Non-Pharmaceutical Legislation Affecting Pharmacy (Part 2) - OSPAP MPHM15 - PDF
University of Sunderland
2025
OSPAP
John Sherwood MRPharmS
Summary
This document covers non-pharmaceutical legislation affecting pharmacy, focusing on data protection, confidentiality, and consent. It includes learning outcomes, definitions, and case studies related to data security in community pharmacies and the General Data Protection Regulation (GDPR).
Full Transcript
WEEK 25 Non-Pharmaceutical Legislation Affecting Pharmacy (Part 2)
Data Protection, Confidentiality and Consent
John Sherwood MRPharmS, 15th January 2025
Slide 1 of 41, OSPAP MPHM15 General Data Protection Regulation, WEEK 25

Slide 2 of 41: Learning outcomes
- Describe the aims of the GDPR and the Data Protection Act
- Describe the role of the Information Commissioner
- Define terms used in the law and list what constitutes personal data
- Describe what a Caldicott Guardian is responsible for and know the Caldicott Principles
- Describe the data protection principles and the rights of individuals, and how these apply to pharmacy
- Define consent and describe how this may be obtained
- Describe how disclosure of confidential information can be lawfully made and the likely consequence of unlawful disclosure
- Be aware of and understand GPhC guidance regarding confidentiality and consent
- Describe what information can be found on a patient's SCR and when it may be useful to access the SCR

Slide 3 of 41: Is data protection and confidentiality an issue in pharmacy?
'Typically, the sorts of issues being found [in community pharmacies that were inspected] were prescription forms being left on the medicines counter and cases where the consultation room was being used for additional dispensing space but without appropriate precautions being taken to protect patient data' (GPhC, Council meeting and minutes, 8 February 2018)

Slides 4 to 6 of 41: no text content (image slides)

Slide 7 of 41: DATA PROTECTION

Slide 8 of 41: no text content (image slide)

Slide 9 of 41: What is the General Data Protection Regulation (GDPR)?
- Focuses on the processing of personal data
- Intended to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals
- Gives individuals new rights regarding how their personal data is used
- The GDPR is accompanied by a new Data Protection Act (the Data Protection Act 2018), which came into force in May 2018
- The new law is all about personal information and the way that it is collected, stored and used
- The Information Commissioner (IC) oversees the Act
- The Act requires anyone who records and uses personal information to be registered with (in practice, to pay the data protection fee to) the ICO, unless exempt

Slide 10 of 41: Definitions
- Data subject: an identified or identifiable living 'natural person'
- Data processing: collecting, recording, organising, structuring, storing, retrieving, consulting, using and disclosing data
- Data processor: a person or organisation that carries out any of the above on behalf of the data controller
- Data controller: the person or organisation with overall responsibility for the processing of information (decides what data to process, why and how)
- Information Commissioner's Office (ICO): the independent authority for the UK which upholds information rights in the public interest

Slide 11 of 41: What is classed as personal information (PI)?
Examples:
- Name and address
- Telephone number
- Email address
- Details of medicines dispensed
- NHS number
- Age
This is not an exhaustive list! Any information which could potentially be used to identify a person could be classed as PI.

Slide 12 of 41: Use of personal information (PI)
Organisations are expected to do the following regarding how they handle and use PI:
- Be transparent in explaining how they use a person's PI
- Provide choices about how PI is used (where it is appropriate to do so)
- Keep PI secure
- Only collect and retain the minimum amount of PI necessary to carry out their functions
- Only retain PI for as long as it is required
- Report any loss of PI promptly
There are severe penalties for non-compliance.

