Data Protection Act & GDPR in Pharmacy

Questions and Answers

A pharmacy is expanding its dispensing area into the patient consultation room. Which action is MOST critical to maintain patient data protection?

  • Removing all furniture from the consultation room to create more space.
  • Implementing precautions to protect patient data and confidentiality in the consultation area. (correct)
  • Informing the Information Commissioner's Office (ICO) of the change in space usage.
  • Ensuring prescription forms are kept on the medicines counter to streamline dispensing.

According to the GDPR, which action is LEAST likely to be a legitimate reason for processing personal data?

  • Processing data with the explicit consent of the data subject.
  • Processing data to comply with a legal obligation.
  • Processing data for purposes that override the rights and freedoms of the data subject. (correct)
  • Processing data necessary for a task carried out in the public interest.

Which of the following pieces of information is MOST likely to be classified as 'Special Category Data' under the GDPR?

  • A patient's religious beliefs. (correct)
  • Details of routine medicines dispensed.
  • A patient's name and address.
  • A patient's age.

A patient requests access to all their personal data held by a pharmacy. According to individual rights under the GDPR, within what timeframe must this information be provided?

Within one calendar month. (C)

In which scenario is a pharmacy MOST likely required by law to disclose confidential patient information without patient consent?

When requested by a police officer presenting a legitimate reason. (C)

A pharmacy experiences a data breach involving the loss of unencrypted patient data. Under the GDPR, within what timeframe must the ICO be notified if the breach poses a risk to individuals' rights?

Within 72 hours of the breach. (C)

A pharmacy professional is unsure whether to disclose patient information in a complex situation. What is the MOST appropriate course of action?

Seek professional advice from an indemnity insurance provider or legal advisor. (A)

Which action by a pharmacy technician is MOST likely to be a breach of data security?

Leaving prescription forms visible in an area accessible to other customers. (A)

What is the PRIMARY role of the Data Protection Officer (DPO) in a pharmacy setting?

Providing expertise in data protection law and monitoring GDPR compliance. (C)

According to the GPhC, what is an essential element of maintaining patient confidentiality and privacy in a pharmacy?

Managing information responsibly and securely. (B)

Flashcards

GDPR

Ensuring data is processed lawfully, fairly, and transparently, giving individuals rights over how their personal data is used.

Data Processing

Collecting, recording, organizing, structuring, storing, using, and disclosing data.

Data Controller

A person with overall responsibility for deciding what data to process and how.

Personal Information (PI)

Name, address, phone number, email, medical details, NHS number, age or any information to identify someone.


"Special Category" Data

Health data, genetic data, biometric data, sexual orientation, race, religion, political opinions, trade union memberships.


Rights of Data Subjects

The right to be informed, access, rectification, erasure, restrict processing, data portability, object to processing.


GPhC Standards

GPhC core standards: person-centred care, partnership working, effective communication, professional knowledge and skills, professional judgement and behaviour.

Lawful Disclosure

Agreement of the individual, legal requirement, public interest concerning a serious crime, serious risk.


Data Breach

Access by unauthorized third party, data sent to an incorrect person, alteration of data without.


Pharmacy Data Security Risks

Visibility of Rx forms, shouting out patient details, lost prescriptions, sending data insecurely.


Study Notes

  • Data protection and confidentiality involve following the GPhC standards for pharmacy professionals.
  • Regulations in the GDPR and Data Protection Act 2018 set the aims for data protection.
  • UK data rights are reinforced by the Information Commissioner.
  • The law defines what terms can be used and what constitutes personal data.
  • There are also laws describing how individual rights are applied to pharmacy.
  • Consequences of unlawful disclosure of confidential information are set out in law.
  • GPhC provides guidance on confidentiality for pharmacy professionals.
  • It goes over consent and how it is obtained.

Data Protection Issues in Pharmacy

  • Issues include prescription forms being left on counters and consultation rooms lacking data protections.

GDPR

  • Focus is on how personal data is handled and processed.
  • The purpose is to have data processed in a lawful, fair, and transparent way.
  • Individuals are given new rights regarding how their personal data is used.
  • A new Data Protection Act in May 2018 relates to personal information and how it is collected, stored, and used.
  • The Information Commissioner oversees the Act.
  • Anyone who records and uses personal information must register with the IC.

Important Definitions

  • Data subject: An identified or identifiable living individual.
  • Data processing: Includes collecting, recording, organising, storing, using, and disclosing data.
  • Data processor: Someone who engages in data processing.
  • Data Controller: Person responsible for deciding what data is processed and how.
  • Data Protection Officer: Gives guidance and monitors compliance.
  • ICO: An independent authority protecting UK information rights.

GDPR Principles

  • Information must be processed transparently, lawfully, and fairly.
  • Collection must be for specific, legitimate, and explicit purposes.
  • Relevant and limited to what's required for processing.
  • Kept accurate and up to date.
  • Kept in a form that permits identification of data subjects for no longer than necessary.
  • Data is processed securely.

