Privacy policy

Data protection

The GPhC is registered as a data controller under the Data Protection Act 1998 (the DPA). This means we are an organisation that controls how we collect, store, and use personal data. The register of data controllers is held by the Information Commissioner’s Office

Under the DPA, ‘personal data’ is information about an identifiable living person. The person the personal data refers to is called a ‘data subject’.

The DPA says that any organisation collecting personal data must make sure that it is:

  • processed fairly and lawfully
  • processed for specific and lawful purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate and, where necessary, kept up to date
  • not kept for longer than is necessary
  • processed in accordance with data subjects’ legal rights
  • kept secure
  • not transferred outside the UK without adequate protection.

Pharmacists, pharmacy technicians and pre-registration trainees

How we will use your personal data

The GPhC uses personal data to support its work as the regulatory body for pharmacists, pharmacy technicians and registered pharmacies in Great Britain. We may process personal data for reasons including :

  • updating the register
  • administering and maintaining registration
  • administering examinations
  • processing and investigating complaints
  • compiling statistics and research

When we will publish your personal data

As a regulator, we publish personal data in some circumstances:

  • names and registation details of pharmacists and pharmacy technicians on the GPhC registers
  • outcomes of fitness to practise action as set out in our Publication and Disclosure Policy
  • names of pharmacy graduates who pass on the GPhC registration assessment

Sharing personal data with other organisations

We will not share your personal data on a commercial basis with any third party.

We share information with other organisations in carrying out our statutory aims, objectives, powers and responsibilities under the Pharmacy Order 2010, the rules made under the Order and other legislation.

Sharing information means that organisations can improve client services, protect the public and respond to statutory requirements. We will only share information with other organisations to further our statutory role and responsibilities, while respecting the confidentiality of our registrants.

We may pass information to organisations that have a legitimate interest. These would include other regulatory and enforcement authorities, NHS trusts, employers, the Department of Health, universities and research institutions. Futher information about when we disclose information to other organisations is given in our Publication and Disclosure Policy.

We recognise the importance of having clear guidelines to follow and making sure that this information is shared in a secure and confidential manner and in line with the law, including the common law duty of confidence, the Data Protection Act 1998, the Human Rights Act 1998 and other related legislation and guidance.

You can find links to the data-sharing agreements we have with other organisations on our website . In these agreements we make sure that:

  • organisations only get the minimum amount of information they need to carry out the activity or service
  • they agree not to use the information they get from us for any reasons other than those we have agreed
  • they have proper systems in place to protect personal data.
  • both parties to the agreement publish a copy of the agreement on their websites. This is to promote openness and transparency and to make sure that the profession and the public are aware of what information is shared and the reasons for this.

CCTV Policy

If you are visiting our offices this is our CCTV policy.

If you want to see any footage, details on obtaining personal data are below.

Asking to see your personal data

If you want  to see personal data that we may hold about you, you have to make a subject access request. Please send your request in writing to the Governance team, describing the information you want. It would be helpful if you could mark your email  or envelope ‘Subject Access Request’.

We are allowed to charge a fee of up to £10 for sending you the information. Under the DPA there are some types of information that we are unable togive you, but if this is the case, we will explain why. You may also be asked to supply proof of your identity.

Please contact:

Governance Team
General Pharmaceutical Council
25 Canada Square
E14 5LQ


Contact with the GPhC

It is our policy to send personal and sensitive information securely to reduce the risk of data loss. If you contact us to ask for personal information, we will carry out security checks.

Contact from the Professionals Regulation (Fitness to Practise) Team

It is the Professional Regulation (Fitness to Practise) Team's policy that all electronic correspondence containing sensitive or personal information such as registrants’ or witnesses’ addresses or medical information are password protected or encrypted to ensure that that e-mail correspondence reaches its intended recipient. 

We will send paper documents of this nature by a recorded mail service so that correspondence reaches its intended recipient.        

It is the policy of the Professional Regulation Team to ask security questions to all callers making enquiries about the progression of cases.

Further information

You can find out more about the Data Protection Act and its principles from the Information Commissioner's Office.


When we provide services, we want to make them easy, useful and reliable. Where services are delivered on the internet, this sometimes involves placing small amounts of information on your device (such as your computer or mobile phone). These include small files known as cookies. They cannot be used to identify you personally.

These pieces of information are used to improve services for you through, for example:

  • enabling a service to recognise your device so you don't have to give the same information several times during one task
  • recognising that you may already have given a username and password so you don't need to do it for every web page requested
  • measuring how many people are using services, so they can be made easier to use and there's enough capacity to ensure they are fast

You can manage these small files yourself and learn more about them through Internet browser cookies - what they are and how to manage them.

Our use of cookies

This is a list of cookies that may be stored on your device when visiting this website:

Google Analytics

Google Analytics will set a cookie to help us accurately estimate the number of visitors to the website and volumes of usage.

Name: _utma
Typical content: randomly generated number
Expires: 2 years

Name: _utmb
Typical content: randomly generated number
Expires: 30 minutes

Name: _utmc
Typical content: randomly generated number
Expires: when user exits browser

Name: _utmz
Typical content: randomly generated number + info on how the site was reached (e.g. directly or via a link, organic search or paid search)
Expires: 6 months

For further details on the cookies set by Google Analytics, please refer to the Google Code website.


We use ClickTale to help us understand how visitors use our website.

Typical content: anonymously identify a visitor of the Website for the purpose of enabling the ClickTale software to track such visitor’s actions across the client’s website.
Expires: 1 year

Name: __CT_Data
Typical content: Count the number of pageviews or visits of the anonymous visitor for the purpose of enabling the ClickTale software to track the number of pageviews or visits a visitor made on the client’s website.
Expires: 1 year

For further details on the cookies set by ClickTale, please refer to the ClickTale website.


We use the SmartSurvey tool for consultations. This will set a cookie to prevent the survey from displaying for users who have already completed it.

Name: s_sess
Typical content: encoded text string of current user survey status
Expires: when you close the browser

Name: s_pers
Typical content: encoded text string of current user survey status
Expires: 3 years

Name: P_nnnnnnnn (where n is a number)
Typical content: number
Expires: 8 months

Other Cookies

Name: gphc_active_menu
Typical content: Record a visitor's most recently visited 'quick link' menu, located at the footer of the website
Expires: 1 Month

Name: has_js
Typical content: Records whether a visitors browser has JavaScript enabled.
Expires: when you close the browser

Name: gphc_css_size
Typical content: Used to remember a visitor's chosen text size
Expires: 1 month