The Patient Safety Commissioner (PSC) acts as a champion for patients and works to drive improvement in the safety of medicines and medical devices.
Dr Henrietta Hughes, the PSC, is an independent point of contact for patients, giving voice to their concerns with regard to medicines and medical devices. She will support the NHS and government to better understand what they can do to put patients first, promote the safety of patients, and the importance of the views of patients and other members of the public.
The PSC is the data controller. The PSC is registered with the Information Commissioner’s Office with reg. number ZB532470.
What personal data the PSC collects
In order to fulfil her role as a voice for patients, the PSC will need to collect personal data. This will vary depending on the nature of her interactions with patients, but may include:
- date of birth
- mobile or home phone number
- email address
- geographical location
- nationality or immigration status
- information relating to the individual’s physical or mental health condition
- information relating to the individual’s sex life or sexual orientation
- information which relates to the ethnic origin of the individual
- information relating to the individual’s religion or other beliefs.
The website also collects information relating to usage and may place certain essential and optional cookies on your device. Cookies are small files to enable a site or service provider’s systems to recognise your browser and capture and remember certain information.
You can view a list of cookies and other information we collect for technical purposes, and opt out of any non-essential cookies: https://patientsafetycommissioner.org.uk/data-and-cookies
How the PSC uses your data (purposes)
The PSC and her staff need to collect and hold personal data to understand the views of patients with regard to medicines and medical devices. While the PSC will not act on behalf of individuals, it is their insight that helps her understand what improvements patients wish to see with regard to medicines and medical devices, and to convey that understanding and her recommendations for improvement to the health system.
Legal basis for processing personal data
Under Article 6 of the United Kingdom General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
(e) Necessary task in the public interest or controller’s official authority.
This is in line with the PSC’s functions as outlined in Part 1 of the Medicines and Medical Devices Act 2021.
Under Article 9 of the UK GDPR, the lawful bases we rely on for processing special category data are:
(h) Necessary for the purposes of preventive or occupational medicine, the provision of health or social care or treatment or the management of health or social care systems and services.
Data processors and other recipients of personal data
While we do not envision the requirement to share identifiable data with other organisations (such as other government departments or healthcare organisations) in order for the PSC and her staff to carry out their duties as described above, there may be circumstances where this is required, including (but not limited to):
- where there is a business need to do so, should we use any third parties to process data on our behalf (such as consultation exercises)
- where we are under a duty to do so in order to comply with a legal obligation, or we are permitted to do so to protect the rights, property, or safety of others (such as sharing with police forces and other law enforcement organisations)
- where our nominated website support supplier (STCS Limited) requires access to our database and/or systems to provide technical maintenance and support. Such access is governed by a contract between the PSC and STCS Limited, including data protection clauses.
Where this is necessary, we will ensure all aspects of data protection legislation are complied with, including (where appropriate) the requirement to inform data subjects.
International data transfers and storage locations
All personal data that the PSC’s Office processes is securely stored within the UK.
Retention and disposal policy
Any personal data processed by the PSC’s Office will only be held for as long as is required for the PSC to fulfil her statutory functions.
How the PSC keeps your data secure
The PSC and staff are required by government to complete mandatory information security and data protection training as required. All data is processed and stored securely on servers based in the UK and is only accessed by those authorised to do so by the PSC.
Your rights as a data subject
By law, data subjects have a number of rights, and this processing does not take away or reduce these rights under the EU General Data Protection Regulation (2016/679) and the UK Data Protection Act 2018.
These rights are:
- the right to get copies of information – individuals have the right to ask for a copy of any information about them that is used
- the right to get information corrected – individuals have the right to ask for any information held about them that they think is inaccurate, to be corrected
- the right to limit how the information is used – individuals have the right to ask for any of the information held about them to be restricted, for example, if they think inaccurate information is being used
- the right to object to the information being used – individuals can ask for any information held about them to not be used. However, this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
- the right to get information deleted – this is not an absolute right, and continued use of the information may be necessary, with individuals being advised if this is the case
Comments or complaints
Anyone unhappy with, or wishing to complain about, how personal data is used as part of this programme should contact in the first instance: [email protected].
Anyone who is still not satisfied can complain to the Information Commissioner’s Office.
Automated decision-making or profiling
No decision will be made about individuals solely based on automated decision-making (where a decision is taken about them using an electronic system without human involvement) which has a significant impact on them.
Changes to this policy
This privacy notice is kept under regular review, and new versions will be available on our privacy notice page on patientsafetycommissioner.org.uk. This privacy notice was last updated on 2 May 2023.