As you will know, the 21st century requires us all to regularly grant permission for our personal information to be used for a variety of purposes in exchange for 'free' services, leaving us wide open to misappropriation and misuse of our personal data.
Until now, data has been protected by the Data Protection Act 1998, which was brought into law to implement the 1995 EU Data Protection Directive. The GDPR now replaces the Data Protection Act 1998. It seeks to give people more control over how organisations use their data and introduces hefty penalties for organisations that fail to comply with the rules, including those whose failure to secure data leads to a breach. It also ensures that data protection law is almost identical across the EU.
Adrienne Clugston, Operations Manager at the Ulster Chemists' Association, provides PiF with a comprehensive guide to the GDPR.
What is GDPR?
The General Data Protection Regulation (GDPR) comes into force in the UK on 25 May 2018. It has been introduced to strengthen existing data protection law in light of several high profile and serious breaches of people's personal data in recent years, including those at Yahoo, eBay, Uber and, most recently, Facebook.
The new law provides a consistent data protection framework with enhanced rights for individuals and greater accountability and transparency. The GDPR applies to personal data, and data controllers and processors face several tasks to ensure their business is compliant with the new regulation.
The GDPR applies to all businesses regardless of size, and community pharmacies are not exempt. It is also unlikely to be affected by Brexit. There is no bedding-in period: all businesses are expected to be compliant by 25 May 2018.
Key definitions
What is a data subject?
An individual, living (or natural) person to whom the data relates.
What is personal data?
- Information relating to an identified or identifiable natural person, i.e. information or data that can identify an individual, directly or indirectly.
- Identifiers include a name, an identification number, location data, an online identifier, or factors specific to the person's physical, physiological, genetic, mental, economic, cultural or social identity.
What is sensitive personal data?
Data which reveals an individual's race or ethnicity, political opinion or affiliation, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life or orientation, or genetic or biometric information (the GDPR calls these the 'special categories' of personal data). In other words, data which could be used to discriminate against an individual.
What is data processing?
Any operation performed on personal data: collecting, recording, storing or holding it, as well as sorting, analysing, disclosing or deleting it.
What is a data controller?
A controller determines the purposes and means of processing personal data.
- Where a business uses a data processor, the GDPR places further obligations on the data controller to ensure that its contracts with processors comply with the GDPR.
What is a data processor?
- A processor is responsible for processing personal data on behalf of a controller.
- If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
An individual business may use an external processing company or appoint a separate data controller and processor.
What is a Data Protection Officer?
The GDPR introduces a duty for public authorities to appoint a data protection officer (DPO). In its recent letter to local contractors, the Health and Social Care Board (HSCB) confirmed that all community pharmacies are considered to be public authorities, since they are NHS-funded primary care providers.
DPOs assist an organisation to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
The DPO must be independent, an expert in data protection, adequately resourced, and must report to the highest management level.
A DPO can be an existing employee or externally appointed. In some cases, several organisations can appoint a single DPO between them.
Community Pharmacy Northern Ireland (CPNI) is backing PSNC, which is leading a challenge to this aspect of the GDPR in an attempt to create an exemption for small pharmacy businesses for which the cost would be disproportionate and unreasonable.
What is a data breach?
'The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.'
Examples include a computer system being hacked, papers containing personal data being stolen or left on the bus, records being destroyed within their retention period, HR records left on a desk and viewed by employees, and confidential email addresses disclosed to others by being placed in the 'To' field rather than 'Bcc'.
Six principles of GDPR
Personal information (data) must be:
- processed lawfully, fairly and in a transparent manner
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary for the purpose for which they are processed
- accurate and up to date where necessary and inaccuracies rectified as quickly as possible
- kept (or kept in a form which permits identification of individuals) for no longer than is necessary
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Note that the data controller is responsible for, and must be able to demonstrate, compliance with these principles (the 'accountability' principle).
Six lawful bases for processing personal data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual's personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)
What to do if you suffer a data breach
Under the GDPR there is a duty on all organisations to report certain types of personal data breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where feasible. A breach must be reported unless it is unlikely to result in a risk to individuals' rights and freedoms.
If the breach is likely to result in a high risk to individuals' rights and freedoms, you must also inform those individuals without undue delay.
You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision making about whether you need to notify the relevant supervisory authority and the affected individuals.
You must also keep a record of any personal data breaches, regardless of whether you are required to notify. For pharmacies, you must also inform HSCB if you suffer a suspected or actual data breach, by contacting your local pharmacy advisor.
When reporting a breach, you must provide:
- a description of the nature of the personal data breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of records affected;
- the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
- a description of the likely consequences of the personal data breach; and
- a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
In the event of an information loss or breach, it is vital that you have robust policies and procedures in place to manage the incident effectively. You should assess the breach as soon as possible so that you can recover any data lost and stop any further loss or disclosure.
Your policy should also cover the steps to investigate how the breach occurred, so that you can learn from it and improve your processes for the future.
Rights of data subjects
The GDPR introduces improved rights for individuals regarding the information that you may hold about them:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- rights related to automated decision-making and profiling
Privacy statements
Your business should have a data protection policy and processes to ensure compliance with the GDPR principles. A privacy statement or notice must be provided to individuals setting out how you collect data, store it and use it, and the lawful basis on which you rely. The privacy notice should also provide details of data subjects' rights and how to contact the organisation with a complaint or query regarding their data.
The notice should use clear, concise language that is easily understood by adults and children.
