Patient confidentiality and data protection are already a significant problem in pharmacy — in 2018 these issues entered the top five areas failed during pharmacy inspections for the first time. And the rules in this area are about to get even stricter. As part of the Data Protection Act 2018, the General Data Protection Regulation (GDPR) came into force on 25 May 2018. It outlines new legal formalities to be followed and increased obligations for anyone who collects and handles personal data in order to provide more protection for individuals. GDPR has particular significance for pharmacy practice.
While pharmacists and pharmacy owners should already be familiar with the importance of maintaining the confidentiality of patient data,, GDPR places existing professional obligations within a technical framework that requires a focus on detail and continuous observance of new requirements that can prove burdensome, with a risk of severe penalties for non-compliance. This article describes the new data protection laws and their significance for pharmacists, pharmacy professionals and business owners, as well as for pharmacy practice in general.
Key points to remember:
- Data protection officers (DPOs) should be appointed and trained. The Pharmaceutical Services Negotiating Committee (PSNC) has called for community pharmacy contractors to appoint a DPO.
- Pharmacy owners should ensure they have reviewed the data they hold and have established the lawful basis they rely on for processing the data.
- In the case of data derived from prescription forms (whether private or NHS), it would be sufficient to rely on the processing being necessary to comply with a legal obligation. The lawful basis should be documented.
- Policies for data retention should include regular reviews of whether there is continued justification for retention (for example, if the patient has died or if there are grounds for believing the patient no longer uses the pharmacy or no longer receives the treatment that is recorded).
- Access to patients’ data should be monitored and any inappropriate usage should be identified and dealt with. •All staff who process data should be made aware of the importance of patient confidentiality and the new legal requirements that supplement the professional obligations of pharmacy owners, pharmacists and pharmacy technicians. It may be appropriate to make staff who process data aware of the penalties for data breaches.
GDPR is concerned with personal data and it imposes legal obligations on data controllers and data processors. The broad definitions are:
- Personal data: any information relating to an identified or identifiable natural person (“data subject”);
- Data controller: decides what data to process and how;
- Processing: the collection, recording, organisation, structuring, storage, retrieval, consultation, use and disclosure of data.
Pharmacy owners will, therefore, be data controllers and any pharmacy employee or locum who deals with data will be a processor.
Data protection principles
All personal data must be processed in accordance with data protection principles, which means that, among other things, the data must be processed fairly and lawfully. Lawfulness is addressed in the following section. In terms of fairness, key requirements are:
- Processed data should not exceed what is needed for a specified lawful purpose;
- Data must be accurate and kept up to date;
- Data must not be kept for longer than necessary for the specified purpose;
- Appropriate measures must be taken against unauthorised or unlawful processing and against accidental loss;
- Data must not be transferred to a country outside the European Economic Area unless that country has adequate protection arrangements.
The key principles that pharmacy professionals should follow in order to make sure they comply with the GDPR requirements are outlined below.
GDPR Dos and Don’ts
- Do ensure that all staff in a pharmacy keep all prescription forms away from locations where they can be seen by patients and customers;
- Do check before inviting a patient or customer into a consultation room that no other patient’s information is visible, whether on prescription forms, on monitored dosage system (MDS trays) or on computer screens;
- Do make sure all pharmacy staff know that data protection is important in order to maintain patients’ confidentiality;
- Do explain to all staff that a patient’s data can only be accessed for reasons connected with the patient’s care – and it should be accessed only on a need-to-know basis;
- Don’t allow patient data to leave the premises without knowing exactly where it is going and that anyone allowed to remove it understands the importance of protecting confidentiality;
- Don’t call out patients’ addresses or ask them to give their addresses when other patients or customers could hear. If it is necessary to call out their names, ask them to confirm their addresses in a location where they cannot be overheard.
Lawful basis for processing
Anyone who processes personal data, including pharmacists, pharmacy employees and locums, must have a lawful basis for doing so. GDPR provides several possible bases and those of particular relevance to the data processed in a pharmacy include:
- The data subject has consented to the processing for a specific purpose;
- The processing is necessary for compliance with a legal obligation to which the controller is subject;
- The processing is necessary for the performance of a task carried out in the public interest;
- The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.
Pharmacy owners must decide which lawful basis they rely on, and be in a position to demonstrate that they are entitled to do so. Relying on a patient’s consent to process personal data is the least practical option because:
- Consent must be explicit and for a specified purpose;
- Patients must opt in – they cannot consent by default;
- When consent is obtained, the controller will be under an obligation to provide information to patients, including their right to withdraw consent.
Withdrawing consent must be as easy as it was to give consent in the first place. Any failure to satisfy these conditions will invalidate the consent.
It has been common practice for websites and apps to include words in their terms and conditions that tell patients that by clicking to accept, or by proceeding to the next page, they consent to a number of different things. Such consents are no longer valid if the patient has not been given the chance to consent individually to each specified purpose, or if answers purporting to give consent require the patient to opt out.
