Pharmacy law expert Noel Wardle gives pharmacists the run-down on what changes they need to make to their business before new data legislation comes into force in May

The Data Protection Bill is due to have its Second Reading in the House of Commons on 5 March. The Act will become law on 25 May, and – Brexit notwithstanding – will make the European Union’s (EU) General Data Protection Regulation (GDPR) part of UK law.

The law affects pharmacy owners in at least two ways – both as the processors of data relating to patients, and as processors of data relating to employees. I am going to focus here on the health records of patients.

Who is responsible for data?

A data controller is the person who decides how and why data is to be processed. Processing data means, among other things, collecting, recording, retrieving, consulting and using it.

There are a number of grounds on which data can be lawfully processed, and controllers must decide which ground they rely on. Data concerning health is a special category, and processing it is prohibited unless the data subject has given explicit consent or processing is necessary for the purposes of health care or treatment. To rely on this purpose, the data must be processed by or under the responsibility of a professional. This could be a pharmacist or a registered pharmacy technician.

What steps do I need to take?

If, for some reason, health data is not being processed for the purpose of health care, and the controller relies on having obtained the patient’s explicit consent, the controller must be in a position to prove that consent has been given either verbally or in writing. Valid consent must have been given freely and for a specific purpose. Any information given by the controller must have been clear, concise, transparent and easily accessible. Also, the patient must have been informed at the time of giving consent that the consent could be withdrawn – and withdrawal must be as easy as giving consent in the first place.

Pharmacy owners will have to show they comply with data protection law and have appropriate policies in place, including staff training. A key feature of the new law is the obligation on a controller to appoint a data protection officer (DPO) whose contact details are published. The DPO must monitor compliance with data protection law, and the controller’s compliance with procedures.

What happens if I don’t comply?

If the GDPR is contravened, a representative body can claim compensation on behalf of an affected person, and either the controller or the processor may be ordered to pay compensation for distress, even if no actual damage has been suffered.

Other key features of the new law include an obligation to report data breaches, such as accidental or unlawful loss of data within 72 hours. There is also a duty to notify any patient whose data has been lost. The financial penalties for breaching GDPR are severe.

Where a company commits an offence, any director or officer (which may include the superintendent pharmacist) who consents to the offence or neglects to prevent it will also be guilty.

It is important for all pharmacy owners to review now the data they hold and to put in place arrangements that will enable them to comply with GDPR when it becomes law.

Noel Wardle is Head of Pharmacy at law firm Charles Russell Speechlys LLP ([email protected])