
Privacy Policy

This Privacy Policy sets out the manner in which the Yellow Card scheme website (www.mhra.gov.uk/yellowcard) and Yellow Card app process personal data gathered from users. It outlines the importance of the data and explains your rights under both the UK General Data Protection Regulation 2016/679 (UK GDPR) and the Data Protection Act 2018 (DPA).

Please note that we do not accept responsibility or liability for any external websites that you may access via a link from this website. External websites will have their own privacy policies, which you should read.

This page was last updated: November 2023

Version 5.0

1. Who are we?

The Medicines and Healthcare products Regulatory Agency (the MHRA) is an Executive Agency of the Department of Health and Social Care (DHSC). The DHSC together with its Executive Agencies is a single legal entity (or ‘controller’) for the purposes of data protection law. The Agency carries out controller functions for the personal data for which it is responsible. These responsibilities include determining the purposes and means of processing the personal data.

You will find further information about the MHRA and DHSC on www.gov.uk.

2. Why do we need your information?

The MHRA acts on behalf of the Ministers to protect and promote public health and patient safety by ensuring that medicines and medical devices meet appropriate standards of safety, quality, performance and effectiveness.

The Yellow Card scheme is the UK system for collecting and monitoring information on suspected safety concerns or incidents involving: medicines, medical devices and e-cigarette devices and liquids. The scheme is run by the MHRA and currently relies on voluntary reporting of suspected safety concerns or incidents by healthcare professionals and members of the public (patients, users, or carers). The purpose of the scheme is to provide an early warning that the safety of a product may require further investigation.

The Yellow Card website and Yellow Card app allow reports to be made for suspected side effects to all medicines, including vaccines, blood factors and immunoglobulins, herbal medicines and homeopathic remedies, as well as all adverse incidents associated with all medical devices (including software, apps and artificial intelligence) available on the UK market. Since 20 May 2016, the MHRA has also collected reports of safety concerns associated with e-cigarette products and their refills through the Yellow Card scheme. Our purpose is to investigate these reports and take any necessary regulatory action in line with our statutory duties to monitor the safety of healthcare products in the UK.

We may occasionally conduct surveys of users of the Yellow Card website or Yellow Card app to help improve the user experience, or get in touch with reporters to develop case studies that increase awareness about reporting to the Yellow Card scheme, e.g. for use in campaigns.

Whenever we process personal data, we will ensure that we comply with the data protection principles, so that your personal data is:

  • processed fairly, lawfully and transparently

  • processed for specific and legitimate purposes 

  • adequate, relevant and limited to what is necessary

  • accurate and kept up to date where necessary

  • kept in an identifiable form no longer than necessary for the purpose

  • processed securely – we will put in place appropriate technical and organisational measures to safeguard your information

3. Our lawful basis

Our lawful basis for processing your personal data is UK GDPR Article 6(1)(e), which allows us to process personal data when this is necessary to perform our public tasks as a regulator.

Yellow Card reports require some information about the individual affected. If you are submitting a report about yourself, the information will relate to you and include some special category personal data, such as information about your health or ethnicity. The lawful bases we rely on to process special category personal data are Article 9(2)(i) of the UK GDPR and Schedule 1, paragraph 3 of the DPA, both of which enable us to process such information when it is necessary for reasons of public interest in the area of public health.

Where we share Yellow Card data for scientific or public health research purposes, we rely on UK GDPR Article 9(2)(j) as our lawful basis for processing special category personal data and Schedule 1, paragraph 4 of the DPA. These bases permit us to process personal data for these purposes where it is in the public interest, subject to appropriate safeguards to protect your rights and freedoms.

4. Who do we collect data from?

We collect data from anyone who accesses the Yellow Card website or Yellow Card app. We also collect data when a Yellow Card report is submitted.

We encourage reports from the individual affected, their friends and relatives, healthcare professionals and manufacturers of medical devices – anyone may submit a Yellow Card on their own or someone else’s behalf.

The MHRA complies with the national data opt-out. For more information, please see the NHS Data Matters webpage.

5. What personal data do we collect?

When you visit the website or app

Our cookies capture certain online identifiers and information when you visit our Yellow Card website or use the Yellow Card app. For more information about this or how to manage your preferences, please read our cookie policy.

When you register for an account

You may register with the Yellow Card website or Yellow Card app by providing your name and contact details; however, registering is not essential for use. We provide this option as registering enables you to submit reports without requiring multiple entry of your details. Once registered, you can also view previously submitted reports.

