The General Data Protection Regulation (GDPR) will be enforced in Europe on 25 May to ‘harmonise data privacy law across Europe, protect and empower all EU citizens data privacy and reshape the way organisations across the region approach data privacy’.
Data protection already affects contractors, as pharmacies process personal data such as prescription information and records from advanced services.
GDPR is an evolution of the existing law and builds on the work contractors already do. It’s a ‘step change’ – what was best practice becomes mandatory.
While guidance is still being issued, The Pharmacist outlined the 13 steps contractors should take to comply with GDPR, as explained by Pharmaceutical Services Negotiating Committee (PSNC) director of operations and support Gordon Hockey during the negotiator’s webinar on GDPR.
All templates mentioned can be found in the community pharmacy GDPR Working Party guidance.
STEP 1. Decide who is responsible
Contractors are responsible for data protection and security within their premises as well as compliance with the GDPR.
It is recommended to appoint one person responsible for the GDPR implementation, who could be the information governance (IG) lead.
Under the regulation, an organisation whose core activities involve large-scale processing of special category data (which includes health data) must appoint a data protection officer (DPO) – essentially an in-house GDPR adviser.
At the moment, it is not clear what ‘large scale’ refers to. Mr Hockey argues that owning 30 or more pharmacies might be considered a large-scale business.
What to do next? Complete template A in the workbook and hold fire until we have more information about DPO appointment.
STEP 2. Action plan
Everybody in the pharmacy is responsible for the protection and confidentiality of patients’ data.
You need to think about staff training on GDPR – which can be carried out as updates in team meetings or formally, if necessary – and be ready to answer questions and guide them.
You will still have to pay an annual fee to the Information Commissioner’s Office (ICO).
What to do next? Complete template B and train your staff appropriately.
STEP 3. Think about and record the personal data you process
You must record personal data you process in your pharmacy and clearly indicate how you collect, store and use it.
Pseudonymising records, for example by replacing a patient’s name with a key or identification number, might be useful.
PSNC suggests reviewing your record of all the filing systems held in your pharmacy at least once a year.
What to do next? Complete template C.
STEP 4. Ensure you have a lawful basis for processing data
The GDPR requires every organisation to have a lawful basis for processing personal data.
Pharmacies already have a lawful basis for much of their data processing, which is ‘for the performance of a task carried out in the public interest’. Relying on this basis means the processing does not depend on the patient’s consent.
Under the GDPR, health data is ‘special category’ data and is further protected. As well as a lawful basis, pharmacies must meet one of the additional conditions for processing it, which include ‘the provision of healthcare or treatment’.
You also need to consider your employees’ personal data and provide people with information about how it is processed through the pharmacy’s privacy notice.
Processing of health data for healthcare and management purposes must be carried out by, or under the responsibility of, a person bound by a professional duty of confidentiality, such as a registered pharmacist or pharmacy technician.
What to do next? Complete template C.
STEP 5. Process according to data protection principles
Largely, these principles are the same as those under the Data Protection Act 1998, with one or two minor changes.
All personal data must be processed in line with data protection principles. This process must be documented through policies and records.
Pharmacies should already be broadly compliant with data protection principles as part of their ongoing IG requirements.
What to do next? Complete the workbook and refer to template D.
STEP 6. Review and check with your processors
The GDPR makes contractors, as data controllers, responsible to some extent for what happens to personal data they pass to a processor acting on their behalf, such as the patient medication record (PMR) system supplier.
You have to make sure that they process data only according to your instructions, that the data is kept secure and that they meet your requirements under the GDPR. If there is a breach, they must notify you without undue delay so you can in turn notify the ICO (and, where required, the patients affected) within the statutory time frame.
What to do next? Complete template E and speak with your processors to check whether existing contractual terms comply with the GDPR requirements.
STEP 7. Obtain consent if you need to
Hopefully, this step will not be relevant for most contractors, as their processing won’t rely on consent (see STEP 4) unless they carry out direct marketing or run a bigger pharmacy that engages with customers in other ways.
By 25 May, any consent you rely on must be GDPR compliant and recorded. Note that consent for data processing is not the same as consent for service provision, which will still be needed.