From handwritten prescriptions to confidential medical histories and home addresses, pharmacies are custodians of highly sensitive personal information. The Information Commissioner’s Office (ICO) reveals that the healthcare sector is a prime target, accounting for a staggering 44% of all reported data breaches.
Adding to this urgency is the General Data Protection Regulation (GDPR), which came into force on May 25, 2018, under the Data Protection Act 2018. This regulation introduces stricter legal frameworks and increased obligations for anyone involved in collecting and processing personal data, aiming to provide greater protection for individuals. For pharmacists, pharmacy professionals, and business owners, GDPR carries significant weight, transforming existing professional responsibilities into a technical landscape demanding meticulous attention to detail and continuous adherence.
The rise of data breaches in pharmacy
Recent high-profile incidents have placed pharmacies firmly in the spotlight regarding their data security practices. A Trustwave report suggests that on the black market, a healthcare data record could fetch as much as £200, which is considerably more than the roughly £4.30 you might get for the next most valuable record, a payment card.
GDPR fines within the healthcare sector continue their upward trajectory. A stark example is Doorstep Dispensaree Ltd, the pharmacy that was fined £275,000 by the UK’s Information Commissioner’s Office (ICO). This penalty was issued because the pharmacy failed to ensure the security of special category data, specifically leaving approximately 500,000 documents containing patient information in unlocked containers at the back of its premises. The documents, some of which were damaged, included names, addresses, dates of birth, NHS numbers, medical details, and prescriptions dating back to June 2016. Consequently, the ICO’s investigation concluded that this careless storage constituted a failure to process data securely under the General Data Protection Regulation (GDPR), and thus warranted the significant fine.
The message is clear: GDPR compliance is not optional for pharmacies; it is a fundamental responsibility that goes beyond patient care. To avoid becoming the next cautionary tale in healthcare and GDPR news, proactive measures are essential.
Key definitions of GDPR in pharmacy
To effectively navigate GDPR, it’s essential to grasp the following core definitions:
- Personal Data: Any information that relates to an identified or identifiable person (the “data subject”).
- Data Controller: The entity (in the case of a pharmacy, the pharmacy owner) that decides what personal data will be processed and how.
- Data Processor: Any individual or organisation (including pharmacy employees and locums who handle data) that processes personal data on behalf of the data controller.
- Processing: A broad term encompassing any operation performed on personal data, including collection, recording, organisation, structuring, storage, retrieval, consultation, use, and disclosure.
Top practices of pharmacy GDPR compliance
Given the escalating threat of data breaches in the pharmaceutical industry, implementing data protection strategies is no longer a choice; it is a necessity. Adhering to these best practices will safeguard sensitive patient information and ensure compliance with GDPR regulations:
Designate and train a Data Protection Officer (DPO)
The Pharmaceutical Services Negotiating Committee (PSNC) strongly advises community pharmacies to appoint a dedicated and well-trained Data Protection Officer. This individual will be responsible for overseeing data protection compliance within your pharmacy.
Review and document your data processing
Conduct a thorough audit of all the personal data your pharmacy holds. For each category of data, establish and clearly document the lawful basis for its processing. For data derived from prescriptions (both NHS and private), relying on the necessity of processing to comply with a legal obligation is generally sufficient and should be documented.
Implement a data retention policy
Establish clear policies outlining how long different types of patient data will be retained. These policies should include regular reviews to determine if the continued retention of data remains justified (e.g., in cases of patient death or cessation of pharmacy use).
Monitor and control data access
Implement systems to monitor who accesses patient data and ensure that any inappropriate usage is promptly identified and addressed. Only individuals who require access to patient data to perform their specific duties related to a patient’s care should be granted that access.
Educate and train your pharmacy’s staff
Update your website with a clear and accessible privacy policy and ensure that every member of your team who handles patient data is acutely aware of the importance of patient confidentiality and the new legal requirements under GDPR. Highlighting the potential penalties for data breaches can further reinforce the significance of compliance.
Practical “Dos and Don’ts” for pharmacy GDPR
Here are some actionable steps to implement within your pharmacy:
Dos:
- Keep all prescription forms in secure locations, away from public view.
- Double-check consultation rooms to ensure no patient information is visible before inviting another patient in.
- Continuously emphasise the importance of data protection and patient confidentiality to all staff.
- Clearly explain that patient data can only be accessed for reasons directly related to the patient’s care and on a strict need-to-know basis.
Don’ts:
- Allow patient data to leave the pharmacy premises without a clear understanding of its destination and assurance that the recipient understands the importance of confidentiality.
- Call out patients’ addresses or ask for address confirmation in public areas. If names must be called, request address confirmation in a private setting.
Understanding the lawful basis for processing
Having a lawful basis for processing personal data is a cornerstone of GDPR. While several options exist, those most relevant to pharmacies include:
- Legal Obligation: Processing is necessary to comply with a legal requirement (e.g., maintaining patient medication records for dispensed prescriptions). This is often the most suitable basis for prescription-related data.
- Public Interest: Processing is necessary for the performance of a task carried out in the public interest (e.g., providing healthcare services).
- Legitimate Interests: Processing is necessary for the legitimate interests pursued by the pharmacy owner (e.g., processing data for non-NHS services in the interest of patient care). However, this basis is not applicable to NHS services.
- Consent: The patient, as data subject, must provide explicit consent for a specific purpose through an active opt-in, because consent cannot be implied or given by default. When consent is obtained, the pharmacy will be under an obligation to provide information to patients, including their right to withdraw consent. Withdrawing consent should be just as easy for them as giving it in the first place; if this isn’t the case, the consent is not valid. The previous common practice of obtaining patient consent through website and app terms and conditions, where clicking “accept” or proceeding implied agreement to multiple data uses, is no longer valid. Valid consent now requires patients to actively opt in and provide individual agreement for each specified purpose. For example, for services like SMS or email reminders, instead of automatic enrolment, a separate form or a clear section of the patient information sheet should include a statement like “Would you like to receive text message or email reminders about your medication refills? (Please tick the box if yes)”, clearly stating the purpose as “sending refill reminders”.
It is crucial to document the chosen lawful basis for each type of data processing your pharmacy undertakes.
Upholding patients’ rights in your pharmacy
Under GDPR, patients have several rights that your pharmacy must respect and facilitate. These rights must be clearly communicated to patients at the time their data is collected, using clear and easily accessible language. These rights include:
- The right to be informed about the processing of their data.
- The right to access their data free of charge.
- The right to erasure (“right to be forgotten”) of their data under certain circumstances.
- The right to withdraw consent if consent is the lawful basis for processing.
Maintaining continuous compliance
GDPR compliance is not a one-time task but an ongoing process. Your pharmacy should:
- Regularly review the data it holds.
- Assess whether the data is still necessary for the original lawful purpose.
- Securely delete data that is no longer required.
- Monitor who is accessing which data and audit access logs for any potential irregularities.
- Report any data breaches, regardless of severity, and notify the ICO within 72 hours if the breach is likely to pose a risk to individuals’ rights. High-risk breaches must also be communicated to the affected individuals.
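The need-to-know rule under “Monitor and control data access” and the audit of access logs in the list above can be checked mechanically. The script below is an added example, not part of the guidance or any pharmacy system: it assumes a constructed access log and a constructed table of which staff member is currently dispensing for which patient, and flags accesses with no care relationship and bursts of record access (the burst threshold is an assumed tuning value).

```python
# Added example: need-to-know audit over constructed PMR access-log lines.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed care relationships: staff member -> patient record ids they are
# dispensing for. In practice this would come from the dispensing system.
CARE_RELATIONSHIPS = {
    "pharmacist.ali": {"P001", "P002", "P003"},
    "tech.jones": {"P002"},
    "locum.smith": {"P003"},
}

# Constructed access-log lines: timestamp, user, patient record id, action.
ACCESS_LOG = """\
2024-03-04T09:02:11 pharmacist.ali P001 view_prescription
2024-03-04T09:05:40 tech.jones P002 view_address
2024-03-04T09:06:02 tech.jones P001 view_medical_history
2024-03-04T10:15:00 locum.smith P003 view_prescription
2024-03-04T11:00:00 locum.smith P004 view_address
2024-03-04T11:00:30 locum.smith P005 view_address
2024-03-04T11:01:10 locum.smith P006 view_address
"""


def parse_log(text):
    """Parse one access record per line into (timestamp, user, patient, action)."""
    records = []
    for line in text.splitlines():
        ts, user, patient, action = line.split()
        records.append((datetime.fromisoformat(ts), user, patient, action))
    return records


def audit_access(records, care_rel, bulk_threshold=3, window=timedelta(hours=1)):
    """Return findings: need-to-know violations and bursts of record access.

    bulk_threshold and window are assumed tuning values, not figures from the guidance.
    """
    findings = []
    per_user = defaultdict(list)
    for ts, user, patient, action in records:
        # Access to a record for a patient the user is not caring for breaches need-to-know.
        if patient not in care_rel.get(user, set()):
            findings.append(("no_care_relationship", user, patient, action))
        per_user[user].append((ts, patient))
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Count distinct records opened within one window starting at this access.
            seen = {p for ts, p in hits[i:] if ts - start <= window}
            if len(seen) >= bulk_threshold:
                findings.append(("bulk_access", user, f"{len(seen)} records within {window}", ""))
                break
    return findings
```

Each finding is a candidate for the DPO to review against the dispensing record before it is treated as an incident.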
Conclusion
To help community pharmacies comply with the GDPR, the cross-sector Community Pharmacy GDPR Working Party (comprising Community Pharmacy England, NPA, CCA, AIMp, RPS, CPPE, and CPW) has developed the following guidance documents.
By understanding your obligations and fostering a culture of data protection within your pharmacy, you can safeguard your patients’ privacy, maintain their trust, and avoid the serious repercussions of GDPR non-compliance. Don’t wait for a breach to occur; take proactive steps today to ensure your pharmacy is on the right side of data protection law.