The costs of a Data Protection Officer (DPO) are likely to be ‘disproportionate to the benefits’, the Pharmaceutical Negotiating Committee (PSNC) has said.
PSNC is concerned that the General Data Protection Regulation (GDPR) requirement for a DPO would be ‘inappropriate for smaller pharmacy businesses, where the costs of engaging a DPO are likely to be disproportionate to the benefits’.
As stated in the Data Protection Bill, all primary care providers – which are considered public authorities – must appoint a DPO regardless of their size.
This is despite the GDPR only requiring a DPO appointment if an organisation’s core activities ‘consist of large scale processing of special categories of data’, including healthcare data, according to the UK’s independent authority, the Information Commissioner’s Office (ICO).
‘Avoiding quirk of legislation’
PSNC director of operations and support Gordon Hockey said that ‘we must avoid a quirk of legislation leading to unnecessary expense for community pharmacy’.
He continued: ‘It is reasonable to ask those processing health data on a large scale to have a DPO, but not smaller community pharmacies.
‘This burden would also come at a time when many pharmacy owners are experiencing cost pressures following funding cuts and increases in medicine prices.’
‘Unreasonable and unnecessary burden’
In a letter – calling on the Government to exempt NHS primary care providers from having a DPO – the PSNC, the National Pharmacy Association, the British Dental Association and the Optical Confederation said that ‘the Bill would put an unreasonable and unnecessary burden on small NHS primary health care providers, which are also private businesses’.
They added: ‘The DPO requirement in Clause 7 of the Bill is unlikely to provide any practical benefit for patients – whether in terms of care or improving data security.’
A DPO’s tasks include, among others, advising on data protection impact assessments, conducting audits and training staff involved in processing operations.
The changes to GDPR will come into force in UK law on 25 May.