Medicines & Healthcare products Regulatory Agency
The National Institute for Biological Standards and Control

Confidence in biological medicines


Privacy Notice 

At the National Institute for Biological Standards and Control (NIBSC) we are committed to protecting and respecting your privacy.

This privacy notice describes how we collect and use your personal data, in accordance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) 2016/679.

This privacy notice applies to anyone (except staff) whose personal data we might process, for example, members of the public, manufacturers, wholesalers, and other authorities.

If you work at NIBSC, please refer to our intranet for details of how we process your personal data – ex-members of staff should contact: dataprotection@mhra.gov.uk.

NIBSC complies with the national data opt-out. For more information, please see: https://www.nhs.uk/your-nhs-data-matters/

Who are we

NIBSC is one of the Medicines and Healthcare products Regulatory Agency’s (the Agency) three centres. The Agency is an executive agency of the Department of Health and Social Care (DHSC). DHSC and its executive agencies are a single legal entity (or controller) for data protection purposes.

You will find further information about DHSC, the Agency and its three centres on www.gov.uk and their related privacy notices are here: DHSC, the Agency, CPRD.




Contacting the Data Protection Officer

If you have queries about how the Agency or NIBSC protect and use your personal data, please contact dataprotection@mhra.gov.uk in the first instance. You may also contact the DHSC Data Protection Officer, at data_protection@dhsc.gov.uk. Alternatively, you can contact us in writing:

Data Protection Officer

Medicines and Healthcare products Regulatory Agency

10 South Colonnade

Canary Wharf

London

E14 4PU

Data Protection Officer

DHSC

1st Floor North

39 Victoria Street

London

SW1H 0EU

Our commitment to you

Whenever we process personal data we will ensure that we comply with the data protection principles, so that your personal data is:

  • processed fairly, lawfully and transparently
  • processed for the legitimate purposes that we have told you about in advance
  • adequate, relevant and limited to what is necessary
  • accurate and kept up to date where necessary
  • kept no longer than necessary for the purpose
  • processed securely – we put in place appropriate technical and organisational measures to safeguard your data

We will also:

  • seek your consent before making your personal data available for commercial use
  • make sure we have appropriate consent before offering information services to a child under 13 years of age
  • let you know beforehand if we want to use your data for a different purpose


Who do we collect personal data from?


We process personal information about:

  • members of the public
  • employees and former employees
  • customers and clients
  • attendees of conferences and workshops
  • university students and pupils
  • advisers, consultants and other professional experts
  • suppliers and service providers
  • complainants and enquirers
  • holders of public office
  • applicants to committees
  • members of advisory groups and committees
  • legal representatives
  • academics and researchers
  • health and care professionals
  • manufacturers and wholesalers of medicines and devices
  • pharmaceutical and scientific organisations
  • applicants for permits, licenses, certificate and permit holders

Why do we process your personal data

We need your personal data to fulfil our regulatory functions in assuring the quality of biological medicines through developing standards and reference materials, product control testing, and carrying out applied research; to answer your queries and continue to monitor and improve our services.

We collect your personal data when you use the NIBSC website or contact us through other channels.

We may use your information to:

  • conduct our regulatory and scientific functions
  • carry out collaborative work
  • let you know about our training events and workshops that you may wish to attend
  • fulfil our contractual obligations
  • provide you with information, products or services that you request from us
  • respond to general enquiries, complaints and Freedom of Information (FOI) requests
  • inform you of our policies, procedures, and services to the public, prospective customers, and partners
  • send you our newsletter/e-alerts (if requested) to let you know how and what we are doing as a regulatory science organisation
  • conduct online surveys and gain feedback to improve our services
  • notify you about changes to our services

If you visit our premises, we capture your image on a visitor’s pass or on CCTV for crime prevention and detection purposes and to ensure the health and safety of our staff and visitors.

We also use Google Analytics which captures information about your use of our website. This enables us to tailor our communications accordingly and present information in the most effective way for you. For details of this please refer to our cookie information.

What types of personal data do we process

Personal data refers to any information relating to an identified, or identifiable, living individual.