When you report a Yellow Card

To submit a Yellow Card report, we require certain personal data. We ask for the reporter’s name and contact details so that we can get in touch if we need more information. We also require health and demographic details (such as age, sex, ethnicity etc) of the person affected by the incident to understand the impact on different populations.

We collect data on the reporter and the individual affected; this will be the same person if you are reporting about yourself.

We may collect the following personal data about the reporter:

  • title, first name, last name

  • email address

  • postal address and telephone number

  • job title and organisation details if the reporter is a healthcare professional or manufacturer representative

We may collect the following personal data about the individual affected, including special category data:

  • at least one of the following characteristics: initials, age, sex, weight, height or a local identifier

  • ethnicity 

  • information about the suspected product and a description of the adverse incident

  • health data, including medical history and medications

We collect NHS Numbers on a voluntary basis. This number, and other data, such as postal address, may be used to link the Yellow Card submissions to electronic healthcare record data as set out below.

NHS number linkage may be used in the following ways:

  • With your permission, we may collect information, such as product brand and batch, from your NHS patient record to auto-populate the report. This will simplify the user journey as well as ensure complete and accurate data.

  • We may perform data analysis across Yellow Card reports and patient records to ensure individuals’ data is not duplicated in analyses and that we can maximise our understanding of the real-world benefit-risk balance of medicinal products.

We may contact reporters to request further information where it would be helpful in our assessment of the Yellow Card report. We may share a Yellow Card report with a patient’s healthcare professional, where contact details and permission have been provided. If it would also be helpful in our assessment of the Yellow Card report, we may request further information from a patient’s healthcare professional, where contact details and permission have been provided.

We may contact reporters to invite them to participate in our Yellow Card Biobank pilot, a research project investigating genetic risk factors associated with development of adverse drug reactions. To find out more information, please visit the following site: https://yellowcard.mhra.gov.uk/biobank

Registered users are asked about their preferences for receiving communications. These communications relate to promotional activities or sharing of information and are unrelated to the collection of follow-up information or acknowledgement when an account deletion request has been received. Where a follow-up request is required we will try to contact you regardless of communication preferences. This is to ensure the MHRA can fulfil our duties under our Public Task as a regulator.

6. Your rights

Data protection law gives you certain rights when we process your personal data. Some of these rights are restricted - how they apply depends upon the Agency’s legal basis in processing your data, and other factors. These rights are set out in UK GDPR Articles 12 - 23: 

  • right to be informed

  • right of access 

  • right to rectification

  • right to erasure 

  • right to restrict processing

  • right to data portability

  • right to object

  • rights related to automated decision making including profiling

You can find out more about when these rights apply by visiting Your Data Matters at the Information Commissioner's Office website or see Section 11 below to contact us for further information.

7. Our data processors

We use third party data processors who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot process your personal data unless we have instructed them to do so. They may not share your personal data with any other organisation. They will hold it securely and retain it for the period we instruct.

Our third party processor hosts and manages the Yellow Card website and Yellow Card app under our instruction as our data processor. We also have processor contracts with other IT service providers. One IT service provider has offices in India. We have appropriate safeguards in place that contain enforceable data subject rights and effective legal remedies for the individuals whose data we are processing.

8. How long do we keep your personal data?

We only keep your personal data for as long as necessary to fulfil the purpose we collect it for, including reporting or legal requirements.

If you have registered on the Yellow Card website or Yellow Card app, we will retain your personal data as long as you are registered to use the services. You have the right to erase your registration details by closing your Yellow Card account. This can be done by emailing yellow.card@mhra.gov.uk. Please note that deleting your account will not delete any Yellow Card reports you may have submitted, given that these contain potential safety information about a medicine, medical device or e-cigarette. However, we may remove personal identifiers from these reports if you request this under your right to erasure. 

We keep Yellow Card reports for the retention period provided below.

Medicines and Vaccine side effects

  • Retention period: At least 10 years following withdrawal from the market

  • Relevant legislation: Human Medicines Regulations 2012 Schedule 12A paragraph 16(3)

Defective medicines and vaccines

  • Retention period: At least 10 years following withdrawal from the market

  • Relevant legislation: Human Medicines Regulations 2012 Schedule 12A paragraph 16(3)

E-cigarette side effects

  • Retention period: At least 10 years following withdrawal from the market

  • Relevant legislation: As e-cigarettes can be licensed as medicines, the Human Medicines Regulations 2012 Schedule 12A paragraph 16(3) applies

Device incidents

  • Retention period: At least 10 years following withdrawal from the market

  • Relevant legislation: Retention derived from similar data held, in discussion with Data Protection team and divisional advice.

