- is for people whose personal data we hold and use;
- applies to all personal data held by us or by third parties on our behalf;
- sets out our overall approach to data protection compliance;
- has been produced with clarity in mind.
We (the HCPC) are a ‘Data Controller’ as defined in the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018 (DPA). This means that if we collect and use personal and sensitive data about you we must comply with the requirements set out in the UK GDPR and DPA.
This policy also serves as a privacy notice under the UK GDPR.
- If you are applying for registration or are a registrant:
- If you are a graduate of a HCPC approved course
- If you raise a concern with us about a registrant
- If you are applying for a post or are a current or former employee or HCPC ‘partner’:
- If you are a member of the public:
- If you use the HCPC website or subscribe to our newsletter
8. Contact us
- We recognise that your privacy is important and that we have a responsibility to you when handling your personal data.
- We only use personal data to perform our functions as a statutory regulator of health and psychological professionals, for purposes related to those functions, and to enable analysis of those professions that we regulate.
- We take appropriate steps and put adequate technical measures in place to protect your personal data against misuse. We are ISO27001 certified, this is a best practice standard for data security.
- We will never provide your personal data to third parties for their marketing purposes.
- If we plan to make substantial changes to the way we use personal data or the personal data we collect, we will undertake a Data Protection Impact Assessment in accordance with the ICO's guidance.
- We will ensure your personal data is used according to the principles set out in UK GDPR and the DPA unless an exemption applies.
We are a statutory regulator, and our role is to protect the public. To do this, we keep a register of health and care professionals who meet our standards for their training, professional skills and behaviour.
Our primary purposes for processing personal data under the UK GDPR are ‘in the exercise of official authority’ as part of our ‘public task’, ‘in the public interest’, or .’to protect the vital interests of the data subject or other natural person’.
The law that sets out our functions and powers is the Health Professions Order 2001, which can be read here;
We also use personal data to:
- comply with legal obligations, for example sharing information with the tax authorities;
- fulfil our contractual obligations, for example using personal data to pay our employees;
- communicate with people who have asked us to provide them with information about regulation and our regulatory activities.
Our use of your personal data will depend on your relationship with us.
If you are applying for registration or are a registrant:
- processing and managing your application, including verifying the information you have provided. In doing so, we may share it with third parties (such as referees, education providers, plagiarism detection services, other regulators or employers);
- registrant data is held on the HCPC register;
- managing your registration, including maintaining the accuracy of the HCPC register and the information we hold about you;
- sending you registration renewal reminders and communicating with you for any other reason related to your registration;
- responding to public enquiries about your registration status;
- managing and developing our relationship with you, including inviting you to events that we are holding and sending you guidance and other information about professional practice;
- investigating complaints made about or by you and publishing the outcome of any investigation or hearing.
If you are a graduate of a HCPC approved course
- we are required by the Health Professions Order 2001 to make sure that HCPC registrants have the necessary qualifications and have received such qualifications within five years before their application for registration;
- when you pass your course on a HCPC approved course, your course provider will tell us so that we know you have the right qualification to register;
- The institution’s pass list will include your name, date of birth, email address, mode of study, programme name, date of qualification, prescribing rights (where applicable). This information is added to our database. We use this information to verify your qualification details when you apply for registration.
If you raise a concern with us about a registrant
- processing and managing your complaint, including sharing your complaint with relevant third parties during the course of any investigation;
- normally, if an investigation progresses, we will have to disclose your identity to the registrant you have raised a concern about. We will try to respect any request by you not to be identified, but it may not be possible for us to pursue your complaint on an anonymous basis;
- keeping your personal information on file as part of the record of your concern.
If you are applying for a post or are a current or former employee or HCPC 'partner':
- processing and managing your application, including verifying the information you have provided. In doing so, we may share it with third parties (such as referees, education providers, other regulators or employers);
- sharing with third parties who provide payroll services or pension administration services for us;
- creating and maintaining your personnel or partner file;
- managing and developing our relationship with you;
- investigating concerns raised about or by you in your capacity as an employee or partner;
- fulfilling legal or regulatory requirements if necessary.
If you are a member of the public:
- maintaining contact with you, managing and developing our relationship with you;
- responding to your enquiries and providing you with relevant information or services;
- investigating concerns raised by you about any of our services, employees or partners;
- obtaining further information in respect of any enquiry or complaint made by you and holding details on file in connection with this.
