Privacy Notice - Disclosure

The privacy notice applies to all data about transfers of value – payment or benefits in kind -  that the ABPI receives from pharmaceutical companies in connection with the Disclosure UK transparency initiative.

This privacy notice explains:

Who is the ABPI?

In this policy when you see the words, “we”, “us, “our” or “ABPI”, it refers to the Association of the British Pharmaceutical Industry (“ABPI”). 

The ABPI represents innovative research-based pharmaceutical companies, large, medium and small in the UK.  The ABPI manages Disclosure UK, the publicly accessible database that shows transfers of value from pharmaceutical companies that are signatories to The ABPI Code of Practice for the Pharmaceutical Industry (“ABPI Code”), made to healthcare professionals and other relevant individuals, and healthcare organisations.

The ABPI is a company limited by guarantee with registration number 09826787 and its registered office at 7th Floor Southside, 105 Victoria Street, London SW1E 6QT. For the purposes of EU data protection law, the ABPI is a “data controller”.

What is personal data?

In this policy the words, “personal data” means any information that identifies you, for example, your name and address. It also includes transfers of value made to you by a pharmaceutical company(s) for activities that you have been engaged in with them.

How we keep your data secure

We have put appropriate organisational safeguards and security measures in place to protect your data from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal data to those employees, representatives and third parties who have a business need to know it. They are only permitted to access your data on our instructions and will always be subject to a duty of confidentiality.

Any third party who is contracted to process your personal data on our behalf must have security measures in place to protect your data. We have put in place procedures to deal with any suspected personal data breach. We do not allow third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

If you would like more information about the third parties that the ABPI works with in order to deliver the Disclosure UK database, please contact us using the contact details below.

The data we collect about you

The following groups of personal data are collected and processed by the ABPI:

  • Contact Data – your title, full name, specialty, role, principal practicing address;
  • Transfer of Value – The amount – in payment or benefit in kind - received from pharmaceutical companies.

The following types of personal data (additional ‘Contact Data’) may also be collected by the ABPI, on an optional basis, to support operational processing and are not published on Disclosure UK:

  • Email address – the email address that may be used to contact you about disclosures relating to you on Disclosure UK;
  • Third party IDs – IDs provided from approved commercial databases are used to support data matching.

We also collect, use and share aggregated data, such as statistical data. Aggregated data is derived from your personal data but it is not considered to be personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate transfers of value data for all healthcare professionals and other relevant individuals shown in the publicly accessible database, to provide an overall picture of how the pharmaceutical industry is working with them.

How we collect your data

Your personal data is provided to us by the pharmaceutical company(s) that you have worked with.

The legal basis for processing your personal data

The law requires us to inform you of the legal basis for collecting and processing your personal information where we are the data controller. The grounds that are most likely to be applicable to our processing of your personal data are:

Legitimate Interests: The ABPI has a legitimate interest in processing the personal data that we receive from pharmaceutical company(s) in order to administer our business, which includes running the Disclosure UK platform and meeting the transparency objectives of the ABPI Code.

Pharmaceutical companies also have a legitimate interest in the relevant data being published on the Disclosure UK platform, in order to increase transparency in the industry and ensure that patients and the public can have confidence that the relationship between pharmaceutical companies and individuals is open and ethical.

Furthermore, society as a whole has a legitimate interest in understanding the financial relationships that healthcare professionals and other relevant individuals may have with the pharmaceutical industry.

Legal obligation: We may also process your personal data where we have a legal obligation to do so, for example where we receive a statutory request from a regulator or from law enforcement.

Please note that individual pharmaceutical companies may rely on other legal bases, such as consent, for sharing your data with us. For further information, please see the Privacy Notice of the relevant pharmaceutical company.

How we use your data

Transfers of value that you have received from different pharmaceutical companies are collated and published on Disclosure UK – a publicly accessible database managed by the ABPI.

In order to validate and collate your personal data for publication on the database, the ABPI uses your personal data to contact you, confirm your identity, provide you with information and to respond to any queries that you may raise with us through the disclosure process. 

As explained above, your personal data is also aggregated with the data of other healthcare professionals and other relevant individuals for statistical analysis purposes.

We will only use your personal data for the purposes for which we collect it.

For how long will your personal data be kept?

The ABPI Code requires that disclosure information must remain in the public domain for at least three years from the time of first disclosure. After this time, the ABPI securely destroys the dataset that is older than three years and instructs its service providers to do the same.

Please note, that your data may be held for longer periods by the pharmaceutical companies with whom you have worked. Specifically, the ABPI Code requires that companies must document all disclosures and retain their records for at least five years after the end of the calendar year to which they relate.

How we share your data

We may share your personal data with the parties set out below for the purpose of collating and managing the Disclosure UK database:

  • The pharmaceutical company that made a transfer of value to you, so that the company can validate the information to be shown on the database;
  • Third party service providers that we use to support the operation of the Disclosure UK database.

When the process of validation is complete, your personal data is published on Disclosure UK – a publicly accessible database.

Your rights

Under certain circumstances, you have the rights set out below under data protection laws in relation to your personal data:

  • Access to Personal Information – You have a right to obtain access to the personal information that we hold about you.
  • Change Inaccurate Information – You have a right to correct inaccurate personal information and to update incomplete personal information.
  • Request to Delete Your Information – You have a right to request that we delete your personal information if you believe that we no longer need your information for the purposes for which it was provided; or we are not using your information in a lawful manner; or we have requested your permission to process your personal information and you wish to withdraw your consent. Please note that if you request us to delete your information, we may have to stop engaging with you.
  • Request to Restrict the Processing of Your Information – You have a right to request that we restrict the processing of your personal data if you believe that any of the information that we hold about you is inaccurate; we no longer need your information for the purposes for which it was provided but you require the information to establish, exercise or defend legal claims; or we are not using your information in a lawful manner. Please note that if you request us to delete your information, we may have to stop engaging with you.
  • Request Your Personal Data in a Portable Format – You may have the right to ask us to provide your personal information in a portable format.
  • Object to the Processing of your Personal Information – You may have a right to object to the processing of your personal information where that processing is based on a legitimate interest, unless we can demonstrate compelling and legitimate grounds for the processing.
  • Withdraw Consent – Where we rely on your permission to process your personal information, you have a right to withdraw your consent at any time.
  • Make a Complaint - You have a right to lodge a complaint with your national data protection regulator, the Information Commissioner’s Office, if you feel that your personal data has been unlawfully processed.

How to contact us

If you have any questions on this policy or wish to exercise any of these rights, please contact us here: info@disclosureuk.org.uk.  

We will try to respond to your request within one month, although occasionally, it may take us longer than a month if your request is particularly complex or if you have made a number of requests, in this case we will notify you and keep you updated.

We may need to request specific information from you in order to help us to confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request.

Last updated: 1 February 2022