Fake medical products

  • Retention period: At least 10 years following withdrawal from the market

  • Relevant legislation: Human Medicines Regulations 2012 Schedule 12A paragraph 16(3)

9. Sharing your information

Sharing of personal data in Yellow Card reports

We will not share your information with any third parties for the purposes of direct marketing.

We will not share your personal data with any person outside the MHRA unless we are required or permitted to do so by law.

We may share your personal data if we receive a court order to do so. We may also receive requests for Yellow Card report data under the Freedom of Information Act 2000. While we are legally obliged to respond to those requests, disclosure of personal data would breach data protection principles and accordingly, we rely on exemptions in the Freedom of Information Act 2000 that allow us to routinely withhold personal data from a requester.

Sharing Yellow Card reports for research and learning purposes

The Yellow Card database holds information of value to public health and patient care and as a result we may receive requests for the information contained in Yellow Card reports for academic research purposes that have potential scientific and / or significant public health value. All applications for research using Yellow Card data will be reviewed and approved by an independent advisory Committee to ensure patient and reporter confidentiality is respected, and that information from Yellow Card reports which may indirectly identify individuals is used appropriately.

Data may be published in an aggregated format in accordance with Regulation 178(d) of the Human Medicines Regulations 2012, and section 39(2) of the Medicines and Medical Devices Act 2021. These provisions allow the MHRA to make data available to the public about potential safety concerns with medicines and medical devices, subject to ensuring requirements of data protection legislation are met. We may also share anonymised reports with other government departments or public health bodies, for example where the report is relevant to the work of the department for patient safety learning or if they have been commissioned by the MHRA.

This may include sharing datasets with our regional Yellow Card Centres, or sharing subsets of data with local Medication Safety Officers and Medical Device Safety Officers who have a responsibility for promotion of reporting and educating reporters locally. Sharing this data supports safety monitoring activities and regulatory decisions.

Where sharing of reports with personal data is required in order to fulfil our public task, this will be done in line with UK GDPR requirements or Control of patient information (COPI) notice requirements.

We may also provide a copy of your report to your healthcare provider where you have requested this. 

Sharing Yellow Card reports with other stakeholders

Reports related to side effects to medicines

UK reports (excluding Northern Ireland)

UK reports (excluding those from Northern Ireland) are subject to Part 11 and Schedule 12A of the Human Medicines Regulations 2012, which require MHRA to share all Yellow Card reports about potential side effects to medicines with the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies. Reporters of Yellow Cards are responsible for taking reasonable steps to protect personal information against unauthorised disclosure. Reporters should not include personal data within a Yellow Card report outside of fields where it is specifically requested.

HMR was amended from EU Law post Brexit and so the HMR should be viewed in association with a document called the Exceptions and modifications to the EU guidance on good pharmacovigilance practices that apply to UK marketing authorisation holders and the licensing authority.

Northern Ireland reports

Reports are identified as being from Northern Ireland (NI) if the reporter’s postcode begins with ‘BT’. According to the Northern Ireland Protocol, NI remains under European Pharmacovigilance Legislation, and therefore Directive 2001/83/EU and Regulation (EU) 726/2004 apply, which require MHRA to share all Yellow Card reports about potential side effects to medicines with the European Medicines Agency (EMA). In line with this legislation, the EMA also makes this information available to the World Health Organisation’s Uppsala Monitoring Centre and pharmaceutical companies.

Reporters of Yellow Cards are responsible for taking reasonable steps to protect personal information against unauthorised disclosure. Reporters should not include personal data within a Yellow Card report outside of fields where it is specifically requested.

Reports related to defective medicines

Reports related to potentially defective medicines will be sent to the pharmaceutical company that holds the licence for the medicine. We remove any personal data before providing the information, unless the reporter gave consent for us to share their contact details when they submitted the report. If the reporter has provided an image of the product or packaging, we will remove any personal data from the image before sharing. Reporters of Yellow Cards are responsible for taking reasonable steps to protect personal information against unauthorised disclosure. Reporters should not include personal data within a Yellow Card report outside of fields where it is specifically requested.

