Strict governance procedures apply to transferring patient data. It's vital to understand what you can and can't do.

In a previous article we have discussed the issues that pharmacists should consider prior to using their patients’ data, for example when sending targeted emails or letters promoting self care or encouraging use of a relevant service.

Patient data will usually be held at the place it was created: in the pharmacy itself. However, while an individual pharmacy can of course contact its patients directly, it may wish to do so from a location other than where data is stored, such as a head office or even a third party communications company. There are important data protection principles to consider when moving data around in this way.

One key issue is whether the pharmacy holding patient data can legally remove it from the pharmacy and disclose it to another location. Generally speaking, if the owner of a chain of pharmacies can be considered one entity (such as a company) under the NHS Terms of Service, the requirement to keep and maintain records should allow data to be passed between the different pharmacies within the chain.

Under the Data Protection Act, if a company that is also the data controller owns all pharmacies in a chain, then data may be passed between those pharmacies without significant restriction. But passing patient data to an outside organisation will engage further provisions of the Data Protection Act and must be considered carefully. Explicit, informed consent by each patient will usually be required.

In addition, the law requires that only ‘authorised persons’ (broadly, those who have a legitimate need to do so and who owe a duty of confidentiality) can handle patient data.

It is also important to remember that patient data must always be kept securely. If data is being moved, even between related pharmacies, strict data governance procedures should be in place.