Skip navigation

HCPC data protection policy and privacy notice


This policy:

  • is for people whose personal data we hold and use;
  • applies to all personal data held by us or by third parties on our behalf;
  • sets out our overall approach to data protection compliance;
  • has been produced with clarity in mind.

We (the HCPC) are a 'Data Controller' under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This means that if we collect and use your personal data we must comply with the requirements set out in the GDPR and DPA.

This policy also serves as a privacy notice under the GDPR.


1. Our commitment to data protection

2. Why we use personal data

3. How we use personal data

4. Data processors

5. Data protection principles

6. Your Information Rights

7. Contact us

8. Complaints

9. Definitions

1. Our commitment to data protection

  • We recognise that your privacy is important and that we have a responsibility to you when handling your personal data.
  • We only use your personal data to perform our role as a statutory regulator of health and psychological professionals.
  • We take appropriate steps and put adequate technical measures in place to protect your personal data against misuse. We are ISO27001 certified, this is a best practice standard for data security.
  • We will never provide your personal data to third parties for their marketing purposes.
  • If we plan to make substantial changes to the way we use personal data or the personal data we collect, we will undertake a Data Protection Impact Assessment in accordance with the ICO's guidance.
  • We will ensure your personal data is used according to the principles set out in the GDPR and the DPA unless an exemption applies.

2. Why we use personal data

We are a statutory regulator, and our role is to protect the public. To do this, we keep a register of health and care professionals who meet our standards for their training, professional skills and behaviour.

Our primary personal data processing purpose under the GDPR is 'in the exercise of official authority' or as part of our 'public task'.

The law that sets out our functions and powers is the Health Professions Order 2001, which can be read here;

Health Professions Order 2001

We also use personal data to:

  • comply with legal obligations, for example sharing information with the tax authorities;
  • fulfil our contractual obligations, for example using personal data to pay our employees;
  • communicate with people who have asked us to provide them with information about regulation and our regulatory activities.

3. How we use your personal data

How we use your data will depend on your relationship with us.

If you are applying for registration or are a registrant:
  • processing and managing your application, including verifying the information you have provided. In doing so, we may share it with third parties (such as referees, education providers, other regulators or employers);
  • managing your registration, including maintaining the accuracy of the HCPC register and the information we hold about you;
  • sending you registration renewal reminders and communicating with you for any other reason related to your registration;
  • responding to public enquiries about your registration status;
  • managing and developing our relationship with you, including inviting you to events that we are holding and sending you guidance and other information about professional practice;
  • investigating complaints made about or by you and publishing the outcome of any investigation or hearing.
If you raise a concern with us about a registrant
  • processing and managing your complaint, including sharing your complaint with relevant third parties during the course of any investigation;
  • normally, if an investigation progresses, we will have to disclose your identity to the registrant you have raised a concern about. We will try to respect any request by you not to be identified, but it may not be possible for us to pursue your complaint on an anonymous basis;
  • keeping your personal information on file as part of the record of your concern.
If you are applying for a post or are a current or former employee or HCPC 'partner':
  • processing and managing your application, including verifying the information you have provided. In doing so, we may share it with third parties (such as referees, education providers, other regulators or employers);
  • sharing with third parties who provide payroll services or pension administration services for us;
  • creating and maintaining your personnel or partner file;
  • managing and developing our relationship with you;
  • investigating concerns raised about or by you in your capacity as an employee or partner;
  • fulfilling legal or regulatory requirements if necessary.
If you are a member of the public:
  • maintaining contact with you, managing and developing our relationship with you;
  • responding to your enquiries and providing you with relevant information or services;
  • investigating concerns raised by you about any of our services, employees or partners;
  • obtaining further information in respect of any enquiry or complaint made by you.
If you use the HCPC website or subscribe to our newsletter
  • We will not contact you unless you specifically agree to be contacted for specified purposes at the time you submit your information on the site, or at a later time if you sign up specifically to receive such information.
  • Where you have opted-in to future communications, we will, on each subsequent communication, offer you an easily executable 'opt-out' option, which will allow you to remove yourself from any future mailings.

Further information about the personal data we use and how we use it can be found in:

Our entry in the register of data controllers on the ICO website;

ICO website

Our Data Retention Schedule - this tells you how long we will hold your personal data;

Data Retention Schedule

Our personal data map - this outlines the people whose data we hold, the types of data we hold, where we receive the data from, who we share it with and our legal basis for using it.

Personal data map

Our Fitness to Practise publication policy - this policy sets out our approach to publishing information about our fitness to practise hearings.

Fitness to Practise publication policy

4. Sharing your personal data

We will never provide your personal data to third parties for their marketing purposes.

We are required to make some information about our registrants publicly available on the register. The categories of information displayed for registrants found using the register search are as follows:

  • Name
  • Registration number
  • Location
  • Status
  • Period of registration

This information may be used by third parties in the provision of their services to validate persons employed as registrants of the HCPC.

We share information about whether a registrant is subject to an investigation under our fitness to practise procedures when it is necessary to assist organisations who have a legitimate or statutory interest in this information.

Public protection

We have signed a number of information sharing agreements, called memorandums of understanding (MoUs), with other public bodies. An MoU is an agreement by two or more organisations committing them to work together to support common goals.

All of our MoUs aim to protect the public through effective intelligence sharing. This can include sharing your personal data if this is necessary to achieve this aim. More information about our MoUs can be found at the following link;

Memoranda of understanding

We may also share information with government departments and government bodies that provide funding to HCPC or have an interest in HCPC's activities. Information is passed to government departments and government bodies for analysis purposes.

We will release your personal data when we are required to do so by law.