What you need to do NOW
The Information Commissioner's Office (ICO) recommends you take twelve steps to comply with the GDPR:
- Awareness – ensure that all key decision makers in your business are aware of the GDPR and their responsibilities.
- Information you hold – do a data audit to ascertain and record what personal data you hold, including human resource records, patient data, financial data, etc. Identify the lawful basis for holding or processing that information, how you keep it secure, who you share it with and how long you keep it.
- Communicating privacy information – review and update privacy notices in line with the GDPR.
- Individuals’ rights – review your policies to ensure that you are upholding individuals’ rights including how you delete information or provide information to a data subject.
- Subject access requests – review your procedures for handling information requests under the new guidelines.
- Lawful bases – review your data and identify the lawful basis for processing it, updating your privacy notices as appropriate.
- Consent – review how you seek, record and manage consent and update if necessary.
- Children – where you offer services to children, you may need to put systems in place to verify individuals’ ages and to obtain parental consent for data processing activity.
- Data breaches – ensure your procedures cover detection, reporting and investigating a personal data breach.
- Data Protection by Design and Data Protection Impact Assessments – familiarise yourself with the ICO’s code of practice on privacy impact assessments as well as the latest guidance on how and when to implement them in your organisation.
- Data Protection Officers – designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements.
- International – if your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. The Article 29 Working Party guidelines on identifying a lead supervisory authority, which the ICO publishes, will help you do this.
Staff training
It is important that all staff understand the principles of data protection, what is considered a breach, their duties in relation to data protection and the consequences of a breach.
As with health and safety, we all have a part to play in our organisations to ensure that personal and sensitive data is protected, so providing staff awareness training should be a priority.
Data audit
Start by documenting all personal data you hold and consider how you hold it, how you secure it, how you process it, the lawful basis for processing it, the retention period (bearing in mind the legal retention periods laid down in Good Management, Good Records, available on the Department of Health website) and how you destroy records when appropriate.
This will make it much easier to manage the personal data you hold, reply to subject access requests and ultimately ensure you comply with the GDPR.
Support available
UCA will be providing ongoing support on the GDPR, including staff training. CPNI is currently working on guidance documents specifically for community pharmacies in Northern Ireland, with step-by-step workbooks to guide you through the process.
A GDPR seminar will be held on 19 April in the Hilton TemplePatrick for contractors and personnel involved in governance and GDPR compliance.
Pharmacy owners should be starting to review their current data protection arrangements to ensure they comply, particularly as the GDPR carries far greater enforcement penalties than the current law.
Business owners will need to identify a lawful basis for processing employee data other than consent (for example, contract or legal obligation), as consent obtained in an employee's contract is unlikely to be freely given and is therefore unlikely to be effective under the GDPR. You should also ensure that you have a data breach response plan, as the GDPR makes breach reporting mandatory.
How do I get ready for GDPR?
Pharmacy contractors are encouraged to familiarise themselves with their obligations under the GDPR and to determine any compliance gaps in their standard operating procedures and other policies that need addressing before the GDPR goes live.
In summary, you will be required to:
- read through the information on getting ready for the GDPR at https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment/getting-ready-for-the-gdpr/, identify areas of concern and put together an action plan.
Step 1 – Hold a staff meeting to discuss with them the importance of data protection and how the new regulation could significantly impact your business should there be a breach.
Step 2 – Check who in your team currently has access to patient information and identify if and how this data is being used.
Step 3 – Nominate a person in the pharmacy who can take responsibility for compliance. There is a wealth of information available on the GDPR; challenge them to read up on the requirements and build a plan for you to review.
Step 4 – Assess all documentation in the pharmacy, including paperwork that may contain patient information such as MUR/NMS/DMR/MYM/CMS forms, any vaccination service forms or paperwork, and records of any other healthcare services provided where personal data is likely to be recorded.
Step 5 – Agree who in the team has permission to access paperwork, ensure all paperwork in the pharmacy is secured, and make sure members of the team are clear on who has access to this information. Authorised access to information should be recorded in the pharmacy, and such information must not be shared with unauthorised personnel.
Step 6 – Assess all mechanisms you have in place to communicate with your patients and ensure you give them the ability to opt in, rather than having to opt out, to communication with your pharmacy and the pharmacy team. Such communications could include, but are not limited to, email, SMS (text messaging), social media, websites, letters and leaflets.
Step 7 – Develop an SOP for the pharmacy that outlines processes around data protection, so that there is no ambiguity.
Step 8 – Review your data breach response plan. If you do not currently have a policy, ensure you have one in place for when the regulation takes effect.
Step 9 – Conduct a full review of the data you hold and ensure that patient information is erased where it is no longer required or necessary for your business. This is a critical element of the GDPR.
Step 10 – Regularly review your processes, policies and procedures, and ensure your induction process covers the GDPR for new members of staff.
The GDPR can be a minefield; however, it is important that you understand the importance of data protection and the implications should it be breached.
We have developed a series of training modules on the Numark training platform around data protection suitable for the whole pharmacy team including:
- Legal advice: moving patient data
- Legal advice: whose data is it anyway?
- Understanding the Data Protection Act
- Counter excellence – data protection
We are also developing a range of support to make compliance, and the processes involved, as straightforward as possible. From April we will have template policies including:
- Retention of records policy, along with a retention and disposal schedule
- Data breach register and notification procedure
- Subject access request record
- Consent procedure
Staff training modules will cover:
- What is the GDPR?
- Principles of the GDPR
- Rights of data subjects
- Reporting incidents