Professional Update for Superintendents - Number 15
GENERAL DATA PROTECTION REGULATION
We are not out of the EU yet... and the government has said that this EU Regulation will not be affected by Brexit. It is due to be implemented in UK law by 25th May 2018. As a Regulation rather than a Directive, it is binding to all Member States and there are no derogations (exceptions). However, how it will apply to healthcare and particularly to community pharmacy is very much open to interpretation and guidance. The principles are largely familiar from our own data protection law but there are additional requirements particularly in documenting transparency and governance arrangements. For a definitive account, go to the Information Commissioner's website. Their guidance is cumulative as interpretations are made by the "article 29 working group" but so far, the following is suggested as preparation for implementation. Expect more detailed practical advice from the RPS in due course.
Twelve areas to prepare
- Awareness - assign a senior person (or yourself) to raise awareness that this Regulation is coming, get "buy in" from decision makers and key people.
- Information you hold - health-related data (conditions, disease, medication) will change from "sensitive data" to "special category" and may be subject to additional controls on access and sharing. You will have to know and document what data you hold, where it came from and who you share it with.
- Privacy notices - notices or leaflets to the public about the data you hold about them will need to be more detailed, including the legal basis on which you hold the data (see below), data retention period, maintained in clear, easily understood terms with no jargon or unrecognisable acronyms.
- Individuals’ rights - as well as existing rights, data subjects will have a right to have inaccuracies corrected or even erased (perhaps not for health information), to opt out of direct marketing and object to profiling and automated decision making.
- Subject access requirements - general requests may not be charged for and access must be within a month (not 40 days as before). You can resist or charge for requests that are unfounded or excessive. Data holders should work towards making data "portable", that is directly accessible via a secure sign in process rather than having to ask for lengthy print-outs for example.
- Legal basis - community pharmacy can already keep PMRs without specific consent because it is necessary for the performance of their NHS contract. Other legal bases may cover activities outside dispensing such as MURs or NMS, but obtaining specific consent for these is always advisable.
- Consent - the guidance stresses the importance of real consent and documenting it. Must be clear affirmative action, freely given, specific, informed and unambiguous. Silence, pre-ticked boxes or inactivity does not constitute consent.
- Children - parental or guardian consent is likely to be needed for data held about children under 13 years of age.
- Data breaches - systems to detect breaches of data security must be documented and breaches must be reported to the ICO where damage to the subject, ID theft or breach of confidentiality occurs.
- Impact assessments - may be needed if new technology or high-risk activity is contemplated.
- Data protection officers - must be appointed for large scale processing of special category data. Can be a single officer for a group. The officer must be able to act independently and have no conflicts of interest.
- International - if your activities are multi-site across the EU or outside it, you may have to state which "supervisory authority" your data processing comes under.
Some key points from three consultations that have recently closed:
Supervision of pharmacist independent prescribers (PIPs) - a discussion document before a full consultation on education and training requirements for PIPs. Proposes to allow existing prescribers - doctors, nurse IPs or PIPs - to supervise PIPs in training.
Initial education and training of pharmacy technicians - proposes to allow existing pharmacy technicians to supervise technicians in training and to introduce "flexibility" in the work experience hours (currently two years) required, provided they can meet the learning outcomes. The consultation also proposes to remove the option for a registered pharmacist to become a registered technician without completing the full technician course. Readers might want to look carefully at page 17 of the document on learning outcomes which lists what technicians should be able to do or know how to do. There is no role clarification given for pharmacy technicians.
Religion, personal values and beliefs - you will almost certainly be aware of this one! It proposes to change the last example in the standard for person-centred care to "take responsibility for ensuring that person-centred care is not compromised because of personal values and beliefs". This change should then be interpreted in the light of extensive guidance which is included in the consultation.
Prepared on 17th March 2017 by Joy Wingfield, pharmacy academic and consultant. All links correct at time of posting.
Would you like to join the Pharmacy Law and Ethics Association? It is for pharmacists who are interested in law and ethics and lawyers or ethicists who are interested in pharmacy. Annual fee currently £25 (even to RPS members). Visit www.PLEA.org.uk for details of how to join.