What is the purpose of data protection?
ensures people can trust you to use their data fairly and responsibly
recognises a person’s right to have control over their own information
recognises that data protection is needed for innovation
If you collect information about individuals for anything other than personal, family or household reasons what laws does it need to comply with?
Data Protection Act 2018, General Data Protection Regulation (GDPR) 2018 and Human Rights Act 1998 (HRA)
What does ISO stand for?
information commissioner’s office
What do the ISO do?
regulate data protection in the UK
What does the Data Protection Act do?
it’s the data protection framework in the UK (with GDPR)
What is UK GDPR?
rights and obligations for most processing of personal data in the UK
What is personal data defined as?
information that relates to an identified or identifiable individual
information about a living individual or the ‘data subject’
doesn’t need to be private information
sensitive data (e.g. health data)
What is a data controller defined as?
an organisation or individual who decides how and why to collect and use the data
What is data processing defined as?
collecting, recording, storing, using, analysing, combining, disclosing, deleting, etc.
What are the data protection principles?
used fairly, lawfully and transparently
used for specified, explicit purposes
used so that it is adequate, relevant and only what is needed
accurate and if needed up to date
kept no longer than needed
appropriate security, with protection against unlawful/unauthorised processing, access, loss, destruction or damage
What information has additional legal protection?
sensitive information (e.g. race, ethnicity, religion, sexual orientation, sexual activity, etc.)
At least one of the following must apply for processing of personal data to go ahead……
consent from the individual for a specific purpose
legal obligation (to comply with the law)
due to a contract or steps before a contract between you and the individual
vital interests - to protect someone’s life
public task
legitimate interests
What must you do if you are using a lawful basis for processing data?
inform the individual who has the right to protest how this data is processed
What are the GDPR standards for valid consent?
freely given
obvious and require positive action to opt in
must cover controller’s name, purpose and type of processing
confirmed in words
no time limit
rules for opportunities to withdraw
clear record keeping
When should you use consent to legally process data?
only if you can offer them a real choice
What does health data refer to?
current, past, or future physical or mental health
What are the lawful bases for processing patient health data?
provision of direct care and related administrative purposes
commissioning and planning purposes
planning and running the NHS
for research (must have legal basis and sometimes consent)
safeguarding or legal duties
subject access request
What are the standards for valid consent by GDPR?
freely given
obvious and require positive action to opt in
specifically covers the controller’s name, the purposes of processing and the types of processing activity
expressly confirmed in words rather than by any other positive action
no set time limit
rules for opportunities to withdraw
clear record keeping
only if can offer a real choice
What is health data?
personal data relating to current, past or future physical or mental health
What is the lawful basis for using patient’s health data?
provision of direct care and related administrative purposes
commissioning and planning purposes
for planning and running the NHS
for research (legal basis and may need consent)
safeguarding or other legal duties
subject access request
What are the individual’s rights under GDPR?
to be informed, of access, to rectification, erasure, restrict processing, data portability, to object, rights in relation to automated decision making
What is a processor?
someone responsible for processing personal data on behalf of a controller, maintain records, take liability for breaches
What is a controller?
someone who determines the purposes and means of processing personal data, ensures contracts with processors comply with GDPR
What do data protection officers do?
assist monitoring internal compliance, inform and advise on your data protection obligations, provide advice regarding data protection impact assessments (DPIAs), act as a contact point for data subjects and the information commissioner’s office (ICO)
What pharmacy environments require a data protection officer and why?
community pharmacies - provide NHS services under national pharmacy contract so are a public authority, NHS hospitals are a public sector body, GP practices
What does the GDPR law say around data protection officers?
if you are a public authority or body, or if you carry out certain types of processing activities then you have a duty to appoint a data protection officer
What are the requirements for the data protection officer?
independent, have qualifications and experience, not the data controller due to a conflict of interest, existing employee or externally appointed, can be shared, all that are processing personal data know who it is
When are you processing data as a pharmacist?
taking prescriptions, use info on patient’s record to dispense medication, discussing patient with other healthcare professional, when you undertake an audit of medication reviews, viewing the summary care record of a patient
What is a personal data breach?
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
What happens if there is a deliberate breach?
pharmacists, technicians and organisations have been prosecuted by the ICO, the GPhC may pursue fitness to practise cases
What are the consequences of inadvertent breaches of personal data?
particularly serious as the data is sensitive, patient confidentiality and data protection can often be a problem