GDPR Action Needed: Appointing a Data Protection Officer
May 10, 2018
PSNC is now advising community pharmacy contractors to start making plans to appoint a Data Protection Officer (DPO), because it is likely that the UK Data Protection Act 2018 will require this.
Yesterday (9th May) the Minister for Digital and the Creative Industries, Margot James MP, told the House of Commons that as primary care providers “process sizeable quantities of sensitive health data” then they should have “a single point of contact on data protection matters”.
This followed campaigning by PSNC, the NPA and other primary care representatives, working with some MPs, to try to secure an amendment to the draft UK data protection legislation which would have meant that smaller pharmacies did not necessarily need to appoint a DPO.
Therefore, whilst in the Guidance for Community Pharmacy (Part 1), we advised that community pharmacies ‘may also need to appoint a DPO’, PSNC must now advise that all contractors appoint a DPO as part of their journey towards compliance with the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018.
Selecting a DPO
To meet the DPO requirement, contractors can either appoint a member of staff or an external person, perhaps shared with other community pharmacies locally. The Community Pharmacy GDPR Working Party will issue further guidance*, as will the NPA, which has agreed to lead on the issue for its members. For now, contractors should consider the following details provided by the Information Commissioner’s Office (ICO):
- DPOs assist you to monitor internal compliance, inform and advise on your data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.
- The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.
- A DPO can be an existing employee or externally appointed.
- In some cases, several organisations can appoint a single DPO between them.
- DPOs can help you demonstrate compliance and are part of the enhanced focus on accountability.
The DPO may be a pharmacist or another suitable person with knowledge of the particular community pharmacy and ‘expert’ knowledge of data protection and the GDPR and associated legislation, as this relates to that community pharmacy (for example, has a thorough understanding of the guidance issued by the Community Pharmacy GDPR Working Party, as well as the ICO and IGA guidance on the role of the DPO). The DPO is primarily an advisory role, although the DPO’s name is stated on the Privacy Notice and, therefore, the DPO may be the first person to be contacted by patients about data protection issues and data subject rights. The DPO must not be a person who decides the purposes and means of processing, that is, the person who decides the operational issues on data flows.
Time constraint concerns
There is now very little time before 25th May 2018, the day the GDPR comes into force and the likely day on which the Data Protection Act 2018 comes into force. However, as we said in the Guidance for Community Pharmacy (Part 1):
If you are worried about getting everything done in time, two quotes from the Information Commissioner Elizabeth Denham’s blog may reassure you:
“GDPR compliance will be an ongoing journey”; and “… if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world”.
Informally, the message from those involved with GDPR is that they are not expecting everybody to be fully compliant with GDPR on 25th May 2018, not least because the UK legislation is not yet in place.
PSNC and the NPA, along with representatives of other primary care contractors, have been calling on the Government to make an exemption for smaller NHS providers, as we believe that the DPO requirement is inappropriate for smaller pharmacy businesses, and will continue to lobby for amendment to the Data Protection Act 2018. However, we now find ourselves in the position that we must advise contractors to appoint a DPO.
We are also taking this opportunity to clarify two other issues:
- Template A: Decide who is responsible – the Caldicott Guardian
It is not mandatory for pharmacy contractors to appoint a registered Caldicott Guardian, though they may choose to do so if this makes sense for their organisation. There should be somebody at a high level within the organisation – which might be the IG Lead – who takes responsibility for protecting the confidentiality of service users’ health and care data and making sure that it is used appropriately.
- Template D: Data Protection Impact Assessment (DPIA)
Community pharmacies processing data concerning health on a large scale must carry out a Data Protection Impact Assessment (DPIA). The Workbook made this clear. However, what is not clear is the interpretation of ‘large scale’. We were expecting this to be clarified as part of the discussions on the DPO issue. Therefore, the Community Pharmacy GDPR Working Party will shortly be issuing a model DPIA, as an addition to the Workbook, and we recommend that all contractors, including smaller community pharmacies, complete a DPIA as part of preparations for GDPR compliance.
PSNC Director of Operations and Support, Gordon Hockey, said:
“It appears that the UK’s Data Protection Act 2018 is likely to deem all community pharmacies to be public authorities (even though they are not). It seems that the common-sense and pragmatic approach of European legislators on this issue will not be followed in the UK.
PSNC is disappointed by the current stance that the Government is taking on this issue and so will continue to work with representatives of other primary care contractors to lobby against this. In the meantime, the Community Pharmacy GDPR Working Party will be considering guidance to assist smaller contractors in deciding how they are going to meet the DPO requirement.”