Data protection and confidentiality

What is GDPR?

gives individuals rights regarding their personal data.

How information should be collected, stored and used.

What is a data subject?

an identified or identifiable living natural individual

What is data processing?

collecting, recording, organising, structuring, storing, retrieval, consulting, use and disclosure of data.

Someone who does this is a data processor

What is a date controller?

a person with overall responsibility for the processing of information

What is a data protection officer?

Someone who has expertise in data protection law and GDPR, they can give advice and monitor compliance.

They should also understand pharmacy.

What is the information commissioners office (ICO)?

independent authority for the UK which will uphold information rights in the public interest.

What are the 6 principles of GDPR?

• all information must be processed in a transparent, lawful and fair manner

• information is collected only for a specific, legitimate and explicit purpose

• information must be relevant and limited to only what is required for processing

• the information that is kept must be accurate

• kept in a form so identification of a data subject must be kept for no longer than necessary.

• data must be processed in a way that enable it to be kept secure

What is classed as personal information?

• name and address

• phone number

• email address

• details of medicines dispensed

• NHS number

• age

• anything that could be used to identify a person

How are organisations expected to act surrounding personal information?

• be transparent in use

• provide choices of storage

• keep it secure

• only collect and retain minimum needed

• only retain data for as long as required

• report any loss of PI.

What are 6 lawful reasons for data processing under GDPR?

• data subject has given consent

• for performance of contract

• comply with legal obligation

• protect the interests of the data subject

• for a task to be carried out that is in the public interest

• for purposes of the interests of data controller

What is special category data?

personal information that is especially sensitive

What is included in special category data?

• health data

• genetic data

• biometric data

• race/ethnic origin

• religious beliefs

• political opinions

• trade union memberships

When is processing of special category data allowed?

• data subject has given explicit consent

• processing is necessary for the purpose of provision of healthcare

What are the 8 rights of individuals around data?

The right to:

• be informed

• of access

• rectification

• erasure

• restrict processing

• data portability

• object to data processing

• not be subject to automated decision making including profiling

If a person requests access to any information held about them, how long does the pharmacy have to provide it?

one calendar month

When can disclosure of confidential information happen?

• a patient agrees to their information being disclosed a

• the law requires the information to be disclosed

• it is in the public interest

Who can request information about a data subject without consent?

• police

• healthcare regulator

• NHS counter fraud investigator

• coroner, judge or court

When would a disclosure be made in the public interest?

to prevent a crime, serious harm or serious risk to public health

How may data be unsecure in a pharmacy?

• visible Rx

• visible PMR screen

• discussions about customers

• errors

• smart cards

• lost prescriptions

• lost keys