Personal Information (PI)

  • Includes names, addresses, phone numbers, email addresses, dispensed medicines details, NHS numbers, and ages.
  • Any information can be PI if it could potentially identify an individual.

Personal Information Usage

  • Organisations should be transparent about how PI is used
  • Provide choices about PI use
  • PI should be in a secure location
  • Only collect the minimum amount of necessary PI to perform their role
  • Only retain necessary PI
  • All PI lost should be promptly reported
  • Non-compliance results in severe penalties

Lawful Data Processing Reasons

  • The General Data Protection Regulation (GDPR) permits data processing under the following conditions:
  • Consent has been given by the data subject
  • Processing is necessary for the performance of a contract
  • Processing is necessary to comply with a legal obligation, e.g. a court order
  • Processing is necessary to protect the data subject's interests
  • Processing is necessary for a task carried out in the public interest
  • Processing is necessary for the data controller's legitimate purposes, except where those interests are overridden by the data subject's rights and freedoms

Special Category Data

  • This is especially sensitive personal information.
  • Health data and genetic data fall under the special category.
  • Race, ethnic origin, religious or philosophical beliefs, and political opinions also fall under the special category.
  • It also includes biometric data, data relating to sexual preferences, sex life and/or sexual orientation, and trade union membership.
  • Disclosing this type of data could impact individual rights and is potentially used for unlawful discrimination.

Special Category Data Processing Condition

  • Special category data may not be processed unless one of the following applies:
  • Explicit consent has been given
  • Processing is necessary for healthcare or treatment
  • Processing is carried out under professional responsibility, e.g. by a healthcare professional

Individual Rights

  • Right to be informed
  • Right to access
  • Right to rectification
  • Right to erasure
  • Right to restrict processing
  • Right to data portability
  • Right to object to data processing
  • Right not to be subject to automated decision-making
  • Not all rights apply in every case; legislation may require pharmacy records to be retained.

Individual Rights in Pharmacy

  • Pharmacy must show a 'fair processing notice' explaining how PI is handled
  • The notice must be available on a website or in the pharmacy leaflet
  • Individuals can request their information free of charge within 1 month
  • There is a right to request and amend information. Some information should be retained even if incorrect
  • The right to object requires a pharmacy to evaluate the need to continue processing against individual interests, rights, and freedoms

GPhC Standards

  • Standards include person-centred care, partnership working, communication, professional knowledge, judgement, behaviour, confidentiality, privacy, and leadership

Confidentiality

  • Protected by the Human Rights Act 1998, the Data Protection Act 1998, and GDPR
  • Pharmacists must stay up to date with any changes

GPhC Standards

  • Patient confidentiality is a professional obligation for all professionals
  • It is an important aspect of maintaining good relationships with patients
  • The GPhC 'Guidance on Patient Confidentiality' provides a useful source of information
  • Accessing confidential information requires patient consent in most circumstances
  • In some circumstances though, consent is not needed
  • This is a complex area in which legal advice is warranted, especially if the requester is not the data subject.

Disclosing Confidential Information

  • Maintaining confidentiality is an important duty for healthcare professionals
  • A patient can agree for their information to be disclosed to others
  • When it is in the public's interest to disclose the information
  • Disclosing only the required information
  • Whoever receives the data should be made aware that the information is confidential
  • All records must be appropriately made
  • A pharmacist must explain any action taken

Lawful Disclosures

  • Requests may be made without the consent of the data subject by:
  • Police or another enforcement, prosecuting or regulatory authority
  • Healthcare regulator
  • NHS counter-fraud officer, coroner, judge, or relevant court
  • The above do not have automatic access to the data; the pharmacy must ensure the reason for the request is legitimate

Public Interest Disclosures

  • Confidential details are disclosed in the public interest without consent of the data subject
  • Includes harm to the person receiving the care, serious risk to public health, and serious crime prevention
  • Legal advice, for instance from a health union, should be sought to weigh the competing interests and to determine the seriousness of the consequences

Data Security in Pharmacies

  • Do not leave Rx forms in plain view
  • PMR screens should not be visible to other people
  • Never talk about clients inside or outside of work
  • Keep physical security measures in place in the pharmacy
  • Avoid errors when dispensing, handing out and delivering prescriptions
  • Never shout out details about clients when they are collecting prescriptions
  • Keep smart cards secure
  • Use secure sign-on for PMR access
  • Never lose prescriptions
  • Be aware of who holds keys, including filing cabinet keys
  • Avoid faxing data to the wrong number
  • Always encrypt electronic data
  • Never send emails containing data to the wrong recipient

Data Breaches

  • A data breach occurs with:
  • Access by an unauthorised third party
  • Data sent to the incorrect recipient
  • Changes to data without permission
  • Loss of a computing device that contains personal data
  • Any such action carried out by a controller or processor
  • Data breaches have to be well documented
  • The ICO has to be informed of any breach within 72 hours so it can be addressed as soon as possible
  • If the breach affects individuals, they should all be contacted and informed
  • Controllers can be fined for GDPR breaches up to 4% of global turnover or 20 million Euros
