This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

The GDPR requires data Controllers to be more conscious and careful about giving personal data to others to process – their processors – and community pharmacy is no exception.

What is a Processor?

Processors are those who do exactly what you ask them to do with the personal data you send to them. They are not other data Controllers to which you pass information.  So, for example, if you send payroll information to a third party which pays your staff, the third party is a processor of your information. If you send information to, for example, your bank, HMRC, NHS England or the NHS Business Services Authority (NHS BSA), these organisations are generally data Controllers. (Generally, you as a pharmacy are a data controller because you make the decisions about what, when and whether to process patient data.)

Who are my main Processors?

The main Processors for community pharmacies will be:

• your PMR supplier and the aggregator (usually by the PMR supplier) which together transfer prescription data from the community pharmacy to the NHS; and
• any organisation that provides data capture and reporting systems (such as PharmOutcomes, Sonar Informatics, Healthi or Webstar Health).

Reviewing arrangements with your Processors

Having identified your Processors, the question is whether the necessary GDPR safeguards are included in the relevant contract (or sometimes legal provision), which include:

1. Details of the processing that will be carried out on your behalf;
2. The Processor will ensure the security of the personal data;
3. The Processor will only act on the written instructions of the Controller; and
4. The Processor will assist you as the Controller to fulfil your obligations, for example, in relation to the security of the data and data breaches.

Points 1 and 2 may be clear already in your contractual arrangements; points 3 and 4 may be clarified in the standard terms of business or require clarification in a revised contract.

A good starting point is to see what information the Processor has on its website. You must be realistic with the extent to which you can influence larger businesses that process personal data for you. Generally, you will be subject to their terms and conditions including the GDPR assurances you need, which should be updated before 25th May 2018 or soon afterwards.

For more information and guidance on GDPR, please visit psnc.org.uk/GDPR

Read the next instalment (7. Consent) here.