Controllers (pharmacy owners) may reasonably take the view that the processing of patient medication records is necessary for the performance of a task – the provision of healthcare services – carried out in the public interest. However, intuitively, this is not the most appropriate of the available lawful bases.
Maintaining patient medication records when dispensing prescriptions is a legal obligation. In the case of NHS prescriptions, failure to comply with this obligation may result in performance-related sanctions being imposed. In the case of private prescriptions, recording patient data is a legal obligation under the Human Medicines Regulations 2013 and breaching this requirement is an offence. For pharmacies that dispense both NHS and private prescriptions, relying on the lawful basis of a legal obligation avoids the need to rely and document one lawful basis (performing a task in the public interest) for NHS prescriptions and a different basis for private prescriptions.
Maintaining patient records is consistent with good patient care, and pharmacy owners who dispense private prescriptions have a legitimate interest in processing patient data in the interests of patient care. Pharmacy owners providing non-NHS services may therefore choose to rely on legitimate interest as the lawful basis for processing data – but this lawful basis is not available in the case of NHS services.
Whichever basis is relied on, it is important that it is documented and that the data processed are limited to what is necessary for patient care. If the existence of a legal obligation is relied on, this means that the data in question should be limited to what is derived from prescription forms and the records of supplies and any advice, interventions and referrals. These records can be made using the templates on the Pharmaceutical Services Negotiating Committee website.
Special category data
Personal data concerning health falls into a special category of data (previously classified as “sensitive personal data”). Processing data of this type is prohibited unless one of the following conditions applies:
- The data subject has given explicit consent to the processing for one or more specified purposes;
- Processing is necessary for the purpose of the provision of healthcare or treatment.
For the reasons explained above, relying on consent will involve time and effort on the part of the controller, which would be unnecessary when pharmacies can rely on the processing being necessary for the provision of healthcare or treatment. There is one condition for being able to rely on the exemption for the provision of healthcare and treatment: the processing must be under the responsibility of a professional. In terms of pharmaceutical care, this would require a registered pharmacist or registered pharmacy technician to be responsible for the processing (although this does not mean they have to do the processing personally).
Pharmacies may on occasions want to use patient data for purposes other than the provision of healthcare or treatment. Sometimes a fine line may exist between a health purpose and a commercial purpose — for example, if the controller wishes to contact a patient with an offer to sell an item such as a blood pressure monitor.
Controllers must know which exemption they rely on, and they will be expected to document this and demonstrate their compliance if called upon to do so. The most practicable way of documenting the exemption relied on will be through the use of recording templates.
If a pharmacy owner wishes to use special category data (or, indeed, to use personal data such as the patient’s email address) to communicate with a patient for reasons unrelated to the purpose for which the data were collected in the first place, the patient’s explicit consent would first be required.
Under GDPR, patients have several rights. These rights must be notified to them at the time their data is collected and must be in language that is clear, concise and easily accessible. Pharmacy owners must consider how the information is to be provided, with options including displaying notices in pharmacies and publishing the information in practice leaflets and on websites.
Among other things, patients have the right:
- To be told their data will be processed;
- To access their data free of charge;
- To the erasure of their data if it is no longer necessary for the purpose for which it was obtained or if there is no legitimate overriding interest in retaining these data;
- To withdraw consent to processing (if consent is the lawful basis relied on by the controller).
Data protection officers
The Data Protection Act 2018 defines any provider of NHS services as a public authority and every public authority must have a data protection officer (DPO). This is an important and potentially onerous requirement. Bodies representing healthcare practitioners — including pharmacy bodies, such as the PSNC and the National Pharmacy Association — submitted evidence to Parliament, and unsuccessfully sought an amendment to this provision in the Act before it became law. The UK government’s justification for not accepting the amendment was, according to Margot James, minister for digital and the creative industries, that “primary care providers process sizeable quantities of sensitive health data” and that “in the world of health, data protection is rightly paramount … it does not seem unreasonable that bodies who process those kinds of data should have a single point of contact on data protection matters”.
The contact details of the DPO must be provided to data subjects at the time data are collected (and the name and contact details of the data controller must be provided at the same time). The DPO should not be someone who makes decisions on how data are used, because this could give rise to conflicts of interest. If the data controller is a company, the DPO should have direct access to its board of directors in order to be able to perform his or her functions effectively.
DPOs have a number of obligations. Among other things, they must:
- Be knowledgeable about data protection law;
- Inform and advise employees who process data;
- Be a contact point for all data protection issues;
- Monitor compliance with GDPR and internal data protection obligations;
- Ensure non-compliance with GDPR is reported to the Information Commissioner’s Office (ICO) within 72 hours.
Since DPOs must have independence from their employer when carrying out their role, they cannot be dismissed or penalised for performing their tasks.
