HCPC - Health and Care Professions Council
Park House, 184 Kennington Park Road, London, SE11 4BU
+44 (0)300 500 6184

HCPC data protection policy and privacy notice


This policy:

We (the HCPC) are a 'Data Controller' under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This means that if we collect and use your personal data we must comply with the requirements set out in the GDPR and DPA.

This policy also serves as a privacy notice under the GDPR.


1. Our commitment to data protection

2. Why we use personal data

3. How we use personal data

4. Data processors

5. Data protection principles

6. Your Information Rights

7. Contact us

8. Complaints

9. Definitions

1. Our commitment to data protection

2. Why we use personal data

We are a statutory regulator, and our role is to protect the public. To do this, we keep a register of health and care professionals who meet our standards for their training, professional skills and behaviour.

Our primary personal data processing purpose under the GDPR is 'in the exercise of official authority' or as part of our 'public task'.

The law that sets out our functions and powers is the Health and Social Care Professions Order 2001, which can be read here:

Health and Social Work Professions Order 2001

We also use personal data to:

3. How we use your personal data

How we use your data will depend on your relationship with us.

If you are applying for registration or are a registrant:

If you raise a concern with us about a registrant

If you are applying for a post or are a current or former employee or HCPC 'partner':

If you are a member of the public:

If you use the HCPC website or subscribe to our newsletter

Further information about the personal data we use and how we use it can be found in:

Our entry in the register of data controllers on the ICO website:

ICO website

Our Data Retention policy - this policy tells you how long we will hold your personal data:

Data Retention policy

Our personal data map - this outlines the people whose data we hold, the types of data we hold, where we receive the data from, who we share it with and our legal basis for using it.

Personal data map

Our Fitness to Practise publication policy - this policy sets out our approach to publishing information about our fitness to practise hearings.

Fitness to Practise publication policy

4. Sharing your personal data

We will never provide your personal data to third parties for their marketing purposes.

Public protection

We have signed a number of information sharing agreements, called memorandums of understanding (MoUs), with other public bodies. An MoU is an agreement by two or more organisations committing them to work together to support common goals.

All of our MoUs aim to protect the public through effective intelligence sharing. This can include sharing your personal data if this is necessary to achieve this aim. More information about our MoUs can be found at the following link:

Memoranda of understanding

We may also share information with government departments and government bodies that provide funding to HCPC or have an interest in HCPC's activities. Information is passed to government departments and government bodies for analysis purposes.

We will release your personal data when we are required to do so by law.

Data processors

We have contracts with suppliers (data processors) to carry out certain activities or services on our behalf. These include providers of legal support, translation, research and monitoring services, printers, transcribing services and bulk mail delivery.

Sometimes in order to perform these services our suppliers require access to some of the personal data the HCPC holds.

If we provide a supplier with your personal data, we will ensure an appropriate contract is in place that specifies how the supplier must handle your personal data and restricts any further use of the data which we have not permitted.

We will ensure the supplier has adequate technical and organisational measures in place to protect your data and we will specify how your personal data should be returned or disposed of when the service ends.

5. Data protection principles

The GDPR requires us to ensure that any personal data we hold is:

6. Your information rights

The GDPR provides you with the following general information rights:

Some of these rights do not apply or may be limited where we use your data to help us undertake a task in the exercise of our official authority or in the public interest.

Your right to be informed

Your right of access

Your right to rectification

Your right to erasure

Your right to restrict processing

Your right to data portability

Your right to object

Your rights in relation to automated decision making and profiling

Our response

If you choose to exercise any of your rights, we will respond to your request within one calendar month.

If your request is particularly complex or large, we may extend this timeframe by a further two months. We will inform you if we need to extend our response time.

7. Contact us

You can contact our designated Data Protection Officer regarding this policy or your information rights using the contact details below:

Data Protection Officer
184 Kennington Park Road
SE11 4BU

Tel: 0207 840 9710

8. Complaints

You can contact the Information Commissioner’s Office (ICO) to discuss any concerns you have about our processing of your personal data.

Information Commissioner's Office
Wycliffe House
Water Lane

Tel: 0303 123 1113

We keep our privacy notice under regular review. This privacy notice was last updated on 25 May 2018.

9. Explanation of key terms

Data Controller

A data controller determines the purposes and means of processing personal data. The HCPC is a data controller.

Data Processor
A data processor is responsible for processing personal data on behalf of a data controller. A data processor must act on the clear instructions of the data controller and must not use the data for any other purpose.

Data Protection Act 2018 (DPA)
The DPA supplements the GDPR in the UK and sets out UK-specific requirements not covered by the GDPR.

Data Protection Officer
A Data Protection Officer is the lead person for data protection within an organisation. They have specialist knowledge and act as a source of advice on data protection issues.

Data Subject
An individual who is the subject of personal data. If the data is yours, you are the data subject.

General Data Protection Regulation (GDPR)
The GDPR is the European Union (EU) legal framework for the collection and processing of personal data (personal information about individuals).

Information Commissioner's Office (ICO)
The ICO is the UK regulator of data protection rights. You can contact them if you have concerns about how your personal data is being used or how your rights have been respected. They also regulate access to public information (Freedom of Information).

Personal Data
Any information relating to an individual who can be directly or indirectly identified from that data or from that data when combined with other data.

Almost anything done to personal data is regarded as processing. This includes recording, organising, storing, transmitting, sharing, amending or destroying data.

Special Category Personal Data
Special category data is personal data which the GDPR says is more sensitive, and so needs more protection.

Also see:

Use of cookies