Health organisations hold more sensitive personal health data than ever. Personal data has provided the NHS and governments with evidence needed to keep the public safe in the fight against Covid-19. However, data protection compliance for any organisation is an ongoing journey.  

The Community Pharmacy GDPR Working Party, comprising organisations from across the sector and established when the General Data Protection Regulation first came into force, developed a useful mnemonic – DATAPROTECTED – to help pharmacies tackle data protection. 

The mnemonic sets out 13 key steps to personal data compliance. The UK has left the EU, but the GDPR has been retained in domestic law within a framework that allows for government review. These steps therefore continue to be relevant for pharmacies.

STEP 1

Decide who is responsible. Pharmacy business owners are responsible for data protection. This is likely to mean directors and officers of the business. An appointed person must understand the pharmacy and associated legal responsibilities the business has. In some instances, a data protection officer (DPO) may need to be appointed. 

STEP 2

Action Plan. Staff should be given regular data protection training. It is the pharmacy team’s responsibility to help implement data protection measures. Pharmacies will also need to pay an annual fee to the Information Commissioner’s Office (ICO).

STEP 3

Think about the personal data you process. Consider all filing systems that hold personal data – both written and electronic. Accurate records of processing activities need to be maintained and reviewed regularly.

STEP 4

Assure your lawful basis for processing. Data protection law requires all organisations to have a lawful basis for processing personal data. For pharmacies, this is likely to be “for the performance of a task carried out in the public interest.” Health data is a special category of data, so must be treated with additional sensitivity and requires an additional reason for processing; this is likely to be “for the provision of health or treatment.” 

STEP 5

Process according to data protection principles. Pharmacies are likely to be processing patient data in line with data protection principles, due to their information governance compliance obligations. However, records are important to document compliance to the regulator. 

STEP 6

Review and check with processors. Put agreements or guarantees in place with any organisation that processes personal data on your behalf. You may also need to give guarantees to other data controllers, if requested.

STEP 7

Obtain consent, if needed. Pharmacies are likely to be able to rely on the lawful basis of health for processing most personal data. However, some forms of processing (e.g. marketing communications) may require consent.

STEP 8

Tell people about your process. You must give individuals clear information about how their personal data is processed. This can be done via a Privacy Notice clearly displayed in pharmacy premises and on websites. 

STEP 9

Ensure data security. Steps include putting in information security measures to ensure that the confidentiality of data is maintained and the risk of a data breach is minimised. Staff should be trained on the importance of data security.

STEP 10

Consider personal data breaches.Policies and procedures must be in place to minimise the risk of a breach. Any breach must be recorded and reported to the ICO without delay. Pharmacies will need to show that they have learned from and responded to any personal data breach. 

STEP 11

Think about data subject rights.Under data protection law, patients have a number of rights about how they can access and seek to control processing of their personal data (a data subject access request). Pharmacies need to be aware of these and ready to respond. 

STEP 12

Ensure privacy by design and default. Data protection should be a key consideration in developing any new project. Pseudonymisation and aggregation is likely to be helpful in many situations. 

STEP 13

Data Protection Impact Assessment (DPIA). A DPIA must be carried out for activities where there is a high risk to the rights of individuals. Most smaller pharmacies will not need to do one for normal dispensing activities, but a DPIA will be needed by any pharmacy when introducing new technologies.

Aside from following the 13 steps, the ICO also recommends that pharmacies:

• Ensure all computers processing sensitive personal data are upgraded regularly
• Implement individual user logons for all systems that contain patient identifiable data to enable a full audit trail of customer records
• Ensure they have procedures in place to control the removal of personal data.

The above is a general overview and we recommend that independent legal advice is sought for your specific concerns.

Jonathan McDonald is a partner in data protection & privacy, Ilona Bateson is an associate in the commercial team at Charles Russell Speechlys  jonathan.mcdonald@crsblaw.com   ilona.bateson@crsblaw.com