Slide 13 of 41: 'Special category' data (1)
Special category data is personal information that is especially sensitive. Disclosure of this data could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.
GDPR special category data includes any information relating to a person's:
- Race and ethnic origin
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Sex life and/or sexual orientation
and any:
- Biometric data used to identify an individual
- Genetic data
- Health data

Slide 14 of 41: 'Special category' data (2)
The processing of special category data is prohibited unless one of the following applies:
- The data subject has given explicit consent to the processing for one or more specified purposes
- Processing is necessary for the purpose of the provision of healthcare or treatment. In this case the processing must be done under the responsibility of a professional, but the professional does not have to do the processing themselves

Slide 15 of 41: Data Protection Principles
The data must be:
1) Fairly and lawfully processed
2) Processed for specified purpose(s)
3) Adequate, relevant and not excessive
4) Accurate and kept up to date
5) Not kept for longer than is necessary
6) Processed in line with the person's rights
7) Protected against unauthorised or unlawful processing and against accidental loss, destruction or damage
8) Not transferred outside the EEA unless that country has adequate protection arrangements
(Note: this eight-point wording is that of the Data Protection Act 1998. Article 5 of the GDPR expresses the same ideas as seven principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability. International transfers are governed by separate transfer rules rather than by a principle.)

Slide 16 of 41: Rights of individuals ('data subjects')
1. The right to be informed
2. The right of access
3. The right to rectification
4. The right to erasure
5. The right to restrict processing
6. The right to data portability
7. The right to object to data processing
8. The right not to be subject to automated decision-making, including profiling

Slide 17 of 41: Rights of individuals, applied to pharmacy
1. The right to be informed: the pharmacy should display a fair processing notice ('privacy notice') which explains how it will handle PI. The notice should be in plain English and readily available, including on a website or in the pharmacy practice leaflet.
2. The right of access: people can request the information held about them without incurring any charge, and the information must be provided within one calendar month.
3. The right to rectification: an individual has the right to request that any information entry is amended or corrected, or that other relevant information is added. Some information should be retained even if it is incorrect (e.g. if it records what was written on a Rx or what was dispensed).
7. The right to object to data processing: people have a right to object to the processing of their data, and if they do the pharmacy will need to consider whether the need to continue processing (e.g. holding a record) overrides their interests, rights and freedoms.

Slide 18 of 41: Key roles and responsibilities, applied to community pharmacy
Information Governance (IG) Lead
- The pharmacy must appoint an IG lead to meet contractual requirements
Data Protection Officer (DPO)
- The pharmacy must appoint a Data Protection Officer
- Should be someone who has expertise in data protection law and the GDPR and who can give advice and monitor compliance
- Should not be anyone who decides the means of processing personal data (so should not be the business owner), as this could give rise to a conflict of interest
- Should also understand pharmacy and the associated professional and legal responsibilities
All pharmacy staff are responsible for data protection and confidentiality.

Slide 19 of 41: Application to pharmacy
- Community pharmacies are already subject to information governance (IG) requirements
- Patient confidentiality is a professional obligation for all pharmacy professionals; it is also an important aspect of maintaining good relationships with patients
- GPhC 'Guidance on Patient Confidentiality' provides a useful source of information
- Bear in mind the storage of confidential information and its proper destruction
- Access to confidential information should occur with the consent of the patient; however, there are some circumstances where consent is not needed
- Disclosure of information is a complex area and advice should be sought if there is any uncertainty about the legal situation
- GDPR consent applies to commercial activities (e.g. use of data for marketing purposes) rather than professional activities

Slide 20 of 41: Data breaches
Examples:
- Access by an unauthorised third party
- Sending personal data to an incorrect recipient
- Alteration of personal data without permission
- Computing devices containing personal data being lost or stolen
- Deliberate or accidental action by a controller or processor
Any data breach should be documented. Personal data breaches that are likely to result in a risk to a person's rights must be reported to the ICO within 72 hours of the organisation becoming aware of the breach. If there is a high risk that the breach will affect the rights of individuals, the individuals affected must also be informed. The IC has the power to fine controllers or processors who breach the GDPR by up to 4% of global annual turnover or up to €20 million (£17.5 million under the UK GDPR), whichever is the higher.

