The General Data Protection Regulation (GDPR) – which the EU said aims “to protect all [its] citizens from privacy and data breaches in an increasingly data-driven world” – will come into force on May 25.
The GDPR requires “public authority organisations” to appoint a data protection officer (DPO) to “assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice…and act as a contact point”, according to the Information Commissioner’s Office (ICO).
Despite lobbying efforts from the Pharmaceutical Services Negotiating Committee (PSNC) and the National Pharmacy Association (NPA) to amend the legislation so that not all primary care providers are considered 'public authorities', and to scrap the requirement for smaller pharmacies to appoint a data expert, “we now find ourselves in the position that we must advise contractors to appoint a DPO”, the negotiator said.
“Highly personal” patient data
In a debate in the House of Commons on Wednesday (May 9), minister for digital and creative industries Margot James said that, as “primary care providers…process sizeable quantities of sensitive health data” – including “an individual’s mental health status, the fact they are pregnant, or details of their prescription for a terminal illness” – “it does not seem unreasonable that bodies who process that kind of data should have a single point of contact on data protection matters”.
Responding to the exchange, PSNC director of operations and support Gordon Hockey said: “It appears that the [data legislation] is likely to deem all community pharmacies to be public authorities (even though they are not).”
“PSNC is disappointed by the current stance the government is taking on this issue and so will continue to work with representatives of other primary care contractors to lobby against this.”
PSNC said it “considers the requirement for a DPO to be inappropriate for smaller pharmacy businesses, where the costs of engaging a DPO are likely to be disproportionate to the benefits”.
“Very little time”
It warned that “there is now very little time before” the May 25 deadline, but said “informally...those involved with GDPR...are not expecting everybody to be fully compliant” by this time.
PSNC referenced a blog from information commissioner Elizabeth Denham in which she said: “If you can demonstrate that you have the appropriate systems and thinking in place, you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world.”
To meet the requirement, pharmacies “can either appoint a member of staff or an external person, perhaps shared with other community pharmacies locally”, who should have “knowledge of the particular community pharmacy and ‘expert’ knowledge of data protection and the… associated legislation”.