Revealed: Almost 50 data breaches involving pharmacies in 16 months
The UK’s data watchdog handled 49 potential data breaches related to concerns involving community pharmacy providers in a 16-month period, C+D can reveal.
In 42 such cases, the Information Commissioner’s Office (ICO) took “informal action” against the pharmacy in response to the breaches, which was recorded as “advice given”, according to data shared with C+D following a freedom of information (FOI) request.
Meanwhile, the seven remaining cases were closed with “no further action” taken: in one case “remedial measures” had already been taken, and in the others the pharmacies were given advice.
C+D asked the data watchdog for information about any potential data breaches involving community pharmacies it handled after it fined London-based pharmacy Doorstep Dispensaree £275,000 for breaching data protection laws in December 2019.
But an ICO senior information access officer told C+D that while the regulator has dealt with 49 such cases between January 2021 and May 2022, it had not issued any fines “within the pharmaceutical sector since that of Doorstep Dispensaree in 2019”.
Legal expert: Get a data protection officer
Commenting on the FOI results, David Reissner, chair of the Pharmacy Law & Ethics Association, said it is “concerning that there appears to be widespread ignorance, disregard or simply carelessness of data protection law”.
“Pharmacies handle the most sensitive data, and they should all have a data protection officer,” he stressed.
“The heavy penalties imposed on Pharmacy2U [in 2015] and Dispensaree [in 2019] should have made pharmacies aware of the importance of data protection and the risks pharmacies run if they fail to comply with the Data Protection Act and GDPR,” he warned.
Examples of breaches reported
The ICO shared details about the incident types related to community pharmacies that had been reported, which include:
- loss/theft of paperwork or data left in insecure location
- data posted or faxed to incorrect recipient
- failure to use bcc
- data emailed to incorrect recipient
- verbal disclosure of personal data.
Pharmacy contractors, like other providers of NHS services in England, must complete an online self-assessment every year to assure the NHS they are “practicing good data security” and handling patient data correctly.
Breaches that do not meet the ICO’s threshold for constituting a “high risk” to the individual’s rights and freedoms are reported via the NHS reporting toolkit and are not recorded on the ICO’s system, a spokesperson for the data regulator told C+D yesterday (June 16).
The ICO regularly carries out “analysis of a variety of different sectors, including community pharmacies and other healthcare groups, to establish which sectors may have a higher number of recorded data breaches and which less so”.
“We use this analysis to take necessary action where appropriate and provide guidance and advice,” they added.
However, the watchdog commented that it would be difficult for the ICO to “categorically say one sector is better than the other” because “some sectors may not report every potential breach to us”.
“We continue to work closely with all sectors to ensure they are data compliant, implement high quality infrastructure to mitigate risks as well as educating them on what to look out for and how to report an incident to us,” the spokesperson added.