The General Data Protection Regulation (GDPR) will come into force across the European Union (EU) on May 25. The EU says the aim of the regulation is “to protect all [its] citizens from privacy and data breaches in an increasingly data-driven world”. So what are community pharmacists' most common questions about the legislation?
How will GDPR affect community pharmacy?
Under GPDR, pharmacy owners will become data “controllers” – and will decide what patient information to process and how to process it. As data controllers, pharmacy owners must be clear about the legal basis for processing patient data – which includes collecting, recording, retrieving, consulting and using data.
What fines could pharmacies who don’t comply face?
The fine imposed on an organisation if they fail to comply with the GDPR requirements will be determined by the type of infringement. The EU has outlined the following fine structure:
- A fine of up to €10 million, or 2%, of the organisation’s global turnover (whichever is higher), for infringements including the failure to notify the Information Commissioner’s Office (ICO) of a data breach, and the failure to follow data controller or processor obligations.
- A fine of up to €20m, or 4% of the organisation’s global turnover (whichever is higher), for infringements including non-compliance of orders from the ICO, failure to follow the basic principles for processing (including consent), and infringement of an individual’s rights.
These fines can be imposed solely, or in addition, to certain measures – including warnings issued by the ICO. The decision about whether to impose a fine, and the amount, will be assessed on a case-by-case basis, and will depend on factors such as:
- The duration, gravity and nature of the infringement
- Whether the infringement was intentional or due to neglect
- The action taken by the data controller or processor to mitigate any damages caused
- The categories of personal data involved.
What types of data breaches do I need to report, and who to?
There will be a duty for all organisations to report certain data breaches to the ICO, and in some cases, report the data breaches to the affected individual(s). Examples of data breaches which must be reported include:
- Damage to reputation
- Financial loss
- Loss of confidentiality
- Other economic/social disadvantages.
In these instances, you must notify the ICO if the data breach is likely to result in a risk to the rights and freedoms of an individual, and notify the affected individual(s) if the data breaches are likely to result in a ‘high risk’ to the individual’s rights and freedoms.
The ICO considers a data breach to be ‘high risk’ when “the threshold for informing individuals is higher than for notifying the ICO”. This means a pharmacy will need to assess “both the severity of the potential or actual impact on individuals as a result of a breach, and the likelihood of this occurring”.
Furthermore, the ICO can compel a pharmacy to report the breach to the affected individual(s) if it has not already done so.
There are also some instances when NHS England is required to be notified. The NHS (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013 (also known as the NHS terms of service) require NHS-contracted pharmacists to ensure compliance with NHS England’s requirements regarding data security, and to investigate the cause of a breach, and evaluate the response to it.
Currently, this includes updating a pharmacy's standard operating procedures, providing staff training to prevent reoccurrence, and completing the information governance toolkit annually.
Any patient identifiable data which is incorrectly submitted breaches the NHS terms of service, and if this occurs you must notify regulatory bodies, for example, the General Pharmaceutical Council (GPhC), and the police, where required.
Do I need to obtain consent from each patient who presents a prescription?
No. Under GDPR, consent does not need to be obtained from each patient presenting a prescription for dispensing, because consent is not the lawful basis for processing.
A patient provides implied consent to enable the pharmacy to process their personal data for the purpose of dispensing a prescription. Therefore the pharmacy’s lawful basis for processing the personal data present on the prescription is that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
If a GP surgery asks for a prescription to be delivered urgently to a patient, but the pharmacy does not have consent from the patient, should I get consent once the medicines have been delivered?
No. A pharmacy cannot deliver prescription items to a particular patient and obtain consent afterwards. ICO guidance states: “If you would still process the personal data without consent, asking for consent is misleading and inherently unfair.” In this scenario, it needs to be highlighted that consent is not the lawful basis for processing.
This is because the requirement to urgently deliver medication is coming from the patient’s surgery, and not the patient themselves. So the lawful basis for processing the patient’s personal data for the purpose of urgent delivery, in this case, is that “processing is necessary in order to protect the vital interests of the data subject or of another natural person”.
In this situation, it is advisable that the pharmacy clearly documents the lawful basis of this processing on the patient’s medication record (PMR). If the patient wishes to receive future deliveries of prescription items following this initial urgent delivery, the pharmacy would need to obtain GDPR compliant consent – as further deliveries would require consent as a lawful basis.
If an adult lacks the capacity to provide consent, can their representative give consent on their behalf?
An adult patient who lacks capacity, understanding, or is unable to make their own decisions, cannot give valid consent – and no one else can do so on their behalf – unless they have a lasting or enduring (applicable in Northern Ireland) power of attorney, or are appointed as a deputy by the court with authorisation to make service or treatment decisions on behalf of the patient. Further information can be found in the National Pharmacy Association’s resources.
What happens if an adult has the capacity to provide consent, but cannot give it?
Where personal health data is to be processed for an adult with capacity to give consent, but consent cannot be obtained – for example, if a patient has a physical disability and cannot sign the form – the pharmacy will be required to choose another lawful basis. This could be:
- That “processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent”.
- That “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
Under the Equality Act 2010, a pharmacist is required to make reasonable adjustments within the pharmacy to overcome obstacles which prevent a person with a disability from receiving goods and services. This could mean liaising with appropriate healthcare professionals involved with the patient’s care, and making clear records of any decisions made without written consent, for a clear audit trail.
What is a data protection officer and what do they do in the pharmacy?
The GDPR introduces a duty for organisations that carry out data processing activities to appoint a data protection officer (DPO), to “assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice…and act as a contact point”, according to the ICO.
The ICO has stated that an organisation’s DPO can be an existing employee of an organisation, or the role can be contracted out externally to another organisation. This individual's professional duties should be compatible with their DPO duties, and there must be no conflicts of interests.
A pharmacy’s information governance (IG) lead can potentially act as the DPO, as long as the above criteria are fulfilled. This concept is similar to how the IG lead can currently be the pharmacy superintendent pharmacist, while acting independently.
If a pharmacy’s DPO is a GPhC registrant, they must additionally abide by the standards for pharmacy professionals. Standard six states: “Pharmacy professionals must behave in a professional manner”... and “act with honesty and integrity”.
This further re-emphasises the possibility of an existing pharmacy professional (such as the superintendent pharmacist) potentially acting as the DPO, even if they are in charge of setting pharmacy procedures or complying with GPhC-registered premises standards.
Does the DPO need to undertake any training?
No training is required for the role of a DPO; however, the ICO has stated that they must be an expert in data protection. They are therefore expected to have adequate knowledge of data protection law.
Leyla Hannbeck is chief pharmacist at the National Pharmacy Association (NPA)
Download the Pharmaceutical Services Negotiating Committee's own GDPR guidance here