Slide 21 of 41: Examples of data insecurity in a pharmacy
- Visibility of prescription forms, left in a place where other people can see them (also prescriptions awaiting collection)
- Visibility of the PMR screen to other people
- Having discussions about customers both inside and outside of work
- Physical security breaches to the premises: open windows or doors
- Errors when bagging, handing out or delivering prescriptions
- Shouting out patients' details when they are collecting a prescription
- Lack of a secure sign-on for access to the PMR
- Lost prescriptions
- Lost keys to the premises or any filing cabinets
- Faxing information to an incorrect number
- Lack of encryption of electronic data
- Sending an email with data to the incorrect recipient
- Not keeping NHS smartcards secure, or sharing a smartcard

Slide 22 of 41: NHS Smartcards
An NHS smartcard is required to access the NHS Spine (i.e. to download electronic prescriptions and access patients' SCRs). The NHS national terms and conditions state that:
- Smartcards should not be shared
- Smartcards should not be left unattended
- Users should not disclose their passcode to others
- The smartcard holder is responsible and accountable for any actions undertaken when their smartcard is used
Any lending of the card, and any subsequent errors made by the borrower, will be attributed to the smartcard holder, because the card (not the person using it) is what is recorded and auditable in the patient's records.

Slide 23 of 41: CALDICOTT GUARDIANS

Slide 24 of 41: Caldicott Guardians (1)
Organisations that provide services and care within the NHS are recommended to appoint someone as a Caldicott Guardian. Caldicott Guardians should:
"Play a key role in helping to ensure that their organization satisfies the highest ethical and legal standards for processing patient and service user confidential information. Their main concern is confidential information relating to patients, service users and their care."
Day-to-day activities of a Caldicott Guardian will vary according to the type and size of the organisation, but they may include:
- advising on disclosures of confidential information
- involvement with patients' or service users' complaints
- involvement in audit reporting or recommendations
- involvement in data breach investigations
Caldicott Guardians should be "available and accessible for patients and service users". Their contact details should be publicly accessible, for example via websites. Organisations must register the details of Caldicott Guardians on the Caldicott Guardian register, which is maintained by NHS Digital.

Slide 25 of 41: Caldicott Guardians (2)
- Caldicott Guardians should document any advice offered, judgments or decisions made and the reasoning behind them, in the interests of transparency and accountability
- Emails and written communications are preferable to verbal conversations because they provide Caldicott Guardians with a clear, documented history, including how the Caldicott Principles have been considered, any advice given, how much information has been shared, and with whom
- The role of Caldicott Guardian can be combined with that of DPO so long as no conflict of interest arises
- However, the responsibilities of a Caldicott Guardian are not the same as those of a DPO, and the former will need detailed knowledge of the relevant law and the Caldicott Principles

Slide 26 of 41: Caldicott Principles
Principle 1: Justify the purpose(s) for using confidential information
Principle 2: Use confidential information only when it is necessary
Principle 3: Use the minimum necessary confidential information
Principle 4: Access to confidential information should be on a strict need-to-know basis
Principle 5: Everyone with access to confidential information should be aware of their responsibilities
Principle 6: Comply with the law
Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
Principle 8: Inform patients and service users about how their confidential information is used

Slide 27 of 41: CONSENT

Slide 28 of 41: Confidentiality and consent to disclose information
- Patient confidentiality is a professional obligation for all pharmacy professionals
- It is also an important aspect of maintaining good relationships with patients (trust)
- GPhC 'Guidance on Patient Confidentiality' provides a useful source of information
- Access to confidential information should occur with the consent of the patient
- However, there are some circumstances where consent is not needed (for example, the law requires the information, or it is in the public interest that the information is disclosed)
- Disclosure of information is a complex area and advice should be sought if there is any uncertainty about the legal situation
- GDPR consent applies to commercial activities (e.g. use of data for marketing purposes) rather than professional activities

Slide 29 of 41: Consent (1)
- The GDPR uses a definition of consent emphasising individual choice and 'ongoing control' over that consent
- The consent must be 'active' and cannot be silent, inactive or assumed
- The use of pre-ticked opt-in boxes on forms is prohibited
- Information must be provided on the right to withdraw consent and how to do this
- Consent, or explicit consent, is a lawful basis for processing personal data
- Consent as a lawful basis for data processing is not the same as consent for service provision (consent to the activity), e.g. providing a service in a pharmacy. Therefore you may need to get consent twice for some activities: consent to provide the service, and consent to process the data associated with the service