Reports related to counterfeit or fake medicines

We may send reports related to potentially counterfeit or fake medicines to a number of regulatory or law enforcement bodies as part of our investigation of potential criminality, as it is our Public Task to do, as outlined in Article 6(1)(e) of the UK GDPR. Such bodies may include the General Medical Council, Nursing and Midwifery Council, General Pharmaceutical Council, National Crime Agency, Police Forces and Action Fraud. If the reporter has provided an image of the product or packaging, we will remove any personal data from the image before sharing. Reporters of Yellow Cards are responsible for taking reasonable steps to protect personal information against unauthorised disclosure. Reporters should not include personal data within a Yellow Card report outside of fields where it is specifically requested.

Reports related to e-cigarettes

MHRA is responsible for nicotine-containing e-cigarettes and refill containers (e-liquids) under Part 6 of The Tobacco and Related Products Regulations 2016 (TRPR). We may send anonymised information from a Yellow Card report related to these products to other government and law enforcement agencies, including the Department of Health and Social Care (DHSC), Public Health authorities and Trading Standards who we work with to enforce the TRPR. This enables us to undertake safety assessments and for Trading Standards to carry out its law enforcement function by investigating and removing potentially non-compliant or unsafe products. We may also share information for the purpose of protecting the public’s health where the suspected product falls outside the MHRA’s remit.

Reports related to tobacco products will be shared with DHSC’s Office for Health Improvement and Disparities who are responsible for these products under TRPR.

Reports related to the sale of unnotified e-cigarette products and safety concerns related to potential e-cigarette device faults may be shared with Trading Standards to investigate and carry out any enforcement actions.

Reports related to nicotine-free e-cigarette products may be shared with Trading Standards who are responsible for these products under the General Product Safety Regulations.

We remove any personal identifiers before providing the information, unless the reporter has given explicit consent for us to share their contact details. Reporters of Yellow Cards are responsible for taking reasonable steps to protect personal information against unauthorised disclosure. Reporters should not include personal data within a Yellow Card report outside of fields where it is specifically requested.

Reports related to medical devices

The MHRA sends Yellow Card reports related to medical devices to the manufacturer to aid investigation into the safety of the devices.

The contact details provided in your report will be provided to the manufacturer for the purpose of aiding an incident investigation if you provide your consent. This will allow the manufacturer to contact you for further details about the device to support their investigation, if required.

We may share Yellow Card data with devolved administrations about reports that have been received from their territory.

The contact details provided in your report will be provided to the devolved administrations for the purpose of aiding an incident investigation, if you provide your consent. Reporters of Yellow Cards are responsible for taking reasonable steps to protect personal information against unauthorised disclosure. Reporters should not include personal data within a Yellow Card report outside of fields where it is specifically requested.

UK reports (excluding Northern Ireland)

The regulations in force in England, Scotland and Wales are the Medical Devices Regulations 2002 (SI 2002 No 618, as amended).

Northern Ireland reports

The regulations in force in Northern Ireland are:

  • the EU Medical Devices Regulation (2017/745)

  • the Medical Devices (Northern Ireland Protocol) Regulations 2021 (SI 2021 No 905)

  • the EU in vitro Diagnostic Medical Device Regulation (2017/746)

  • the Medical Devices Regulations 2002 (SI 2002 No 618, as amended)

10. Changes in our privacy policy

We will update this privacy policy when applicable to keep it up to date. If any change would result in us processing your personal data for a new purpose, we will inform you before we start using it in the new way.

11. Contacting Us

If you have any queries about your Yellow Card report or wish to exercise your rights under UK GDPR, please contact the MHRA at yellow.card@mhra.gov.uk.

If you have queries or concerns about how the MHRA protects and uses your personal data, please contact us at dataprotection@mhra.gov.uk in the first instance. You may also contact DHSC’s Data Protection Officer, data_protection@dhsc.gov.uk. Alternatively, you can contact us in writing:

The Medicines and Healthcare products Regulatory Agency, Data Protection Officer, 10 South Colonnade, Canary Wharf, London E14 4PU

Department of Health and Social Care, Data Protection Officer, 39 Victoria Street, London SW1H 0EU

12. The Information Commissioner’s Office

If you have concerns about how we are processing your personal data and are unable to resolve them with us, you can seek independent advice from, or make a complaint to, the Information Commissioner’s Office. Please see their website for details of the ways in which you can contact them: https://ico.org.uk/global/contact-us/.