The Pharmacists’ Defence Association has raised concerns that LloydsPharmacy recently breached the privacy of some employees – but the multiple is adamant that no reportable data breach took place.
The PDA, which is seeking union recognition for Lloyds pharmacists through a process overseen by the Central Arbitration Committee, said on Friday October 9 that there have recently been “two significant breaches of data protection legislation [in which] the company sent personal information about all pharmacists employed by Lloyds to the PDA and the CAC”.
As part of its recognition campaign, the union says it should have received anonymised data regarding pharmacists, job titles and the number of employees at each place of work affected by any potential future bargaining agreement. However, it says that LloydsPharmacy in error sent information that could be used to identify individual pharmacists.
The PDA commented: “More than 2,000 individuals had their personal data inappropriately shared, although that as far as we are currently aware the union was the only unauthorised recipient of the data, and as we immediately took steps to delete it and the consequences of the data breach is therefore minimal.
“The PDA has notified the company superintendent to ensure any regulatory consequences can be considered and confirmed we will cooperate with any information commissioner investigations into how these two data breaches occurred.”
The incident raises “serious concerns about how Lloyds are managing the data of all their pharmacists,” said the PDA.
When approached by Pharmacy Network News, a spokesperson for Lloydspharmacy responded: “When sharing data with the PDA and CAC, as a legal and mandatory part of the current application process, some additional data was securely provided that we subsequently realised was not required. This data was password-protected and sent only to two named individuals in the PDA and the CAC.
“These individuals were contacted by our team and confirmed that they had immediately and securely deleted the data. All internal processes were followed in terms of this error. It was determined by the Data Protection Officer that this was not a reportable data breach.
“We take all potential data breaches very seriously and are fiercely protective of our colleagues personal data.”