Slide 30 of 41: Consent (2)
- GPhC Standards for Pharmacy Professionals (Standard 1) includes 'Obtain consent to provide care and pharmacy services'
- GPhC 'Guidance on Consent' provides a useful source of further information
- Consent means 'express willingness, give permission, agree'
- There are two types of consent: explicit consent (which can be verbal or written) and implied consent
- Professional judgement and any service specifications should be used when deciding which type of consent to get
- Consent should be an active process rather than a passive or 'opting out' process
- Consent should be recorded when appropriate

Slide 31 of 41: Obtaining consent
For a person to give consent they must:
- have the capacity to do so
- be acting voluntarily
- have enough information to allow them to make an informed decision (including material risks)
- be capable of weighing up the information provided
Information provided should be clear, accurate and presented in a way the patient can understand. No assumption should be made about a person's level of knowledge. Patients should be given the opportunity to ask questions. In an emergency, if a person needs urgent treatment and consent cannot be obtained, then treatment can be given (unless there is a valid and applicable advance decision to refuse treatment).

Slide 32 of 41: Disclosures required by law
Certain people can request information about a data subject without the consent of the data subject:
- The police or another enforcement, prosecuting or regulatory authority
- A healthcare regulator
- An NHS counter-fraud investigation officer
- A coroner, judge or relevant court
The above do not have an automatic right to access information. The person who discloses the information should be satisfied that the reason for requesting the information is legitimate. See GPhC Guidance on Confidentiality for more information.

Slide 33 of 41: Disclosures made in the public interest
Confidential information may be disclosed without the consent of the data subject if it is in the public interest. This could include information that is required to prevent:
- a serious crime
- serious harm to a person receiving care or to a third party
- a serious risk to public health
The competing interests of maintaining confidentiality and the public-interest benefit of disclosing the information should be weighed, as should the likely consequences of not disclosing the information. Since this is a complex area, professional advice should usually be sought (e.g. from an indemnity insurance provider, union, professional body or independent legal adviser). See GPhC Guidance on Confidentiality for more information.

Slide 34 of 41: SUMMARY CARE RECORD

Slide 35 of 41: Summary Care Record (1)
The Summary Care Record (SCR) is a secure electronic patient record in England which is created from data extracted from patients' records held by their GP practice (NB other versions exist in Scotland, Wales and Northern Ireland). The SCR is one element of the National Care Records Service (NCRS).
The core SCR contains information on:
- Allergies
- Current medication prescribed by the GP
- Previous adverse reactions
The SCR may also contain additional information such as medical history, care plans, the patient's wishes/preferences and other information. Information on the SCR changes when information is updated or changed on the patient's medical record at their GP practice. Note that for pharmacy it is 'read only': information cannot be added or amended by the pharmacy. This may change in the future. Records should only be accessed where there is an appropriate clinical need and the information is needed to enhance the care of the patient.

Slide 36 of 41: Summary Care Record (2), Consent
- The patient must be asked to give their consent before their SCR is viewed
- This consent should be informed and explicit: the reason(s) why you want to access their SCR should be explained to the patient when you ask for consent, and they should be clearly asked if they give consent for their SCR to be viewed
- Patients who do not understand the term 'Summary Care Record' will need an explanation that you are accessing their GP records (in a limited form)
- Verbal consent is acceptable; there is no need for it to be written consent, but professional discretion should be used
- Ongoing consent (extended permission to view the SCR) may be useful in some cases, for example patients on repeat prescriptions who rarely visit the pharmacy (e.g. care home patients, housebound patients). In these cases the ongoing consent should be reviewed at regular intervals and clearly documented on the patient's PMR. Patients should be informed that they can withdraw this consent at any time
- There may be some scenarios where it is not possible to get patient consent to view the SCR (this is called 'emergency access'); professional discretion must be used in these cases, bearing in mind that the welfare of the patient is your prime concern. Clear records should be made in these cases

