The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 came into force on 25th May 2018. This represents an overhaul of data protection legislation and all organisations, including community pharmacy businesses, will need to take steps to ensure that they comply with it. PSNC, with other stakeholders, has worked to develop a range of guidance and resources to help pharmacy contractors to comply with the new legislation.
GDPR guidance documents
The following series of guidance documents has been created by the cross-sector Community Pharmacy GDPR Working Party (made up of PSNC, NPA, CCA, AIMp, RPS, CPPE and CPW) to assist community pharmacy contractors in working towards General Data Protection Regulation (GDPR) compliance.
Guidance for Community Pharmacy (Part 1): this should help contractors to understand the GDPR requirements, and it sets out the steps they will need to take to comply.
Guidance for Community Pharmacy (short version) (Part 2): this has been made available to assist with staff training.
Workbook for Community Pharmacy (Part 3): this contains a set of editable templates that contractors can use to show that they are meeting all the GDPR requirements.
- Update to the Workbook (published 18th May 2018) (new)
- Appendix for step 1: Data Protection Officer (DPO) – top tips and advice (new) – also see this news story
- Appendix for step 13: Model Data Protection Impact Assessment (DPIA) (new)
FAQs for Community Pharmacy (Part 4): this provides simple answers to key questions on the GDPR.
Getting to grips with GDPR (articles by PSNC’s Gordon Hockey) (Part 5): this has been developed as an alternative to additional FAQs.
The 13 steps – additional guidance
The Community Pharmacy GDPR Working Party wanted to make the path towards compliance a little easier, so they have broken down it down into 13 steps, as followed by the guidance and the workbook above. The steps are set out in the form of a mnemonic – DATAPROTECTED – to help you to remember them. Related articles (by PSNC Director of Operations and Support Gordon Hockey) that provide more detail are linked to each step.
- Decide who is responsible
- Action plan
- Think about and record the personal data you process
- Assure your lawful basis for processing
- Process according to data protection principles
- Review and check with your processors
- Obtain consent if you need to
- Tell people about your processes: the Privacy Notice
- Ensure data security
- Consider personal data breaches
- Think about data subject rights
- Ensure privacy by design and default
- Data Protection Impact Assessment
On 4 May 2016, the GDPR was published in the Official Journal of the European Union and officially came into force on 24 May 2016.
There is a two year implementation period and therefore, the GDPR will only be applicable from 25 May 2018. Perhaps the most seismic overhaul of data protection in the last 20 years, the implementation phase will allow organisations the opportunity to plan and prepare their strategy on how to comply with the GDPR.
More background information is available on the European Commission’s website.
What are the major (non-exhaustive) changes?
Increased fines for breach of obligations
The Information Commissioner’s Office (ICO) have greater powers to impose monetary fines– with maximum fines as high as €20 million euros (equivalent to about £17.9 million) for breaches of GDPR obligations. Previously, the ICO had powers to fine organisations up to £500,000.
Data Breach Notification
Under the GDPR data controllers will need to notify the supervisory authority (in the UK this is likely to be the ICO) of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. Where a notification is not made within 72 hours, reasons for the delay will need to be provided.
Data Protection Officers (DPO)
The GDPR will require some organisations to designate a DPO, for example, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to ensure that a named individual in pharmacy business, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively. Pharmacy contractors will be familiar with the requirement to have a Pharmacy Information Governance Lead (see Requirement 114) and should consider whether the designation of a DPO is required and, if so, to assess whether the current approach to data protection compliance satisfies GDPR’s requirements.
Greater control for data subjects
Data subjects which include any living person whom the pharmacy holds / processes personal data on have the “right to erasure” also known as the “right to be forgotten”. This gives patients the right to direct the Data Controller – the pharmacy – to erase any of their personal data in certain situations.
Data Protection Officer (DPO)
To meet the DPO requirement, contractors can either appoint a member of staff or an external person, perhaps shared with other community pharmacies locally.
The DPO may be a pharmacist or another suitable person with knowledge of the particular community pharmacy and ‘expert’ knowledge of data protection and the GDPR and associated legislation, as this relates to that community pharmacy. The DPO is primarily an advisory role, although the DPO’s name is stated on the Privacy Notice and, therefore, may be the first person to be contacted by patients about data protection issues and data subject rights. The DPO must not be a person who decides the purposes and means of processing, the person who decides the operational issues on data flows.
The Community Pharmacy GDPR Working Party has issued DPO guidance for contractors and the National Pharmacy Association has agreed to lead on the issue for its members.
