Getting to grips with GDPR – 9 and 10. Data security and data breaches

May 18, 2018

This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

Data security was important before the GDPR and it remains important after its introduction. Perhaps the key difference is that you need to think about this and demonstrate compliance proactively before any problems occur. Up until now, you might have ‘got away’ with just doing what you’ve done for a while and promising to improve if there was a problem.

In the GDPR Workbook, we list many of the existing templates you may have, or you may have equivalent practices / documents through which you will seek to ensure the physical, electronic and human security of personal data.

An example of each might be:

Security type | Practical example in community pharmacy
Physical | Preventing unauthorised access to the pharmacy premises by ensuring that it is locked as required.
Electronic | Seeking appropriate advice to ensure that your PMR database and use of the Electronic Prescription Service (EPS) is secure and has the necessary ongoing support from your PMR supplier or others. Pharmacy teams should also only be using NHSmail accounts to send health data about a patient to another healthcare professional.
Human | Training staff in confidentiality requirements and ensuring they are bound by them (either professionally or by contract).

The GDPR is making everybody think about how they process personal data, including how they transfer personal data to others and this should not stop after 25th May 2018.

As regards personal data breaches, the first point is to seek to avoid them through good practice, procedure and the right culture in the organisation; and, if they happen, to deal with them quickly and sensibly. In terms of the GDPR, there are three levels:

  1. Any personal data breach – record all data breaches in the Workbook, however minor (and learn from them).
  2. When it is ‘likely’ to result in a risk to the rights and freedoms of the patient or other data subject – record the data breach and notify the Information Commissioner’s Office (ICO). What needs to be reported may change over time. Everybody will probably be cautious at the start and over-report data breaches, the real danger here being that the ICO becomes overloaded with information and misses the real problems.
  3. When it is ‘highly likely’ to result in a risk to the rights and freedoms of the patient or other data subject – record the data breach, notify the ICO and tell the patient or other data subject (although as pharmacists are subject to a duty of candour, they may decide to tell the patient about something before this stage).

As a rough guide, because each data breach must be considered against its own facts, here are some examples:

Level of data breach | Practical example in community pharmacy
1. Record the breach | If you send a patient’s health data to the wrong GP or similar controlled environment when confidentiality can be assured as part of professional requirements; or if a patient’s dispensed medicine has another patient’s repeat slip but the error is corrected quickly in the pharmacy or soon afterwards (subject always to the circumstances and not, for example, if particularly sensitive patient data has been disclosed to somebody who knows the patient).
2. Record the breach and notify the ICO | If the prescription bundle is lost en route to the NHS Business Services Authority (NHS BSA) and it is not thought to be lost in the courier’s warehouse.
3. Record the breach, notify the ICO and tell the patient about the breach | If a prescription collected at the GP practice has been lost on the way back to the pharmacy and could be picked up by anybody locally.

For more information and guidance on GDPR, please visit

Read the next instalment (12 and 13. Data protection by privacy and design and the Impact Assessment) here.
