Guidance for community pharmacists to comply with the forthcoming General Data Protection Regulation (GDPR) has been published by the Pharmaceutical Services Negotiating Committee (PSNC).
The guidance covers 13 steps to full compliance, from assigning a responsible person through to processing information according to data protection principles, and performing a data protection impact assessment.
The GDPR is European Union (EU)-wide legislation that comes into force on 25 May 2018, and replaces the Data Protection Directive 95/46/EC. It applies to all companies processing personal data and aims to protect EU citizens from breaches of privacy and personal data. It will continue to apply after Brexit.
Pharmacist contractors will need to demonstrate compliance with data protection principles contained in the legislation, including appropriate record keeping; providing a privacy notice to customers whose personal data is collected; and having data protection guarantees in place with anyone who processes personal data for the pharmacy, such as a patient medication record supplier.
The guidance is available in both full and shortened versions. A set of FAQs is also available, covering issues including the principles of data protection, data subject (i.e. patient) rights, and security and data breaches. Key definitions in the GDPR are provided in the FAQs.
The PSNC guidance was developed with the Community Pharmacy GDPR Working Group, which includes the Royal Pharmaceutical Society (RPS); Community Pharmacy Wales; the National Pharmacy Association; Company Chemists Association; the Association of Independent Multiple Pharmacies and the Centre for Postgraduate Pharmacy Education.
The RPS’s Essential Guide to the GDPR was published in June 2017.
The PSNC and the NPA have written an open letter to the government.asking for exemption from a section of the GDPR-accompanying Data Protection Bill which would require community pharmacies to put in place a data protection officer.
The letter, also signed by representatives from the British Dental Association, and the Optical Confederation, says the costs and high burden of red tape that would come with these rules would be disproportionate to the benefits.
Figures cited in the letter suggest the cost of hiring a private company to provide a data protection officer for a small business could be as high as £11,000 for the first year.
They point out that the Bill currently designates all primary care providers – including community pharmacies – to be public authorities, and as such under the new rules they must appoint a data protection officer, regardless of their size.
But the letter argues that GDPR itself only requires a data protection officer for an organisation processing healthcare data on a large scale, and it calls for urgent amendments before the Bill is passed into law to help protect smaller NHS primary care providers from this ‘unreasonable and unnecessary burden’.