Please note that we do not accept responsibility or liability for any external websites that you may access via a link from this website. External websites will have their own privacy policies, which you should read.
This page was last updated: January 2022 Version 2.0
1. Who are we?
The Medicines and Healthcare products Regulatory Agency (the MHRA) is an Executive Agency of the Department of Health and Social Care (DHSC). The DHSC, together with its Executive Agencies is a single legal entity (or ‘controller’) for the purposes of data protection law. The Agency has three centres, MHRA, NIBSC and CPRD; and carries out controller functions for the personal data for which it isresponsible. These responsibilities include determining the purposes and means of processing the personal data.
You will find further information about the MHRA and DHSC on www.gov.uk.
2. Why do we need your information?
The MHRA acts on behalf of the Ministers to protect and promote public health and patient safety by ensuring that medicines and medical devices meet appropriate standards of safety, quality, performance and effectiveness.
One of the ways in which we monitor products is through the Yellow Card scheme which is vital in helping the MHRA monitor the safety of all healthcare products in the UK to ensure they are acceptably safe for patients and those that use them. The Yellow Card Vaccine Monitor is an extension to our normal data collection under the Yellow Card scheme and is a platform designed to strengthen regulatory monitoring of the safety of COVID-19 vaccine/s, once approved for supply to the public. The Yellow Card Vaccine Monitor is required to supplement current passive monitoring methods to gain insights into the public’s experiences with COVID-19 vaccines compared to data from clinical trials.
Background on the Yellow Card scheme
The Yellow Card scheme is the UK system for collecting and monitoring information on suspected safety concerns or incidents involving: medicines, medical devices and e-cigarette devices and liquids. The scheme is run by the MHRA and currently relies on voluntary reporting of suspected safety concerns or incidents by healthcare professionals and members of the public (patients, users, or carers). The purpose of the scheme is to provide an early warning that the safety of a product may require further investigation.
The Yellow Card website and Yellow Card app allow reports to be made for all medicines, including vaccines, blood factors and immunoglobulins, herbal medicines and homeopathic remedies, as well as all medical devices available on the UK market.
Our purpose is to investigate these reports and take any necessary regulatory action in line with our statutory duties.
We may occasionally conduct surveys of users of the Yellow Card Vaccine Monitor to help improve the user experience.
Yellow Card Vaccine Monitor data will hold information of value to public health and patient care; as a result, we may receive requests for the information contained in Yellow Card Vaccine Monitor submissions for academic research purposes that have potential scientific and / or significant public health value. However, the MHRA is conscious of the duty of confidentiality to patients and reporters. Therefore, all applications for research using Yellow Card Vaccine Monitor data will be reviewed and approved by an independent advisory Committee to ensure patient and reporter confidentiality is respected, and that information from Yellow Card Vaccine Monitor submissions which may indirectly identify individuals are used appropriately.
Whenever we process personal data, we will ensure that we comply with the data protection principles, so that your personal data is:
processed fairly, lawfully and transparently
processed for specific and legitimate purposes
adequate, relevant and limited to what is necessary
accurate and kept up to date where necessary
kept in an identifiable form no longer than necessary for the purpose
processed securely – we will put in place appropriate technical and organisational measures to safeguard your information
3. Our lawful basis
Our lawful basis for processing your personal data is UK GDPR Article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.
Yellow Card Vaccine Monitor submissions require some information about the individual receiving a vaccination, the vaccinee. If you are registering yourself, the information will relate to you and include some special category personal data, such as information about your health or ethnicity. The lawful basis we rely on to process special category personal data are Article 9(2)(i) of the UK GDPR and Schedule 1 part 1(3) of the DPA, both of which enable us to process such information when it is necessary for reasons of the public interest in the area of public health.
Where we share Yellow Card Vaccine Monitor data for scientific or public health research purposes, we rely on UK GDPR Article 9(2)(j) as our lawful basis for processing special category personal data and Schedule 1 part 1(4) of the DPA. These bases permit us to process personal data for these purposes where it is in the public interest, subject to appropriate safeguards to protect your rights and freedoms.
4. Who do we collect data from?
We collect data from anyone who accesses or registers with the Yellow Card Vaccine Monitor. We also collect data when a Yellow Card Vaccine Monitor submission is sent to us.
We encourage registrations from the recipients of COVID-19 vaccines, however, friends and relatives may register and provide information to the Yellow Card Vaccine Monitor on someone else’s behalf, providing they have permission to do so.
The MHRA regulatory centre complies with the national data opt-out, for more information please see the NHS Data Matters webpage.
5. What personal data do we collect?
When you visit the website or app
When you register for an account or submit information
To participate in the Yellow Card Vaccine Monitor you will need to sign up. Once signed up, you can view previous submissions.
We ask for the reporter’s name and contact details so that we can get in touch if we need more information. We also require health and demographic details (such as age, sex, ethnicity etc) of the individual receiving the COVID-19 vaccine to understand the impact on different populations.
We collect the below information on the reporter and the vaccinee; this will be the same person if you are registering yourself.
We may collect the following personal information about the reporter:
title, first name, last name
postal address and telephone number
job title and organisation details if the reporter is a healthcare professional
We may collect the following information about the patient:
at least one of the following characteristics: initials, date of birth, sex, weight, height or a local identifier (NHS number)
information about the vaccination received and
if a suspected reaction occurs then we will ask for a description of the adverse incident
health data, including medical history and medications
We ask for the vaccinee’s NHS number on a voluntary basis. NHS linkage may be used on the data in the following ways.
