ICO report warns pharmacies about data protection breaches

Losing confidential personal data when transferring patient records is one of the data protection breaches committed by community pharmacists, according to the Information Commissioner’s Office’s good practice department.

Shelves of patient records

Loss of data in transit is one of the most common data protection breaches by community pharmacists, according to a report by the Information Commissioner’s Office (ICO).

The report, ‘ICO work relating to community pharmacies’,published on April 7 2017, also highlights concerns over the lack of ongoing training — especially for smaller pharmacies — and incomplete information on community pharmacy websites about how personal data is used.  

The results — based on an ICO review of all cases, concerns and complaints received on possible breaches of the Data Protection Act by community pharmacies over the past three years — come as the profession is expanding the provision of clinical services and therefore increasing the amount of confidential data it handles.

The researchers found that some pharmacies did not have proper procedures in place for removing personal data from their premises. “Records on sites are generally stored in a range of files, box files and cardboard boxes depending on the branch.

“While details were not provided, loss of data while in transit remains one of the most common breaches likely to lead to significant reputational damage or fines,” they say.

“With the expansion of services being offered by the community pharmacy sector it is important that the basics are successfully implemented to provide a strong platform for growth and expansion,” they add.

The report also highlights inconsistencies, stating that “it was rare for an organisation to be consistently successful in all the areas looked at”.

“Ongoing training was one of the hardest to execute successfully in smaller settings where resources may be more limited,” it says. “Another issue was that fair processing notices on pharmacy websites often only dealt with how that website uses information, rather than how the organisation as a whole uses it.”

The ICO also approached the General Pharmaceutical Council, National Pharmacy Association, Pharmacy Voice, Community Pharmacy Scotland, Community Pharmacy Wales, and the Pharmaceutical Society of Northern Ireland for assistance in working with the sector.

The results of an online questionnaire of community pharmacy staff carried out between August 2016 and September 2016 were also used to inform the report.

Commenting on the findings, Martin Astbury, community pharmacist and president of the Royal Pharmaceutical Society, says: “It is great to see such a positive report about data protection in community pharmacies. In my own experience, I have always found it taken seriously by pharmacists, their teams and, of course, patients too.  It is vital we maintain our patients’ confidence in our systems in order to keep a bond of trust with them. 

“There’s no room for complacency, however, and issues such as keeping staff up to date on data protection, regular training to cope with staff turnover and updating systems where necessary are all essential to creating high quality data protection,” he adds.

The ICO is an independent UK regulator which ensures that organisations comply with the Data Protection Act 1998 and promotes good practice in the handling of information.

Last updated
The Pharmaceutical Journal, PJ, May, Vol 298, No 7901;298(7901):DOI:10.1211/PJ.2017.20202771

You may also be interested in