General Data Protection Regulation: Update for Contractors

General Data Protection Regulation: Update for Contractors

February 27, 2018

Community pharmacy contractors should be aware that the General Data Protection Regulation (GDPR) is approaching – all organisations must comply with the GDPR by 25 May 2018.

The GDPR and the UK data protection legislation that will accompany it represent an overhaul of data protection legislation and all organisations, including community pharmacy businesses, will need to take steps to ensure that they comply with it.

PSNC, with other stakeholders, is developing a guidance toolkit which will help community pharmacy contractors to comply with the regulation.

The guidance should be ready by the end of March and it will set out the steps that contractors need to take to comply with GDPR, as well as providing templates for contractors to use, and answering key FAQs.

We are working on the guidance with the Community Pharmacy GDPR Working Group which includes the NPA, CCA, AIM, CPPE and RPS, and are liaising with the Information Commissioner’s Office (ICO) and NHS England.

PSNC will hold a webinar to talk contractors through the guidance once it has been issued, allowing people to see what needs to be done and ask any questions.

Contractors are asked to sign up to PSNC’s emails to ensure that they are notified as soon as the guidance becomes available. Sign up at:

Further information on the GDPR and changes for pharmacy

Background information on the GDPR is available on PSNC’s website and detailed information is available from the websites for the Information Commissioner’s office and NHS Digital’s Information Governance Alliance (IGA).

A key message from the Information Commissioner’s Office has been that the GDPR brings evolutionary rather than revolutionary change; broadly, it makes mandatory what is already best practice.

The changes for community pharmacies will include:

* The need to demonstrate compliance with data protection principles and take other proactive steps for compliance including certain record keeping.

* The need for a Fair Processing Notice to explain to data subjects how you process their data – what many are calling a Privacy Notice.

* The need to ensure you have appropriate agreements with those who process personal data for you or those whose personal data you process.

Most community pharmacy processing of personal data will be lawful under the category of necessary for the performance of ‘a task carried out in the public interest’ or ‘a contract’ or ‘compliance with a legal obligation’ (i.e. not the category of consent) and, because data concerning health is a special category of data, its processing must also be necessary for an additional specified reason, generally for ‘the provision of health or social care or treatment or the management of health or social care systems and services’.

If you process personal data by consent (e.g. for direct marketing), the consent you have from data subjects must be GDPR compliant and you must have a record of that consent (before 25 May 2018 for existing data subjects).

The most problematic issue for community pharmacy is the Data Protection Officer (DPO). The GDPR and associated legislation set out who must appoint a DPO and the role of the DPO; broadly he or she advises one or more organisations on data protection issues. It may be that all pharmacy contractors will have to appoint a DPO, or, it may be that only those that process data concerning health on a ‘large-scale’ will have to appoint a DPO. (There is no clear definition of large-scale.) PSNC is working with other pharmacy and primary care organisations to try to limit the number of contractors who must appoint a DPO and, if this is unsuccessful, to ensure the guidance on DPOs is applied pragmatically to community pharmacy.

Posted in: , ,

More Latest News >

Reminder: End of January payment

Community pharmacy contractors are reminded that, due to changes that came into effect with the November 2018 Drug Tariff, they...

Ask PSNC: Quality Payments FAQs

The team at PSNC has received a number of queries on the Quality Payments Scheme. Below are some of the questions asked in recent weeks....