Getting to grips with GDPR – 7. Consent

Getting to grips with GDPR – 7. Consent

May 14, 2018

This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

Consent is a particular problem area given the number of questions we have had about it, so let’s try to clarify the position.

Perhaps the three things to remember are that (1) generally, for the professional activities of a community pharmacy you will not be using GDPR consent, (2) consent remains important to pharmacy practice, and that (3) GDPR consent will be important to any direct marketing. Exploring each one:

Why is GDPR consent generally not relevant to professional activities of community pharmacy?

There are three main reasons why GDPR consent is not usually relevant to pharmacy professional practice:

  1. There are other options for lawful processing such as contract, legal obligation, legitimate interests or vital interests, and one lawful basis should cover almost everything – performance of a duty in the public interest.
  2. GDPR consent may not be appropriate to the processing of healthcare information where consent to processing cannot always be withdrawn and where some patients may not be able to give consent.
  3. Processing of health data (a special category of personal data) is more appropriately processed for the purposes of treatment and care, public health or the management of the health service, under the responsibility of an appropriate person such as a pharmacist.

The table below describes pharmacy services and the applicable lawful basis (as previously described in part 3 of this series).

Pharmacy services Lawful basis (Article 6) Lawful basis / Condition for processing special category personal data  (Article 9)
Dispensing prescriptions Performance of a duty in the public interest Treatment of patients and management of a healthcare system
Flu vaccination service Performance of a duty in the public interest Treatment of patients and management of a healthcare system
Home delivery service (free or paid) Performance of a duty in the public interest (you could argue this comes under legitimate interests) Treatment of patients
Summary Care Records Performance of a duty in the public interest Treatment of patients and management of a healthcare system
Patient nominations Performance of a duty in the public interest; Treatment of patients and management of a healthcare system 

What do you mean by consent remains important to pharmacy practice?

Consent remains important in terms of the activity or confidentiality.

Consent for activity is common sense. You need a patient’s consent to administer a flu vaccination. It is patients who chooses or should choose which pharmacy dispenses their prescriptions. A patient must agree for you to delivery medicines to their home. A patient must nominate a pharmacy for EPS in accordance with current rules and guidance.

Confidentiality (the common law duty of confidence) is integral to pharmacy practice. Generally, you must not disclose confidential information, but you may do so with the express or implied consent of the patient, or as required by law, or because of an overriding public interest. It is these provisions which might allow you to disclose information to a GP or hospital in an emergency (you do not have to have your lawful basis of processing under GDPR as ‘vital interests’ to do so); or allow you to provide information to the police if they are investigating a serious crime and wish to identify a person who visited your pharmacy at a particular time; or call out the name of a patient waiting to collect a dispensed medicine (on the basis of implied consent).

When might GDPR consent be relevant?

This could be for direct marketing or a pharmacy store card and you will need to seek your own advice on this aspect of your business. There is some information on GDPR consent in the guidance and perhaps key points to remember are that:

  1. Pre-ticked boxes will not provide GDPR consent;
  2. GDPR consent must be freely given, unbundled with other acceptances and recorded;
  3. If you do not have GDPR consent and require it, this must be obtained before 25th May 2018;
  4. If you are processing health data under GDPR consent that consent must be explicit – see the ICO information for more detail; and
  5. You must not use information provided for NHS or healthcare purposes to seek to obtain GDPR consent for other purposes such as direct marketing.

For more information and guidance on GDPR, please visit

Read the next instalment (8 and 11. Privacy Notice and data subject rights) here.

Posted in: , ,

More Latest News >