Why should pharmacists care about data protection?
Breaching the UK GDPR could expose your business, customers and patients to significant harm. For example, the Information Commissioner’s Office (ICO) can fine you up to £17.5 million or 4 per cent of your annual global turnover, whichever is higher, and you could suffer reputational damage leading to a loss of customers and patients.
The ICO also has a range of other enforcement powers, including assessment notices, warnings, reprimands and enforcement notices. It has imposed fines for serious breaches of the data protection legislation, and pharmacies have been among those fined for data breaches.
In December 2019, the ICO issued Doorstep Dispensaree with a fine of £275,000, which was reduced on appeal to £92,000, for breaching data protection legislation. The ICO found that the pharmacy had failed to process personal data in a way that would ensure its proper security. The ICO fined the company and issued an enforcement notice requiring Doorstep Dispensaree to improve its data protection practices within three months of the notice.
In July 2023, the ICO issued a reprimand to NHS Lanarkshire for sharing the personal data of patients via an unauthorised means. Also in July 2023, the Patient and Client Council was reprimanded for disclosing special category data by sending an email to 15 patients using carbon copy (CC) rather than blind carbon copy (BCC).
However, it is not only the ICO that can become involved when there is a data breach. In 2019, the General Pharmaceutical Council (GPhC) suspended a pharmacist for three months after they sent a large amount of private patient data to their own personal email address in breach of the data protection legislation. This kind of situation could arise, for example, where a pharmacy manager planning to leave and set up a competing pharmacy decides to take a copy of their employer’s patient medication record database, intending to target those patients for their own commercial gain once the new business is open.
Your customers and patients could also be harmed by a data breach, for example through identity theft, out-of-pocket costs, unwanted contact from third parties and additional stress. They may also start legal action, such as compensation claims, and it is not uncommon for class actions to be formed.
In June 2023, Boots confirmed that the company that provided it with payroll services had suffered a cyber attack resulting in personal data, including financial information, being accessed. There is currently a call for those who were affected by the data breach to join a class action claim for compensation. Defending a claim can be time consuming and costly.
Types of data
Personal data: any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special category personal data: includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data (where used to uniquely identify someone), data concerning health, and data concerning a person’s sex life or sexual orientation.
Health data: personal data relating to the physical or mental health of a person, including the provision of healthcare services, which reveal information about their health status.