Questions and Answers
What is the primary aim of the GDPR and Data Protection Act?
To ensure that personal data is processed lawfully, fairly, and in a transparent manner in relation to individuals.
What constitutes personal information (PI)?
Personal Information (PI) can encompass various types of information that could identify a person. Name and address, telephone number, email address, details of dispensed medicines, NHS number, and age are commonly considered PI.
What are the key roles and responsibilities of a Caldicott Guardian?
Caldicott Guardians are responsible for ensuring that patient and service-user confidential information is handled to the highest ethical and legal standards, and that confidentiality is maintained.
What is the significance of the Summary Care Record (SCR) in healthcare?
Which of these is NOT a key principle of the Caldicott Principles?
The GDPR distinguishes between consent for a service provision and consent for processing the associated data.
Which of the following is NOT a data breach scenario?
Which of the following circumstances does NOT typically require the patient's consent before accessing their SCR?
It is acceptable for a staff member to use their personal smartphone to access a patient's PMR.
Study Notes
OSPAP Programme: Non-Pharmaceutical Legislation Affecting Pharmacy (Part 2)
- The programme covers Data Protection, Confidentiality, and Consent.
- The materials were presented by John Sherwood MRPharmS on January 15th, 2025.
- The presentation is part of the OSPAP MPHM15 course on General Data Protection Regulation.
Learning Outcomes
- Students will understand the aims of the GDPR and Data Protection Act.
- They will be able to describe the role of the Information Commissioner.
- Key terms used in the law and what constitutes personal data will be defined.
- The function of a Caldicott Guardian and the Caldicott Principles are part of the course.
- The data protection principles and the rights of individuals will be covered, with particular emphasis on how these apply to pharmacy.
- Students will be able to define consent.
- The presentation outlines how confidential information can legally be disclosed and the possible consequences of unlawful disclosure.
- Guidance on confidentiality and consent (from the GPhC) will be reviewed.
- Students will learn what information is found on a patient's Summary Care Record (SCR).
- They will gain an understanding of when accessing the SCR is appropriate.
Is Data Protection and Confidentiality an Issue in Pharmacy?
- A GPhC council meeting and minutes (February 8, 2018) noted recurring issues with data protection in community pharmacies, including prescription forms left on counters and consultation rooms used for additional dispensing space without adequate precautions.
'Nosey' Technician Warned
- A pharmacy technician, Amy Jane Connelly, received a formal warning from the GPhC for repeatedly accessing patient medical records without clinical justification.
Pharmacy Incurs First Ever UK Data Protection Fine
- Doorstep Dispensaree, a London-based dispensary, incurred the UK's first fine for violating the General Data Protection Regulation (GDPR).
Pharmacist Issued Warning After Fly-Tipping 'Personal Patient Details'
- An East London pharmacist was issued a warning for discarding patient information with general waste. The waste included prescription slips, medicine boxes, blister packs and other packaging bearing patient details, and paperwork such as invoices.
Data Protection
- GDPR focuses on the lawful, fair, and transparent processing of personal data, granting individuals new rights regarding how their data is handled.
- The Information Commissioner's Office (ICO) is the UK regulator for the UK GDPR and the Data Protection Act 2018; there is no separate "GDPR Act".
Definitions
- Data Subject: Any identified or identifiable living individual.
- Data Processing: Any operation performed on personal data, including collection, recording, organisation, structuring, storage, retrieval, consultation, use, disclosure, and erasure or destruction.
- Data Controller: The person or organisation that determines the purposes and means of processing, i.e. what data is processed and how, and who carries overall responsibility for it.
- Information Commissioner's Office (ICO): The independent UK authority upholding information rights in the public interest.
What is Classed as Personal Information (PI)?
- Examples include name, address, phone number, email, details of dispensed medicines, NHS number, and age.
- This list is not exhaustive. Any information relating to an identified or identifiable living individual is personal information, including information that identifies a person only when combined with other data the organisation holds.
Use of Personal Information (PI)
- Organizations must handle PI transparently, explaining how it's used.
- They must provide individuals with choices on the use of PI.
- Keeping PI secure is critical.
- Organizations should collect and retain the minimum amount of PI necessary for their functions.
- Only retain PI as long as it's needed.
- Report any loss of PI promptly.
'Special Category' Data (1)
- Special category data involves particularly sensitive personal information.
- Its disclosure can significantly impact rights and freedoms.
- The categories are: racial or ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, sex life, sexual orientation, biometric data (used for identification), genetic data, and health data.
'Special Category' Data (2)
- Processing of special category data is prohibited unless a specific condition in the law applies. The two conditions most relevant to pharmacy are:
- The data subject has given explicit consent to processing for one or more specified purposes.
- Processing is necessary for the provision of health care or treatment, carried out by or under the responsibility of a professional subject to a duty of confidentiality.
Data Protection Principles
- The data must be fairly and lawfully processed.
- Processing is limited to specified purposes.
- Data collected must be adequate, relevant, and not excessive.
- The data must be accurate and kept up to date.
- Data retention is limited to what's necessary.
- Processing must respect the rights of data subjects.
- Data must be processed securely: protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.
- Data must not be transferred outside the UK (outside the European Economic Area under the original EU GDPR) unless appropriate safeguards are in place.
Rights of Individuals (Data Subjects)
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object to data processing
- The right not to be subject to automated decision-making (including profiling)
Rights of Individuals – Applied to Pharmacy
- Display a fair processing notice (privacy notice)
- Provide access to personal information
- Allow rectification of inaccurate or incomplete information
- Address objections to data processing
Key Roles and Responsibilities – Applied to Community Pharmacy
- An Information Governance (IG) Lead is needed to meet contractual requirements.
