The Community Pharmacy GDPR Working Party wanted to make the path towards compliance a little easier, so we have broken it down into 13 steps, as followed by the guidance and the workbook developed for contractors. The steps are set out in the form of a mnemonic – DATAPROTECTED – to help you to remember them.
1. Decide who is responsible
2. Action plan
3. Think about and record the personal data you process
4. Assure your lawful basis for processing
5. Process according to data protection principles
6. Review and check with your processors
7. Obtain consent if you need to
8. Tell people about your processes: the Privacy Notice
9. Ensure data security
10. Consider personal data breaches
11. Think about data subject rights
12. Ensure privacy by design and default
13. Data Protection Impact Assessment
In the last few weeks several aspects of the GDPR and the associated (currently draft) UK Data Protection Act 2018 have been clarified. Let’s take a look at what that means for pharmacies as they work towards GDPR compliance.
Pharmacies should appoint one person to lead efforts to comply with the GDPR – this could be the Information Governance (IG) lead as there are some overlaps with that role. Template A of the GDPR Workbook provides you with somewhere to collate the names of relevant people involved with IG and the GDPR.
It is not mandatory for pharmacy contractors to appoint a registered Caldicott Guardian, though they may choose to do so if this makes sense for their organisation. There should be somebody at a high level within the organisation – which might be the IG Lead – who takes responsibility for protecting the confidentiality of service users’ health and care data and making sure that it is used appropriately.
All pharmacy businesses need to appoint a Data Protection Officer (DPO), not just those processing personal data on a large scale; this has been confirmed recently and it may not be realistic to expect appointments to have been made for 25 May 2018. The appointment may be of somebody internal, a member of staff such as a pharmacist, or external and shared with other local pharmacies.
The DPO is, in effect, an advisor who is also potentially the first port of call for data subjects or patients because the DPO is named on the Privacy Notice. The DPO should not be a person who decides the data flows in the pharmacy.
To meet the DPO requirement, contractors can either appoint a member of staff or an external person, perhaps shared with other community pharmacies locally. The Community Pharmacy GDPR Working Party will issue further guidance, as will the NPA, which has agreed to lead on the issue for its members. For now, contractors should consider the following details provided by the Information Commissioner’s Office (ICO):
Generally, GDPR consent is not relevant to professional activities in community pharmacy but normal consent remains as important as ever.
Pharmacies already have a lawful basis for much of their data processing (as described in step 4), so are unlikely to need to seek consent for data processing. Note that consent for data processing is not the same as consent for service provision, which will still be needed, for example consent to administer a flu vaccination; or consent to the disclosure of health data where the normal common law duty of confidence (confidentiality) applies.
However, certain general business functions, such as direct marketing, may require consent. This consent must be GDPR compliant and you will need to have a record of it. Template F of the GDPR Workbook can be used to list details of any personal data held in filing systems where consent is the basis for obtaining the data.
Pharmacies will have policies and procedures in place to respond to and record any data breaches, but work through Template I of the GDPR Workbook, which provides a table to record any personal data breaches, and make sure you keep a copy of Template J for use if a data breach occurs.
Note that breaches likely to affect people’s rights and freedoms, e.g. the loss of a prescription bundle in a public place, must also be reported to the ICO, and sometimes to the people affected.
Broadly, there are three outcomes to a personal data breach for a community pharmacy, which are in increasing severity and impact on the patient’s rights and freedoms:
1. Record the breach – e.g. if you send a patient’s health data to the wrong GP or similar controlled environment when confidentiality can be assured as part of professional requirements; or if a patient’s dispensed medicine has another patient’s repeat slip but the error is corrected quickly in the pharmacy or soon afterwards (subject always to the circumstances and not, for example, if particularly sensitive patient data has been disclosed to somebody who knows the patient).
2. Record the breach and notify the ICO – if the prescription bundle is lost en route to the NHS BSA and it is not thought to be lost in the courier’s warehouse.
3. Record the breach, notify the ICO and tell the patient about the breach – if a prescription collected at the GP practice has been lost on the way back to the pharmacy and could be picked up by anybody locally.
The GDPR requires that a Data Protection Impact Assessment (DPIA) be carried out for certain data processing activities where there is a high risk to the rights and freedoms of individuals. Use Template M of the Workbook to help you consider which pharmacy activities may require a DPIA, then carry any necessary assessments out with the help of your DPO.
It was hoped that most smaller pharmacies would not need to undertake a DPIA; however, because all community pharmacies must appoint a DPO, what is large-scale will not now be determined. Therefore, to be on the safe side, it is suggested that all pharmacies complete a DPIA.
The GDPR guidance and workbook can be downloaded from psnc.org.uk/GDPR
Gordon Hockey, director of operations and support at PSNC, is a pharmacist and leads PSNC’s work on regulatory matters related to NHS pharmaceutical services, such as the market entry provisions, and the terms of service.