIA), the Data Protection Act 2018 (DPA), the General Data Protection Regulation 2016 (GDPR) and the Environmental Information Regulations 2004.
If you wish the information you provide to be treated as confidential it would be helpful if you could explain to us why you regard the information you have provided as confidential. Any information not published, including personal information, may still be subject to disclosure in accordance with the Freedom of Information Act. If we receive a request for disclosure of such unpublished information, we will take full account of your explanation, but we cannot give an assurance that confidentiality can be maintained in all circumstances. We will not take a standard confidentiality statement included in an email message as a specific request for non-disclosure.
The MHRA will process your personal data in accordance with the DPA and GDPR and in the majority of circumstances this will mean that your personal data will not be disclosed to third parties. However, the information you send us may need to be published in a summary of responses to this consultation.
6. Retention and destruction of documents
We will retain the responses to this consultation until our work on the future regulation of medical devices is complete.
Following the consultation, a response to the consultation will be published outlining its findings and recommendations. It is anticipated that the final response will not include any personal data. The contributions will be retained for a period of 2 years after the final consultation response has been published.
7. Rights
You have several rights which are outlined in the (MHRA Privacy Notice](https://www.gov.uk/government/publications/mhra-privacy-notice). For greater detail on when they apply please refer to the Information Commissioner’s website If you wish to exercise any of your rights, or have any questions or concerns, please contact our Data Protection Officer at dataprotection@mhra.gov.uk.