Running your business
Get to grips with data protection
Pharmacy contractors face a tight deadline to comply with the General Data Protection Regulation, which comes into force in May, and these new data protection rules do matter
Businesses throughout the country are gearing up for the biggest shake-up in European data protection in years. The General Data Protection Regulation (GDPR) builds on businesses’ existing responsibilities under the Data Protection Act (DPA), as well as adding new ones specifically designed for our increasingly linked-up economy. It’s important to note that the UK’s participation in the updated regulation is in no way affected by the vote to leave the European Union.
Community pharmacy representative bodies such as the Pharmaceutical Services Negotiating Committee (PSNC) have been stressing for some time that our sector is no different from any other. “Pharmacies keep personal data related to the dispensing of patients’ prescriptions and other services,” says Gordon Hockey, director of operations and support, “so every pharmacy in the UK must ensure that as of 25 May it is fully GDPR-compliant.”
What do the changes mean for community pharmacy and what do businesses need to do to ensure theyâ€™re up to scratch by the deadline?
Why the change?
GDPR is aimed at making data protection laws fit for purpose in the era of so-called big data. Commentators say that existing laws were drafted at a time when data was largely held neatly in structured databases. In an era when unstructured electronic information, such as emails, travels across the globe in an instant, these laws no longer suffice. And the sheer volume of data being produced eclipses what has gone before. According to legal and accountancy firm Oury Clark, more data has been created over the past two years than in the entire history of the human race.
The regulation seeks to improve how businesses safeguard personal data and how they keep documented evidence of this protection. It covers things such as the rights people have with regard to their data, how organisations obtain their consent for using that data and where responsibility for data protection compliance sits within an organisation.
The Information Commissioner’s Office (ICO), the UK’s independent authority for upholding information rights, advises that all key individuals in an organisation are aware of the changes coming with the GDPR, saying they “need to appreciate the impact [the legislation] is likely to have and identify areas that could cause compliance problems under the GDPR”. The ICO also has a word of advice for those implementing the changes: “You may find compliance difficult if you leave your preparations until the last minute.”
NPA chief pharmacist Leyla Hannbeck described the GDPR as going “one step further” than the current requirements under the DPA, speaking at 2018's Sigma Conference in Borneo. For example, the obligation to document any personal data held, where it came from and with whom it is shared as outlined in the GDPR is not new. What is changing, according to the ICO, is the degree to which rights are being updated for a “networked world”.
Documenting data is something health organisations often struggle with, says the ICO. “Whether at large NHS hospitals or small private dentists, we often see ineffective logging, tracking or movement of manual records,” it says. DPA breaches have included care home records being found in derelict garages.
The GDPR upholds the existing requirement to ensure procedures are in place to detect, report and investigate any personal data breaches, and introduces a duty on all organisations to report certain types of data breach to the ICO and, in some cases, to individuals.
The GDPR deals with the various bases on which an organisation is permitted to process an individual’s data. One basis for processing data that has generated a lot of discussion is consent. The regulation has been described as setting a high standard for obtaining an individual’s consent. “It is very important that the entire team is aware of data protection and individual rights and consent, because they will be having an important role to play here,” Ms Hannbeck told the Sigma conference. “You need to have robust consent activity in your pharmacy.”
According to the ICO, organisations might also need to implement new procedures to cope with new developments regarding transparency and individual rights. This is especially relevant for large or complex organisations where new requirements “could have significant budgetary, IT, personnel, governance and communications implications”, says the ICO.
The GDPR also brings with it increased penalties for breach of obligations, with maximum fines as high as €20 million (£18 million), a big leap from the current maximum fine for organisations of £500,000.
The GDPR states that organisations should designate someone to be responsible for data protection compliance and consider whether they should formally designate a data protection officer (DPO). This is the “most problematic issue” for contractors, says the PSNC.
“Larger community pharmacy businesses must appoint a DPO, but smaller pharmacies ought to be able to avoid this requirement,” says Mr Hockey. “However, as the new UK Data Protection Act currently stands in draft, all pharmacies will have to appoint a DPO. We, with other representatives of primary care contractors, are opposing this.”
The PSNC has said it was working to “limit the number of contractors who must appoint a DPO and, if this is unsuccessful, to ensure the guidance on DPOs is applied pragmatically to community pharmacy”. Ms Hannbeck says it is a near certainty that pharmacies will be required to have a DPO and advises contractors to act accordingly.