1. We may collect information, such as vaccination brand and batch, from your NHS patient record to auto-populate the Yellow Card Vaccine Monitor. This will simplify the user journey as well as ensure complete and accurate data.
2. We may send the data you enter back into your patient record. This will ensure your patient record is complete.
3. Perform data analysis across the Yellow Card Vaccine Monitor and patient records to ensure individuals’ data are not duplicated in analyses and that we can maximise our understanding of the real world benefit risk balance of COVID-19 vaccines in different patients.
6. Your rights
Data Protection law gives you certain rights when we process your personal data. Some of these are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and other factors. These rights are set out in GDPR Articles 12 - 23:
right to be informed
right of access
right to rectification
right to erasure
right to restrict processing
right to data portability
right to object
rights related to automated decision making including profiling
You can find out more about when these rights apply by visiting the ICO website at Your Data Matters or see section 11 to contact us for further information.
7. Our data processors
We use third party data processors who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot process your personal information unless we have instructed them to do so. They may not share your personal information with any other organisation. They will hold it securely and retain it for the period we instruct.
Red Ant hosts and manages the Yellow Card Vaccine Monitor website and app under our instruction as our data processor. We also have processor contracts with other IT service providers. One IT service provider has offices in India. We have appropriate safeguards in place that contain enforceable data subject rights and effective legal remedies for the individuals whose data we are processing.
8. How long do we keep your personal data?
We only keep your personal information for as long as necessary to fulfil the purpose we collect it for, including reporting or legal requirements.
If you have registered on the Yellow Card Vaccine Monitor website or app, we will retain your personal data as long as you are registered to use the services. You have the right to erase your registration details by closing your Yellow Card Vaccine Monitor account. This can be done by emailing firstname.lastname@example.org. Please note that deleting your account will not delete any information you may have submitted, given that these contain potential safety information about a vaccine. However, we may remove person identifiers from these reports if you request this under your right to erasure.
We will keep Yellow Card Vaccine Monitor submissions for at least 15 years following withdrawal of the product from the market as per requirements under relevant legislation pertaining to medicines.
9. Sharing your information
We will not share your information with any third parties for the purposes of direct marketing.
We do not share your identity with any person outside the MHRA without your explicit consent unless we are required or permitted to do so by law. Examples include if we receive a court order. Exceptionally, we may share this where we have established a lawful basis for sharing personal data and can demonstrate that it is both necessary and proportionate to do so.
We may receive requests for Yellow Card Vaccine Monitor data under the Freedom of Information Act. While we are legally obliged to provide some of the requested information, we only provide high-level summary information with all person-identifiable data excluded.
We sometimes may need to provide Yellow Card Vaccine Monitor data for scientific or public health research purposes. Please see Section 2 for further information about this.
Regulation 3(3) of the Health Service Control of Patient Information Regulations 2002 does permit bodies such as ourselves to share confidential patient information for specific purposes that include recognising trends in communicable diseases, such as COVID-19, and monitoring and managing outbreaks of these.
If the situation arises, we would only share confidential patient information if we were satisfied that the disclosure is essential for the purpose described above and we would ensure that:
We share the minimum information required to achieve the purpose
Access to the information is limited to healthcare professionals or those who owe an equivalent duty of confidentiality to a healthcare professional
Those who would have access to the confidential information are involved in the proposed relevant processing and are fully aware of the purpose
Appropriate technical and organisational measures are in place to prevent unauthorised processing of the information
Reports related to side effects to medicines
UK reports (excluding Northern Ireland)
UK reports (excluding those from Northern Ireland) are subject to Human Medicines Regulations 2012, Part 11, and Schedule 12A, which requires MHRA to share all Yellow Card reports about potential side effects to medicines with the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies, however we remove all the person identifiers before sharing the reports. Post 31st December 2020 this legislation should be viewed in association with the Exceptions and modifications to the EU guidance on good pharmacovigilance practices that apply to UK marketing authorisation holders and the licensing authority.
Northern Ireland reports
Reports are identified as being from Northern Ireland (NI) if the reporter postcode begins with ‘BT’. According to the Northern Ireland Protocol, NI remain under European Pharmacovigilance Legislation, and therefore Directive 2010/84/EU and Regulation (EU) 1235/2010 apply, which requires MHRA to share all Yellow Card reports about potential side effects to medicines with the European Medicines Agency (EMA), however we remove all the person identifiers before sharing the reports. In line with the legislation, the EMA also makes this information available to the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies.
We may also share anonymised reports with other government departments or public health bodies where the report is relevant to the work of the department. This is shared to support safety monitoring activities and regulatory decisions.
We will also provide a copy of your report to your healthcare provider where you have requested this.
11. Contacting Us
If you have any queries about your Yellow Card report or wish to exercise your rights under UK GDPR, please contact the MHRA at email@example.com.
If you have queries or concerns about how the MHRA protects and uses your personal data, please contact us at firstname.lastname@example.org in the first instance. You may also contact DHSC’s Data Protection Officer, email@example.com.
Alternatively, you can contact us in writing:
The Medicines and Healthcare products Regulatory Agency
Data Protection Officer
10 South Colonnade
London E14 4P
Department of Health and Social Care
Data Protection Officer
39 Victoria Street
London SW1H 0EU
12. The Information Commissioner’s Office
If you have concerns about how we are processing your personal data and are unable to resolve them with us, you can seek independent advice from, or make a complaint to, the Information Commissioner’s Office. Please see their website for details of the ways in which you can contact them: https://ico.org.uk/global/contact-us/.