If you use the HCPC website or subscribe to our newsletter
- We will not contact you unless you specifically agree to be contacted for specified purposes at the time you submit your information on the site, or at a later time if you sign up specifically to receive such information.
- Where you have opted-in to future communications, we will, on each subsequent communication, offer you an easily executable 'opt-out' option, which will allow you to remove yourself from any future mailings.
Further information about the personal data we use and how we use it can be found in:
Our entry in the register of data controllers on the ICO website;
Our Data Retention Schedule - this tells you how long we will hold your personal data;
Our personal data map - this outlines the people whose data we hold, the types of data we hold, where we receive the data from, who we share it with and our legal basis for using it.
Our Fitness to Practise publication policy - this policy sets out our approach to publishing information about our fitness to practise hearings.
We will never provide your personal data to third parties for their marketing purposes.
We are required to make some information about our registrants publicly available on the register. The categories of information displayed for registrants found using the register search are as follows:
- Registration number
- Period of registration
This information may be used by third parties in the provision of their services to validate persons employed as registrants of the HCPC.
We share information about whether a registrant is subject to an investigation under our fitness to practise procedures when it is necessary to assist organisations who have a legitimate or statutory interest in this information.
We have signed a number of information sharing agreements, called memorandums of understanding (MoUs), with other public bodies. An MoU is an agreement by two or more organisations committing them to work together to support common goals.
All of our MoUs aim to protect the public through effective intelligence sharing. This can include sharing your personal data if this is necessary to achieve this aim. More information about our MoUs can be found at the following link;
Data sharing with public bodies
We may also share information with government departments and government bodies that provide funding to HCPC or have an interest in HCPC's activities. Information is passed to government departments and government bodies for analysis purposes. We will only share your data where a specific data sharing agreement or memoranda of understanding is in place, in order to respect the security of your personal data and treat it in accordance with the law.
If you are registered on our register of health and care professionals, we may share your name, nationality, contact ID, HCPC registration number (PIN), registration status, the date you were first registered with us, the date your registration lapsed (if no longer active), your registration profession, modality, year of birth, gender, practice outcode (the first half of your postcode) qualifications leading to registration and your recorded qualification, and institutions where those qualifications were obtained and/or where you completed your studies, with Health Education England (‘HEE’). We share that data to enable HEE to undertake analysis of trends in the workforce of allied health professional (‘AHPs’) that HCPC regulates, to develop better workforce planning and modelling, and monitoring progress against HEE’s national mandate of growing the AHP workforce (including monitoring progress against the national target for AHPs returning to practice)
We have contracts with suppliers (data processors) to carry out certain activities or services on our behalf. These include providers of legal support, translation, research and monitoring services, plagiarism detection services, printers, transcribing services and bulk mail delivery.
Sometimes in order to perform these services our suppliers require access to some of the personal data the HCPC holds.
If we provide a supplier with your personal data, we will ensure an appropriate contract is in place that specifies how the supplier must handle your personal data and restricts any further use of the data which we have not permitted.
We will ensure the supplier has adequate technical and organisational measures in place to protect your data and we will specify how your personal data should be returned or disposed of when the service ends.
We conduct and commission research which is relevant to our regulatory functions and in the public interest.
We process personal data in carrying out research for the purpose of our public task, only when that it is necessary for the exercise of the HCPC’s statutory functions and is carried out in the public interest. Where the processing includes special category data, it is also on the basis that this processing is necessary for our public task.
We share personal data with researchers if it is necessary to do so for our public task. We make sure that any such third parties to whom data is provided sign an agreement which includes appropriate confidentiality and data protection clauses. We only share what is necessary for the research, using secure methods.
Where possible we provide researchers with anonymised or pseudonymised data for research purposes.
The UK GDPR requires us to ensure that any personal data we hold is:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date, having regard to the purposes for which they are processed, and erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
- processed in an appropriately secure manner which protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures
The UK GDPR provides you with the following general information rights:
- the right to be informed;
- the right of access;
- the right to rectification;
- the right to erasure;
- the right to restrict processing;
- the right to data portability;
- the right to object;
- rights in relation to automated decision making and profiling.
Some of these rights do not apply or may be limited where we use your data to help us undertake a task in the exercise of our official authority or in the public interest
Your right to be informed
- We will be transparent about our use of your personal data.
- We will inform you of the reasons why we use your data and our legal basis for using your data.
- We will provide you with specific information when we collect your data if you apply for registration or raise a concern about a HCPC registrant.