Providers of non-NHS services will also be required to appoint a DPO if they process special category data on a large scale. The definition of “large scale” will depend on the circumstances. However, GDPR draws a distinction between a hospital, which will inevitably process data on a large scale, and processing of patient data by an individual physician or other healthcare professional, which does not constitute large-scale processing. In fact, ministers implied in Parliament on 9 May 2018 that all primary care providers process personal data on a large scale.
Unlike superintendent pharmacists, who can only currently be responsible for a single company, a DPO can have responsibility for more than one business. Therefore, businesses may choose to share a DPO, which may lighten the burden, especially for small pharmacy businesses that might otherwise struggle to find an appropriate member of staff to carry out the role.
Pharmacy owners should ensure that all staff who process personal data know who the DPO is and, indeed, it would be part of the role of the DPO to make themselves and their contact details known to data processors.
The cross-sector Community Pharmacy GDPR Working Party group has developed materials that cover each of the different elements of the GDPR and how they apply to community pharmacy. The guidance provides support for community pharmacy organisations in England and Wales to help them plan and prepare their strategy on how to comply with the GDPR,. Community Pharmacy Scotland has developed its own GDPR resources to help community pharmacies in Scotland work towards GDPR compliance.
In order to comply with the GDPR requirements, data controllers should:
- Regularly review what data are held;
- Consider whether data are still needed;
- Delete what is no longer needed for the lawful purpose relied on;
- Monitor who is accessing which data.
Pharmacy owners should consider scheduling regular reviews of data held and ensure they have the means to identify who has accessed data. They should also audit when data has been accessed, looking out for any potentially inappropriate access. In addition to reporting any breaches of data protection that are uncovered (see following section), any breach that calls into question the fitness to practise of a pharmacist or pharmacy technician should be reported to the General Pharmaceutical Council (GPhC).
All data breaches must be recorded, whether or not they have to be reported. Personal data breaches that are likely to result in a risk to people’s rights must be reported to the ICO within 72 hours. Since patients have a right to confidentiality, the obligation to report will apply to many of the breaches that occur in a pharmacy. If there is a high risk that a breach is likely to affect the rights of individuals, the individuals affected must also be informed.
The ICO website states that a breach is defined as:
“The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data”.
Inadvertent breaches of data protection can occur in many ways in a pharmacy business, and the consequences can be serious because of the sensitive nature of the data and the effect on a patient’s privacy.
Delivering medication to the wrong patient would be considered a breach, if the unintended recipient becomes aware of the medication that a different patient has been prescribed. There is also a risk of a data breach if patients are asked to confirm their names or addresses at a pharmacy counter within earshot of others, or if delivered medicines are left with a neighbour. Box 1 outlines some useful ‘dos and don’ts’ that pharmacy professionals should follow in order to make sure they comply with the GDPR requirements.
Removing personal data from pharmacies and breaches
According to a 2017 ICO study, there had been “several reports that there are not proper procedures and controls in place over removing personal data from pharmacies. While details were not provided, loss of data while in transit remains one of the most common breaches likely to lead to significant reputational damage or fines”.
The study found that there were many examples of good practice, but smaller pharmacy businesses were less likely to have a data retention policy than large multiples, and this would have an impact on the obligation not to retain data longer than necessary. It also found that faxes remain a high risk area for inappropriate disclosure of sensitive personal information.
Deliberate breaches do sometimes occur. In 2015, the ICO imposed a fine of £130,000 on Pharmacy2U after the company sold patient lists to commercial enterprises that might take advantage of vulnerable people. There have also been instances of pharmacists and technicians being prosecuted by the ICO and of fitness to practise cases being brought by the GPhC for deliberate breaches of data protection. For example, in 2014, a pharmacist was prosecuted by the ICO for accessing the health records of family members and friends. The individual was convicted and fined £1,000 in the magistrates’ court. The GPhC’s Fitness to Practise Committee later suspended the individual from practice for 12 months.
Compensation and penalties for breaches
GDPR itself gives the subject of a data breach the right to claim damages for distress, without having to prove that the breach caused any actual financial loss. As an illustration of the level of compensation a court might award for distress, the supermodel Naomi Campbell was awarded damages of £3,500 against the Daily Mirror in 2004 after it published a photograph of her leaving a Narcotics Anonymous meeting.
Breaches of data protection will not automatically result in a fine but the ICO has the power to impose penalties for non-compliance with GDPR of up to €20m (£17.6m) or 4% of global turnover, whichever is highest. Financial penalties must be proportionate and must take into account all the circumstances. Inadvertent breaches will be treated less seriously than deliberate breaches, and steps to repair damage and prevent repetition will be taken into consideration when determining the level of any penalty. However, with a risk of severe penalties for non-compliance, pharmacies must take GDPR seriously and ensure that every necessary effort is made to achieve compliance.