Data processors

We have contracts with suppliers (data processors) to carry out certain activities or services on our behalf. These include providers of legal support, translation, research and monitoring services, printers, transcribing services and bulk mail delivery.

Sometimes in order to perform these services our suppliers require access to some of the personal data the HCPC holds.

If we provide a supplier with your personal data, we will ensure an appropriate contract is in place that specifies how the supplier must handle your personal data and restricts any further use of the data which we have not permitted.

We will ensure the supplier has adequate technical and organisational measures in place to protect your data and we will specify how your personal data should be returned or disposed of when the service ends.

5. Data protection principles

The GDPR requires us to ensure that any personal data we hold is:

    • processed lawfully, fairly and in a transparent manner in relation to individuals;
    • collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
    • adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
    • accurate and, where necessary, kept up to date, having regard to the purposes for which they are processed, and erased or rectified without delay;
    • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
    • processed in an appropriately secure manner which protects against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures

6. Your information rights

The GDPR provides you with the following general information rights:

    • the right to be informed;
    • the right of access;
    • the right to rectification;
    • the right to erasure;
    • the right to restrict processing;
    • the right to data portability;
    • the right to object;
    • rights in relation to automated decision making and profiling.

Some of these rights do not apply or may be limited where we use your data to help us undertake a task in the exercise of our official authority or in the public interest

Your right to be informed

  • We will be transparent about our use of your personal data.
  • We will inform you of the reasons why we use your data and our legal basis for using your data.
  • We will provide you with specific information when we collect your data if you apply for registration or raise a concern about a HCPC registrant.

Your right of access

  • You can request to receive a copy of the personal information we hold about you. This is called a subject access request and is free of charge.
  • You can make a subject access request by writing to the Data Protection Officer using the details given at the end of this policy.
  • We may need to ask you to confirm your identity in order to protect your data from unauthorised disclosure.
  • If your request is manifestly unfounded or excessive, in particular because it is repetitive, we can refuse to respond. We will always advise you if we take this decision.

Your right to rectification

  • You can request that we correct your personal data if you believe the data we hold is inaccurate.
  • Your request can be made orally or in writing.
  • If you are a registrant, partner or employee, you are able to update your personal contact details through the relevant online portal at any time.

Your right to erasure

  • This right is also known as 'the right to be forgotten'.

    The right to erasure does not apply if your data is used to help us undertake a task carried out in the exercise of our official authority or in the public interest.

Your right to restrict processing

  • If you raise a concern about our processing of your data, you can restrict the way that we use your data while we consider your concern.
  • You will need to explain your reason for wanting the restriction. This may be because you believe it is inaccurate and have requested that we rectify this.
  • If our processing of your data is restricted, we can still store your data, but we cannot use it.
  • Restrictions on our processing will normally only be temporary, while we consider your request for rectification or your concern about our processing.

Your right to data portability

  • This right allows consumers to easily switch between service providers by obtaining their personal data in an easily re-useable format.

    This right only applies when data processing is carried out by automated means. As we do not process your personal data in this way, this right does not apply to the data we hold.

Your right to object

  • If you do not want us to process your data any more, you can request that we stop.
  • You will need to explain to us your reason for wanting the processing to stop.
  • We are required by law to undertake certain tasks in the public interest. If processing your data is needed to perform these tasks it is likely that we will be unable to agree to stop processing your data.
  • We may also refuse to stop processing your data if we can demonstrate that our reasons for processing your data are more compelling than your reasons for wanting us to stop.

    If we do refuse to stop, we will explain our reasons to you.

Your rights in relation to automated decision making and profiling

  • You have a right to stop your personal data being used to make decisions about you without human involvement.

    We do not use your data to carry out any profiling or automated decision-making.

Our response

If you choose to exercise any of your rights, we will respond to your request within one calendar month.

If your request is particularly complex or large, we may extend this timeframe by a further two months. We will inform you if we need to extend our response time.

7. Contact us

You can contact our designated Data Protection Officer regarding this policy or your information rights using the contact details below;

Data Protection Officer
184 Kennington Park Road
SE11 4BU

Tel: 0207 840 9710

8. Complaints

You can contact the Information Commissioner’s Office (ICO) to discuss any concerns you have about our processing of your personal data.

Information Commissioner's Office
Wycliffe House
Water Lane

Tel: 0303 123 1113

We keep our privacy notice under regular review. This privacy notice was last updated on 31 March 2020.

9. Explanation of key terms

Data Controller
A data controller determines the purposes and means of processing personal data. The HCPC is a data controller.

Data Processor
A data processor is responsible for processing personal data on behalf of a data controller. A data processor must act on the clear instructions of data controller and must not use the data for any other purpose.

Data Protection Act 2018 (DPA)
The DPA supplements the GDPR in the UK and sets out UK-specific requirements not covered by the GDPR.

Data Protection Officer
A Data Protection Officer is the lead person for data protection within an organisation. They have specialist knowledge and act as a source of advice on data protection issues.

Data Subject
An individual who is the subject of personal data. If the data is yours, you are the data subject.

General Data Protection Regulation (GDPR)
The GDPR is the European Union (EU) legal framework for the collection and processing of personal data (personal information about individuals)

Information Commissioners Office (ICO)
The ICO is the UK regulator of data protection rights. You can contact them if you have concerns about how your personal data is being used or how your rights have been respected. They also regulate access to public information (Freedom of Information).

Personal Data
Any information relating to an individual who can be directly or indirectly identified from that data or from that data when combined with other data.

Almost anything done to personal data is regarded as processing. This includes, recording, organising, storing, transmitting, sharing, amending or destroying data.

Special Category Personal Data
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.

Also see:

Tudalen wedi'i diweddaru ymlaen: 10/07/2018