This article has been written by Gordon Hockey, PSNC Director of Operations and Support, and is part of a series of articles for contractors about the General Data Protection Regulation (GDPR) and the associated (currently draft) UK Data Protection Act 2018 (DPA 2018), which both come into force on 25th May 2018. The articles accompany the GDPR guidance and contractor workbook.

The Privacy Notice and the array of data subject rights in the GDPR seek to address the power imbalance between all of us as private citizens and those, including community pharmacy, which hold our personal data.

Community pharmacy should embrace these provisions. The way in which community pharmacy uses personal data is already transparent and data subjects’ rights, while potentially onerous, generally are exercised rarely when patients or other data subjects have confidence in your handling of their data. The Privacy Notice is important to building that confidence.

Key points about the Privacy Notice are:

1. Ensure the Privacy Notice includes all the necessary information and make it clear and simple.
2. The name and contact details of your Data Protection Officer must be included in the Privacy Notice.
3. A model Privacy Notice is included in the Community Pharmacy GDPR Workbook.
4. While it is the contractor (as the data Controller) that must have a Privacy Notice, this should be available at each community pharmacy.
5. The Privacy Notice should be displayed in each community pharmacy and/or in the practice leaflet and/or on the pharmacy website.
6. You should make new patients aware of the Privacy Notice (recognising that a patient who is new to your community pharmacy may well have seen a similar Privacy Notice at another one).
7. Be ready and willing to revise and reissue your Privacy Notice if necessary to improve it for your patients and other data subjects.

Generally, community pharmacy receives personal data direct from the data subject, for example, when a patient ‘presents’ a prescription (hard copy or electronic prescription) or nominates a pharmacy (electronic prescription). The obligation is then to provide the Privacy Notice at the time you collect a patient’s personal data – i.e. when you receive or download the prescription.

If you obtain personal data from other sources, you must provide the patient or other data subject with your privacy information within a reasonable period of obtaining the data and no later than one month after.

The two data subject rights of particular relevance to community pharmacy are the right of access or subject access (this was the subject access request) and the right to object. Relevant staff should be aware of both. Key points on the subject access request are:

1. The request can be verbally or in writing and to any member of staff.
2. You may need to ask the person making the request for ID or establish to your satisfaction that the person has the authority to make the request on behalf of another person.
3. You have one calendar month to respond (but try to do it as quickly as practicable) which can be extended in certain cases.
4. In most circumstances you may not charge a fee (but you can charge a fee if the request is manifestly unfound or excessive or reasonable administrative fee if additional copies of the information are requested).
5. You are providing information not actual or original documents (although in some cases it is just easier to provide a copy of a document).
6. You must confirm if you process (whether you have) the data and if you do, provide it.
7. Data subjects have a right of access to the information provided in your Privacy Notice, so if for example, there is a request for your lawful basis of processing, it may be more helpful to provide a copy of the Notice.
8. If a data subject makes a request electronically, you should provide the information in a commonly used electronic format, unless the individual requests otherwise.
9. You should not provide the personal data of another person in response to a right of access.
10. In the case of a child’s data, the child’s request may be made by a parent or guardian or, if the child understands his or her rights and how to interpret the information, may be accepted from the child. There is additional guidance on children and the GDPR provided by the Information Commissioner’s Office (ICO).
11. The information requested must be provided in concise and intelligible form, using clear and plain language, which means you may need to explain any coded or abbreviated information.

The right to object must be stated on the Privacy Notice if the lawful processing (see Stage 1 – Where do I start?) is ‘performance of a duty in the public interest’. If someone objects, you will need to demonstrate ‘compelling, legitimate grounds for the processing which overrides the interests, rights and freedoms of the data subject’. In most cases you will need to retain the data in accordance with your retention policy. The National Data Opt-Out Programme is an example of the right to object and the extent to which you can accept an objection – if you use patients data for research and planning purposes (see our webpage for more information).

For more information and guidance on GDPR, please visit psnc.org.uk/GDPR

Read the next instalment (9 and 10. Data security and data breaches) here.