Slide 37 of 41: Summary Care Record (3), Practical uses
- Hospital pharmacy: useful in acute settings (e.g. A and E) and for medicines reconciliation when patients are admitted to hospital
- Community pharmacy: useful if the patient does not have a PMR at the pharmacy (e.g. emergency supply at the patient's request, or the sale of an OTC medicine, to check for any drug interactions or adverse reactions to newly prescribed medicines). Also useful for checking allergy status (e.g. when dispensing a Rx for a penicillin antibiotic). Useful for accessing information if the GP surgery is closed, and may be quicker than contacting the surgery when it is open!
- Access to the Summary Care Record (and any appropriate action) should be recorded in the patient's PMR
- Note that the SCR is a summary of medical information; it is not comprehensive (e.g. medicines prescribed by hospital clinics will not be included)
- Some patients have decided to 'opt out' of having an SCR (< 1% of the population)
- Finally, as use of the SCR becomes more widespread and part of standard pharmacy practice, not using the SCR (when appropriate) could lead to a claim of negligence, because using it will become an accepted 'duty of care'

Slide 38 of 41: Further information
- Guidance on Patient Confidentiality. Published by the GPhC. Revised June 2018.
- Guidance on Consent. Published by the GPhC. Revised June 2018.
- NHS Confidentiality Code of Practice: https://www.gov.uk/government/publications/confidentiality-nhs-code-of-practice
- Codes of practice for handling information in health and care: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care
- Professional indemnity organisations (e.g. the Pharmacy Defence Association) will be able to offer advice to members
- NHS information about the Summary Care Record: https://digital.nhs.uk/services/summary-care-records-scr
- NHS information about the National Care Records Service (NCRS): https://digital.nhs.uk/services/national-care-records-service
In practice, workplaces may also have their own guidance/protocols about confidentiality, and you may be asked to sign a confidentiality agreement as a condition of your employment.

Slide 39 of 41: Case Studies, what would you do?
1) The pharmacy is running a special offer on a new blood pressure machine. Your boss asks you to run a search on the PMR to identify all patients taking medicines for hypertension so that they can be sent details of the special offer.
2) A patient comes into your pharmacy with a private prescription. She is on holiday and lives in Scotland. Since it is unlikely she will ever come to your pharmacy again, she tells you that she does not want you to keep a PMR for her on your computer.
3) The same patient (above) overhears you asking your pre-registration pharmacist 'can you make a record of this prescription in the POM register?'. The patient becomes angry and says 'I told you I don't want any records being made of this prescription'.
4) A member of the pharmacy staff has heard that one of her friends is currently unwell and ill at home. She would like to send her a bunch of flowers as a get-well wish. However, she doesn't know her address, but she knows that she gets her medicines from this pharmacy. She asks you to find her address from her PMR record.

Slide 40 of 41: Further questions on Case 4
1) The member of staff is rather annoyed that you have refused her request and can't see what all the fuss is about; she thinks she is only being a good friend sending some flowers to someone who is ill. Whilst you are out of the pharmacy on your lunch break she decides to find her friend's address on the PMR. Later that day you are dispensing a prescription for the same patient and you notice that the PMR was accessed at lunchtime by the member of staff. What should you do?
2) The member of staff (above) is a pharmacy technician; does this make a difference to what you would do?

Slide 41 of 41: And finally...
In 2022 the ICO shared details about the incident types related to community pharmacies that had been reported, which included:
- loss/theft of paperwork, or data left in an insecure location
- data posted or faxed to an incorrect recipient
- data emailed to an incorrect recipient
- verbal disclosure of personal data
Commenting on this, David Reissner, chair of the Pharmacy Law & Ethics Association, said it is "concerning that there appears to be widespread ignorance, disregard or simply carelessness of data protection law". "Pharmacies handle the most sensitive data, and they should all have a data protection officer," he stressed.