- A Data Protection Officer (DPO) must be appointed to oversee GDPR compliance. The role must be independent, so it should not be held by the business owner.
- All staff members share responsibility for data protection and confidentiality.
Application to Pharmacy
- Patient confidentiality is important for building trust
- The GPhC guidance is a resource.
- Consent for access to confidential information is crucial.
- Disclosure of information without consent may be required for public interest or legal reasons.
Data Breaches
- Examples of breaches include unauthorized access, incorrect recipient of data, alteration of data, loss or theft of devices holding PI, and deliberate/accidental breaches by controllers or processors.
- Every data breach must be documented. A breach that is likely to result in a risk to individuals' rights and freedoms must be reported to the ICO without undue delay and within 72 hours of the organisation becoming aware of it.
- Where a breach is likely to result in a high risk to individuals, the affected individuals must also be notified.
- Penalties for data breaches can be substantial.
Examples of Data Insecurity
- Examples given for data insecurity include: visible prescription forms; discussion of customer records; errors in prescription processing; lack of security measures; lost prescriptions; lost keys; faxes to wrong number; data breaches; insecure NHS smartcards.
NHS Smartcards
- NHS smartcards are vital for accessing NHS services.
- Users must not share smartcards, leave them unattended, or share their passcodes.
- Cardholders are responsible for actions taken with their smartcard.
Caldicott Guardians (1)
- NHS organizations should appoint a Caldicott Guardian.
- Caldicott Guardians play a key role in maintaining ethical and legal standards for processing patient data.
- Caldicott Guardians have various daily responsibilities, which vary depending on the organization's size and type.
Caldicott Guardians (2)
- Caldicott Guardians are expected to document their advice, judgments, and decision-making processes.
- Advice should be given and recorded in writing (e.g. email) wherever possible rather than in undocumented verbal discussion, so that a record of the decision exists.
- Combining Caldicott Guardian and Data Protection Officer roles is possible so long as there is no conflict of interest.
- Guardians are required to have an in-depth understanding of relevant data protection laws and Caldicott principles
Caldicott Principles
- The eight Caldicott Principles are:
- 1. Justify the purpose(s) for using confidential information.
- 2. Use confidential information only when it is necessary.
- 3. Use the minimum necessary confidential information.
- 4. Access to confidential information should be on a strict need-to-know basis.
- 5. Everyone with access to confidential information should be aware of their responsibilities.
- 6. Comply with the law.
- 7. The duty to share information for individual care is as important as the duty to protect patient confidentiality.
- 8. Inform patients and service users about how their confidential information is used.
Consent
- Consent is a critical element of confidential information handling.
- Consent must be active and cannot be assumed, silent or inactive.
- Pre-ticked options for consent are expressly forbidden.
- There are two types of consent: explicit and implied.
- Explicit consent is permission given expressly for a specific use of the information. It can be given verbally or in writing, and should be recorded.
- Implied consent is permission inferred from the patient's actions in a context where they would reasonably expect the information to be used, for example handing in a prescription to be dispensed.
- Proper professional judgment and specific service circumstances should be considered when deciding which type of consent to obtain.
Obtaining Consent
- For someone to give consent, they must have the capacity to understand and act voluntarily, possess adequate information, and be capable of weighing implications of the consent (including potential risks).
- Information must be presented clearly, accurately and in a comprehensible way.
Disclosures Required by Law
- Certain bodies (e.g. the police, regulators, the courts) can request patient information without the patient's consent where the law requires or permits disclosure.
- The requester must justify the legitimacy of the request, and the pharmacist should verify the request and disclose only the information the legal basis covers.
- Disclosures should follow established guidance and be recorded.
Disclosures Made in the Public Interest
- Confidential information can be disclosed without consent if it is in the public interest, to prevent serious crime, serious harm, or serious public risk to health.
Summary Care Record (1)
- The Summary Care Record (SCR) is a secure electronic record created from GP patient records in England.
- Information in the SCR includes allergies, current medication, past adverse reactions, and other relevant medical history and preferences.
Summary Care Record (2) - Consent
- Patients must be informed and must give explicit consent (permission to view) before a pharmacy professional accesses their SCR, other than in an emergency.
- Patients can withdraw consent at any time.
- Verbal consent is acceptable and should be recorded.
- Consent may be ongoing, for example for a regular patient, but it must still be confirmed rather than assumed.
Summary Care Record (3) - Practical Uses
- SCRs are valuable tools in hospital and community pharmacies.
- SCRs can provide quick access to crucial information for patient care.
- When dispensing medicines and maintaining patient records, the SCR reduces administrative work (e.g. confirming current medication and allergies) and supports quicker, safer patient care.
Further Information
- Various resources provide further information on data protection, confidentiality, and consent, including GPhC guidance, NHS, and professional organizations.
Case Studies – What Would You Do?
- Several case studies are presented to assess students' ability to apply data protection and consent principles to realistic pharmacy scenarios.
- Case examples cover special offers, private prescriptions, potential breaches, and requests for information
Further Questions on Case 4
- The final case study poses ethical dilemmas including employee actions, access to medical records, and potential conflicts of interests.
And finally...
- A recent report highlights more than 50 data breaches involving the handling of patient information over a 16-month period.
- These breaches include lost or stolen paperwork, data sent to the wrong recipient by post or email, and verbal disclosures of personal data.
- The report raises concern about widespread ignorance of data protection requirements and notes that every pharmacy needs a data protection officer.
Description
This quiz covers the critical aspects of Non-Pharmaceutical Legislation affecting pharmacy, particularly focusing on the GDPR and Data Protection Act. Learn about the role of the Information Commissioner, key legal terms, and the importance of confidentiality and consent in pharmacy practice.