Many of the rights people have regarding their data under the GDPR are the same as with the DPA, but it’s still worth businesses checking their procedures and whether they are equipped to enforce all of these rights. One new addition is the “right to data portability”, which allows individuals to obtain and reuse their personal data for their own purposes across different services, potentially significant at a time when we hear more of linked-up health services.
“The GDPR permits the flow of personal data when required for the performance of tasks in the public interest, with various caveats and protections,” says Mr Hockey. “This should allow community pharmacy to be more integrated with the rest of the NHS.”
The GDPR steps up the requirement to keep people informed about how their data is used. As well as the existing need to say who you are and how you use information, you will need to explain other things such as data retention periods, and the information must be provided in concise, clear and easy-to-understand language.
A worrying report from the Federation of Small Businesses in February found that just 10 per cent of small businesses in the UK were fully prepared to comply with the GDPR, and there are concerns in the community pharmacy sector that some contractors could reflect the national trend of unpreparedness.
However, Bristol pharmacist Mithun Makwana says he has every confidence in his business’s data management processes. “We do follow the current Data Protection Act properly,” he says. “We have information governance already implemented and so on, but we might have to do just a few things differently. I feel confident in our approach to data management and don’t think we’ll have to do much extra stuff, but I do know that the penalties can be severe, so we obviously want to avoid that.”
“We are just about to issue guidance on the GDPR, which has been developed with a cross-sector working party from community pharmacy,” says Mr Hockey. “This will include a workbook for contractors to complete to assist GDPR compliance. Pharmacies are subject to considerable information governance requirements already, but there is still some work to be done.”
Mr Hockey concludes that the GDPR is a positive thing for the sector. “Yes, community pharmacy has always taken a decisive approach to data management and this is important for the security and confidentiality of patient information,” he says. “The GDPR should further improve this.”
PSNC’s top tips
PSNC director of operations and support Gordon Hockey advises contractors to complete the committee’s workbook and follow the 13 steps within it, which are listed under the mnemonic DATAPROTECTED.
1. Decide who is responsible
2. Action plan
3. Think about and record the personal data you process
4. Assure your lawful basis for processing
5. Process according to data protection principles
6. Review and check with your processors
7. Obtain consent if you need to
8. Tell people about your fair processing notice
9. Ensure data security
10. Consider personal data breaches
11. Think about data subject rights
12. Ensure privacy by design
13. Data protection impact assessment
Race against the clock
NPA chief pharmacist Leyla Hannbeck on the organisation’s efforts to get the sector up to speed
Q. What progress has there been to date? Are pharmacists up to speed?
A. The GDPR is a big topic and the deadline is approaching quickly. Unfortunately, there are still a lot of pharmacists out there who are not aware of what it means for their business, so we are working hard to ensure there is relevant documentation and templates and guidance documents available for them to access. I will be sending loads of information to pharmacist superintendents in terms of GDPR, what it means for their business, what support is available for them, what is different from the DPA. We will also be doing face-to-face events throughout the country to educate the workforce.
Q. Are there any particular areas that are challenging for pharmacists?
A. There will be a lot more public awareness about what personal data is and how it is handled. The ICO has been advertising in various different media to say that this regulation is coming into effect in May, so the public are aware of their rights and will expect us to enforce them.
The second thing is that there is a role for everyone in the pharmacy in terms of making sure everyone is aware of what it means and what happens if a breach occurs, and really, how to handle personal data in a community pharmacy setting. It’s important that everybody in the team is aware of it and of the requirement for a data protection officer. It’s almost certain that there will be a requirement to have a DPO in pharmacies. It will be a case of making sure that every pharmacist is aware of what they need to do.
There is a lot of conflicting information out there about DPOs and GDPR. I would encourage everyone to come via the NPA because we have various resources available and accurate information. Come to us with any questions. There are templates available, and it’s not a scary topic. There is a big requirement for pharmacy to comply because of the sheer volume of data we manage on a day-to-day basis.
Q. Will being forced into data management be a good thing for pharmacy?
A. Of course. It’s all about data, and it’s not just about the data we manage within our pharmacies. It’s third parties whom we share data with. Are we happy that those third parties are complying with GDPR? It’s an important topic for people to be aware of, especially in the healthcare sector, because of the volume of data and the fact that we work with third parties. Also there are areas where there could be a significant breach, such as patient data going missing, prescriptions going missing, things like that, so it’s important to know what the next steps are if a breach happens. People will need to start educating themselves.