NHS England and NHS Digital’s Information Governance Alliance (IGA) are providing support on meeting the GDPR’s requirement for smaller primary care providers. As part of this work, NHS England has said:
“Regarding the DPO role, the ICO are sympathetic to the position that small community pharmacies find themselves in. Their advice was that when a Pharmacy Manager (or other staff member) becomes a DPO, the decision and the reasons behind it should be documented and this retained as part of the ‘accountability’ that the GDPR requires. They also said, where possible, that any conflicts of interest between a person’s current role and that of the DPO should be recorded along (and again where possible) with any mitigating measures to reduce or even eliminate such conflicts. Where they have to deal with a small public authority with the requirement for a DPO to be appointed, they intend to be as pragmatic as they can be.”
System (PMR) supplier data processing information now available
The main Processors for community pharmacies will be:
- your PMR supplier and the aggregator (usually by the PMR supplier) which together transfer prescription data from the community pharmacy to the NHS; and
- any organisation that provides data capture and reporting systems (such as PharmOutcomes, Sonar Informatics, Healthi or Webstar Health).
Some processors have provided some assurances on their websites:
|Pharmacy system supplier||GDPR website information|
|Analyst (Positive Solutions)||https://www.positive-solutions.co.uk/2018/04/06/general-data-protection-regulation-gdpr-comes-effect-25th-may-2018/|
|Pharmacy Manager / Nexphase / Healthi (Cegedim Rx)||https://info.cegedimrx.co.uk/gdpr-and-your-business-may-2018-v1.1|
|ProScript LINK/Connect (AAH)||https://celesio.co.uk/gdpr/|
|Proscript systems (EMIS)||https://www.emisgroupplc.com/news-and-media/news/emis-group-and-gdpr-general-data-protection-regulation/|
|RxWeb (Clanwilliam Health)||https://www.rxweb.co.uk/news/rxweb-gdpr|
|Sonar (Sonar Informatics)||https://www.sonarhealth.org/london-vacc/privacy-and-cookies|
|Webstar Health (CegedimRx)||https://info.cegedimrx.co.uk/webstar-gdpr-and-your-business-may-2018|
What more can I do to prepare?
The ICO has published, ICO Guidance—Preparing for the General Data Protection Regulation (GDPR): 12 steps to take now, but is expected to provide further guidance throughout the implementation period and once the GDPR is applicable.
NHS European Office (part of NHS Confederation) have also produced a briefing to help prepare commissions, hospitals and other health and care providers for the main changes that can be expected which pharmacy contractors may find helpful.
Pharmacy contractors are encouraged to consider and familiarise themselves with obligations under the GDPR to determine any compliance gaps in need of addressing in their standard operating procedures and other policies for GDPR compliance.
Getting to grips with GDPR articles
This series of articles, written by PSNC Director of Operations and Support Gordon Hockey, has been developed to provide further support for contractors and accompanies the GDPR guidance and contractor workbook. All articles have now been published.
GDPR compliance webinar
PSNC held a webinar about the General Data Protection Regulation (GDPR) for community pharmacies in April 2018.
During the webinar PSNC Director of Operations and Support, Gordon Hockey, explained what the GDPR means for the average pharmacy business, outlined the steps contractors will need to take to comply, and highlighted the templates that PSNC has developed as part of the cross-sector GDPR working group.
Q. What about Brexit?
On 24 June 2016, the UK voted to leave the European Union.
On 14 July 2016, the Financial Times reported that David Davis, Secretary of State for Exiting the European Union’s confirmed that the UK’s formal departure from the EU should be “around December 2018”.
Therefore, at present, the position remains unchanged – the GDPR will apply to the United Kingdom from 25 May 2018. It may be that any EU law not implemented as UK national law but which takes effect in the UK as a result of the UK’s EU membership, such as the GDPR, may no longer apply post-Brexit depending on the terms of the negotiated agreement to leave the EU – the position is likely to become clearer as the UK approaches closer to formally leaving the EU.
Q. Isn’t there something coming out of the EU on cyber security?
Yes. On 6 July 2016, the European Parliament formally adopted new rules to step up the security of network and information systems across the EU.
The Network and Information Security (NIS) Directive will increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers. Essential services operators are active in critical sectors such as energy, transport, health and finance. Digital services cover online marketplaces, search engines and cloud services.
The requirements will be stronger for essential operators than for digital service providers. This reflects the degree of risk that any disruption to their services may pose to society and the economy.
Each EU country (the UK currently one of these) will also be required to designate one or more national authorities and set out a strategy to deal with cyber threats.
In August 2016, NIS came into force which started the 21-month countdown for the UK to implement the Directive into national law (around May 2018) and 6 months more (around November 2018) to identify operators of essential services.
Please also see the FAQs document in the ‘key PSNC resources’ section.
The Information Commissioner’s Office (ICO) website is invaluable. ICO is a non-governmental body sponsored by the Ministry of Justice and is responsible for the regulation of freedom of information and protection of personal data.