General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection within the European Union (EU).
There are 6 general data protection regulation principles which govern how personal data should be handled. All personal data must be:
Principle 1 – Processed lawfully, fairly and in a transparent manner relating to individuals.
The Pharmacy Practice Leaflet is available on the website and can be sent to patients if requested. The leaflet contains a data protection statement which explains who is processing their personal data and the purposes for which their personal data will be used and disclosed.
You should either answer any queries personally or direct the customer to somebody who can deal with such queries or to other sources of information and you should provide appropriate support to people with disabilities.
Keeping patients informed of how data is used and recorded is not only important but should be seen as an integral part of the service we provide. For example, always inform patients if you are going to record any details they have provided to you.
If a customer objects to a particular use or disclosure of his or her information, you should carefully explain the implications of objecting (including, if applicable, being unable to dispense their prescription) and record such objection and explore whether there is a practical way of addressing the customer’s concerns. You should not try to convince the customer that they should agree to disclose information or agree to a specific use as it is their choice whether to do so. You should however ensure that they are aware of the implications of their choice.
Principle 2 – Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Right of subject access:
Under the General Data Protection Regulation (GDPR) individuals have a right of access to personal data held about them, subject to certain exemptions.
A request must be made in writing (including email) but the individual does not have to give a reason for requesting the information. If you receive such a request, you should refer it to the Superintendent Pharmacist.
A third party may request information about a customer. In this scenario, whilst the General Data Protection Regulation (GDPR) may not apply, there may be obligations under the Freedom of Information Act 2000 (“FOIA”). The FOIA may apply in respect of information relating to the provision of pharmaceutical services. You should refer all requests under FOIA to the Superintendent Pharmacist as there is no standard way to handle such requests and legal advice may be required.
The pharmacy may receive a request from a customer for access to a deceased person’s records. The duty of confidentiality remains even after a person has died. You should refer all such requests to the Superintendent Pharmacist as there is no standard way to handle them and legal advice may be required.
Right to prevent direct marketing:
Customers have the right to ask the pharmacy to stop sending direct marketing information to them. If a customer indicates such objection, you should ensure that such objection is recorded on the Pharmacy PMR System and actioned. Always refer such requests to the Superintendent Pharmacist as they may wish to investigate why the customer has made this choice and ensure that no inappropriate marketing has been sent out.
Right to have information rectified:
Customers have a right to have inaccurate information held by the pharmacy corrected. If you receive a complaint from a customer in this respect, you should ensure that this is actioned promptly. Always refer such requests to the Superintendent Pharmacist as they may wish to investigate why incorrect information was recorded.
Other rights:
Customers also have certain rights in relation to asking The Pharmacy to stop processing that is likely to cause damage or distress to the customer or another person. If a notice of this nature is received from a customer, please refer to the Superintendent Pharmacist as soon as possible.
Principle 3 – Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
In accessing or using customer data for any particular purpose, you should only do so to the extent necessary to achieve the relevant purpose.
There may be a temptation to record all pieces of data, but excessive data storage (i.e. more than is reasonably required for the particular use) is not permitted. Data may also be anonymised where specific patient identifiers are not required.
Principle 4 – Accurate and, where necessary, kept up to date.
You should record any customer data accurately. When contacting patients, you should confirm the accuracy of the data.
Principle 5 – Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Customer records should not be kept longer than is necessary.
The relevant retention periods are set out on the General Pharmaceutical Council (GPhC) website.
Principle 6 – Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Data should be protected so that it cannot be accidentally lost, altered or improperly accessed. See below “Data Security in the Pharmacy”.
In addition, personal data must not be transferred to countries outside the European Economic Area without adequate protection.
Data Security in the Pharmacy
Access to the patient medication record (PMR) system must only take place by a registered pharmacist (or colleagues under his or her direct supervision who require access).
All staff must log into the PMR system using their own specific ID number and password to gain access. You must not allow unauthorised colleagues (e.g. non-dispensing staff) to access the system. The password for accessing the pharmacy system should be changed on a regular basis and should not be easy to guess (e.g. a pharmacist’s date of birth).
You must ensure that the log-in terminal for the internal pharmacy system is located in an area of the pharmacy that cannot be accessed by anybody other than authorised persons and that the screen cannot be viewed by anybody other than authorised persons. You should ensure that you make appropriate use of a password-protected screen-saver to prevent others being able to view customer information, and you should clear customer information from the screen before accessing another patient medication record.
