I’m not surprised that the government rejected attempts by the Pharmaceutical Services Negotiating Committee (PSNC), and other pharmacy and healthcare representative bodies, to get the Data Protection Act 2018 amended so that pharmacies and other primary care providers would not be required to appoint a data protection officer (DPO).
However, even though I’m not surprised, I can’t help but observe that the government’s reasons for the decision make no sense at all.
The General Data Protection Regulation, which comes into force from May 25, says that two types of organisation need a DPO: public authorities – the definition of which includes any person providing NHS services – and any person who processes personal data on a large scale.
Last week, despite the lobbying efforts of PSNC and the National Pharmacy Association, the government refused to amend the legislation so that not all primary care providers are considered 'public authorities'. It also rejected the request to scrap the requirement for smaller pharmacies to appoint a data expert.
So what reason did the government give for rejecting amendments to the definition of a public authority, so as to exclude community pharmacies and healthcare providers? Speaking in the House of Commons earlier this month (May 9), Margot James, minister for digital and creative industries, said it was because “primary care providers process sizeable quantities of sensitive health data”.
There are two flaws in this reasoning. First, if healthcare providers process sizeable quantities of sensitive data (now called “special category data”), then according to the government’s position, they would need a DPO anyway, even if they were not a public authority.
The government’s approach was also flawed because it took a broad brush approach to the question of whether healthcare providers process “sizeable quantities of sensitive health data”.
GDPR expressly avoids such a lazy categorisation of what healthcare providers do, and says: “The processing of personal data should not be considered to be on a large scale if the processing concerns personal data from patients…by an individual physician [or] other health care professional.”
Whether healthcare professionals process large quantities of personal data depends on the circumstances. According to official EU guidance, those circumstances include the number of patients involved or the proportion of patients in a geographical area, the volume of different data being processed, and the geographical extent of the processing.
Unless they band together and share a DPO, it may be difficult for small businesses to find someone suitable to take on the role, because the individual must be independent of management. However, pharmacy owners now have no choice but to get on and appoint someone suitable.
David Reissner is a consultant with law firm Charles Russell Speechlys LLP