We process the following categories of personal data:

  • personal contact details, such as your name, title, job title, address(es), telephone numbers, and email address
  • date of birth
  • sex or gender
  • age
  • passport details: number, address, name
  • CVs and cover letters
  • educational/professional qualifications
  • bank details
  • IP address and location
  • CCTV video footage and photographs

We sometimes also process more sensitive types of personal information (also known as ‘special category data’):

  • racial or ethnic origin
  • political opinions, religious or philosophical beliefs
  • genetic data or biometric data
  • trade union membership
  • health information
  • sexual orientation or sex life

Lawful basis for processing your personal data

Article 6 of the GDPR sets out the six legal bases for processing that might apply, depending on the context. These are:

  • consent
  • contract
  • legal obligation
  • to protect someone’s life
  • public task
  • legitimate interests

We use the following lawful grounds for processing personal information to support our work:

When we carry out processing in pursuit of our statutory functions laid out in Section 57 of the Health and Social Care Act 2012, our lawful basis for processing your personal information falls under public task. This is where the processing is necessary for us to perform a task in the public interest and the task or function has a clear basis in law.

Our statutory functions relate to the standardisation and control of biological medicines to ensure their safety and efficacy. Depending upon the relationship you have with us, we have outlined the purposes for which we might process your personal data.

We rely on a contractual obligation to process your data when you purchase products or contact us with an enquiry. Without it we would be unable to respond appropriately.  

We may rely on your consent for some communications such as direct marketing purposes. Where this is the case, you have the right to withdraw your consent, by contacting the Agency’s Data Protection Officer (see below).

Sometimes we have a legal obligation to disclose personal information to a third party, for example, to the police for crime prevention or detection purposes.

Your rights

Data Protection law gives you certain rights when we process your personal data. Some of these are restricted – how they apply depends upon the Agency’s legal basis in processing your data, and the context. The rights are to:

  • be told that we are processing your data and why
  • receive a copy of your data (right of access)
  • ask for your data to be corrected
  • ask us to erase your data
  • restrict processing
  • data portability
  • object to the processing
  • be told if we use automated decision making or profiling

If you would like to find out more about your rights, please contact our Data Protection Officer at dataprotection@mhra.gov.uk.

Subject access request

The UK GDPR gives you the right to obtain a copy of your personal data, as well as other supplementary information. This is known as a subject access request (SAR).

To find out if we hold your personal data, or to access it please email: dataprotection@mhra.gov.uk.

We will need evidence of your identity before searching our records and will respond within one month of receiving this. If we need extra time, we will inform you within the month.

Disclosing your information (3rd parties)

We sometimes need to share the personal data we control (and our data processors may also share information) with other organisations. Where this is necessary, we are required to comply with all aspects of data protection legislation. What follows is a description of the types of organisations we may need to share personal data we process for one or more reasons. Where necessary, required and within the law, we may share data with:

  • the individual whose data is being processed
  • other Government Departments, Executive Agencies and Arms Length Bodies
  • credit reference agencies
  • suppliers and service providers
  • debt collection and tracing agencies/organisations
  • financial organisations
  • health and care organisations
  • trade, employer associations and professional bodies
  • other statutory law enforcement agencies and investigative bodies
  • health, social and welfare advisers or practitioners
  • survey and research organisations
  • police forces and other law enforcement organisations
  • the Government Internal Audit Agency and other auditors as required
  • the Civil Service Commission
  • the Advisory Committee on Business Appointments
  • the Office of the Commissioner for Public Appointments
  • other regulators, such as the Information Commissioner’s Office
  • event organisers
  • pharmaceutical, device and scientific companies and organisations

Retention of your data

We keep your personal data for no longer than necessary to fulfil our purpose in processing it for business requirements, legal obligation, statutory or regulatory obligations and transactional purposes, in line with our Retention and Disposal Schedule.

Changes to the terms of this Privacy Notice

We will update this privacy notice when applicable. If any change would result in us processing your personal data for a new purpose, we would inform you before we start using it in the new way.

The Information Commissioner’s Office

For independent advice about data protection, privacy and data sharing issues you can contact the Information Commissioner’s Office at: https://ico.org.uk/global/contact-us/

 
 
 