Your right of access
- You can request to receive a copy of the personal information we hold about you. This is called a subject access request. There is usually no charge for making a request. But we have the right to request a fee if the request is unfounded or excessive.
- You can make a subject access request by writing to the Data Protection Officer using the details given at the end of this policy.
- We may need to ask you to confirm your identity in order to protect your data from unauthorised disclosure.
- If your request is manifestly unfounded or excessive, in particular because it is repetitive, we can refuse to respond. We will always advise you if we take this decision.
Your right to rectification
- You can request that we correct your personal data if you believe the data we hold is inaccurate.
- Your request can be made orally or in writing.
- If you are a registrant, partner or employee, you are able to update your personal contact details through the relevant online portal at any time.
- We will require documented official evidence to make changes.
Your right to erasure
- This right is also known as 'the right to be forgotten'.
The right to erasure does not apply if your data is used to help us undertake a task carried out in the exercise of our official authority or in the public interest.
Your right to restrict processing
- If you raise a concern about our processing of your data, you can restrict the way that we use your data while we consider your concern.
- You will need to explain your reason for wanting the restriction. This may be because you believe it is inaccurate and have requested that we rectify this.
- If our processing of your data is restricted, we can still store your data, but we cannot use it.
- Restrictions on our processing will normally only be temporary, while we consider your request for rectification or your concern about our processing.
Your right to data portability
- This right allows consumers to easily switch between service providers by obtaining their personal data in an easily re-useable format.
This right only applies when data processing is carried out by automated means. As we do not process your personal data in this way, this right does not apply to the data we hold.
Your right to object
- If you do not want us to process your data any more, you can request that we stop.
- You will need to explain to us your reason for wanting the processing to stop.
- We are required by law to undertake certain tasks in the public interest. If processing your data is needed to perform these tasks it is likely that we will be unable to agree to stop processing your data.
- We may also refuse to stop processing your data if we can demonstrate that our reasons for processing your data are more compelling than your reasons for wanting us to stop.
If we do refuse to stop, we will explain our reasons to you.
Your rights in relation to automated decision making and profiling
- You have a right to stop your personal data being used to make decisions about you without human involvement.
We do not use your data to carry out any profiling or automated decision-making.
If you choose to exercise any of your rights, we will respond to your request within one calendar month.
If your request is particularly complex or large, we may extend this timeframe by a further two months. We will inform you if we need to extend our response time.
Our designated Data Protection Officer is our Head of Governance. You can contact us regarding your information rights, or other parts of this policy, using the contact details below;
Data Protection Officer
184 Kennington Park Road
Tel: 0207 840 1743
You can contact the Information Commissioner’s Office (ICO) to discuss any concerns you have about our processing of your personal data.
Information Commissioner's Office
Tel: 0303 123 1113
We keep our privacy notice under regular review. This privacy notice was last reviewed on 14 September 2023.
A controller determines the purposes and means of processing personal data. The HCPC is a data controller.
A processor is responsible for processing personal data on behalf of a controller according to clear instructions. They are not able to use the data for any other purpose.
Data Protection Act 2018 (DPA)
The Data Protection Act 2018 is the UK’s implementation of the EU GDPR in primary legislation. It sits alongside and supplements the UK GDPR for example by providing exemptions.
Data Protection Officer
A Data Protection Officer is the lead for Data Protection within an organisation. They have specialist knowledge and act as a source of advice on Data Protection issues.
An individual who is the subject of personal data. If the data is yours, you are the data subject.
UK General Data Protection Regulations (UK GDPR)
The UK General Data Protection Regulation (UK GDPR) is a legal framework that sets rules for the collection and processing of personal information of individuals within the UK. It came into effect on 1 January 2021 and is based on the EU GDPR.
Information Commissioners Office (ICO)
The ICO is the UK regulator of Data Protection rights. You can contact them if you have concerns about how your personal data is being used or how your rights have been respected. They also regulate access to public information (Freedom of Information).
Any information relating to an identifiable person who can be directly or indirectly identified by that data or that data combined with other data.
Almost anything you do to personal data can be called processing. This includes, recording, storing, sharing, amending or destroying data.
Special Category Personal Data
Special category data is personal data which the UK GDPR says is more sensitive, and so needs more protection.
The UK GDPR defines special category personal data as personal data that reveals any of the following about an individual: racial or ethnic origin; political opinions; religious or philosophical beliefs; or trade union membership.
Personal data that consists of genetic data; biometric data used for the purpose of identifying an individual; data concerning health; or data concerning an individual’s sex life or sexual orientation.