All manual files relating to customers of the pharmacy should be kept in a secure location under lock and key when unattended and keys should be held in a secure place.
When collecting health data from a customer over the telephone, you should be aware that you may be overheard and if necessary take additional steps to protect the customer’s privacy, for example, by taking the conversation into a separate consultation room, where available (or at least out of earshot of other employees).
All pharmacy customer data is confidential and must not be discussed with or disclosed to any individual who is not involved with the customer’s care.
Before allowing third party service providers to access customer data (e.g. third parties providing maintenance services in respect of the internal pharmacy system), you should refer the matter to the Superintendent Pharmacist – this is to ensure that an appropriate contract is put in place with the relevant service provider dealing with confidentiality and data protection obligations.
When disposing of confidential information (including spare dispensing labels), you need to do so in such a manner that the customer can no longer be identified, for example, by shredding it.
You should not send customer identifiable information by fax if it can be avoided. However, if patient identifiable information is to be sent by fax, you should ring ahead to tell the recipient you are sending a fax and confirm the correct fax number.
Disclosing Customer Data
Customer data is confidential and at no point should it be divulged other than as set out in the data protection statement in the Pharmacy Practice Leaflet or with the customer’s express (usually written) prior consent.
Decisions about disclosing confidential information can be complex. In most situations, you do not have to disclose information immediately. However, there will be limited situations where to delay is not practical, for example if this may cause risk to another person. You should take the necessary steps to satisfy yourself that any disclosure sought is appropriate and meets the legal requirements covering confidentiality.
Maintaining confidentiality is an important duty, but there are circumstances when it may be appropriate to disclose confidential patient information.
These are:
- when you have the patient’s consent;
- when the law says you must;
- when it is in the public interest to do so.
In the course of your professional practice you may receive requests for confidential patient information from a variety of people (for example patient’s relative, partner or carer) or organisations (for example the police or a healthcare regulator). You should make decisions about disclosing information on a case-by-case basis and fully consider all relevant factors.
If a patient with capacity refuses to give consent for information to be shared with other healthcare professionals involved in providing care, it may mean that the care they can be provided is limited. You must respect their decision, but inform the patient of the potential implications on their care or treatment.
You must respect the wishes of a patient with capacity who does not consent to information about him or her being shared with others, unless the law says you must disclose the information or it is in the public interest to make such a disclosure.
If you decide to disclose confidential patient information you should:
- code the information, or make it anonymous, if you do not need to identify the patient;
- get the patient’s consent to share their information, unless:
  - disclosure is required by law;
  - the disclosure can be justified in the public interest; or
  - to do so is impracticable, would put you or others at risk of serious harm, or would prejudice the purpose of the disclosure;
- disclose only the information needed for the particular purpose;
- make sure that the people receiving the information know that it is confidential and is to be treated as such;
- make appropriate records to show:
  - who the request came from;
  - whether you obtained the patient’s consent, or your reasons for not doing so;
  - whether consent was given or refused; and
  - what you disclosed;
- be prepared to justify your decisions and any actions you take;
- release the information promptly once you are satisfied what information should be disclosed and have taken all necessary steps to protect confidentiality.
Disclosing information with consent:
You should get the patient’s consent to share their information unless that would undermine the purpose of disclosure.
Make sure the patient understands:
- what information will be disclosed;
- why information will be disclosed;
- who it will be disclosed to;
- the likely consequences of disclosing and of not disclosing the information.
When the reason for sharing confidential patient information is for a purpose that the patient would not reasonably expect, you must get their explicit consent before disclosure.
If you are not sure whether you have the patient’s consent to share their information, you should contact them and obtain their consent.
Disclosing information without consent:
You should make every effort to get consent to disclose confidential information. However, if that would undermine the purpose of disclosure (for example when there is risk to others) or is not practicable, you should use the guidance in this section.
Before you disclose information without the consent of the patient, you should:
- be satisfied that the law requires you to disclose the information or that disclosure can be justified as being in the public interest;
- ask for clarification from the person making the request if you are unsure about the basis for the request for confidential information;
- ask for the request in writing;
- ensure that personal information is not transferred to other countries without adequate protection.