The Pharmaceutical Services Negotiating Committee (PSNC) is advising that all community pharmacies regardless of size should appoint a Data Protection Officer (DPO) following indications that this will be required by the UK Data Protection Act 2018.
Representative bodies such as the PSNC and the National Pharmacy Association (NPA) had lobbied for an amendment to the draft legislation that would have meant smaller pharmacies did not necessarily need to have a DPO.
However, on Wednesday 9 May Margot James MP, the Minister for Digital and the Creative Industries told the House of Commons that because primary care providers “process sizeable quantities of sensitive health data” they should have “a single point of contact on data protection matters”.
The PSNC says that while it still opposes this and will continue to campaign on the issue, “we now find ourselves in the position that we must advise contractors to appoint a DPO”.
The General Data Protection Act comes into force on 25 May, and it is considered likely that the UK Data Protection Act 2018 will come into force on the same day. This leaves pharmacies with very little time to appoint a DPO.
However, PSNC has reassured contractors that the Information Commissioner’s Office (ICO) is likely to take a pragmatic stance on businesses that are not compliant with all aspects of GDPR by the deadline.
PSNC director of operations and support Gordon Hockey said: “It appears that the UK’s Data Protection Act 2018 is likely to deem all community pharmacies to be public authorities (even though they are not). It seems that the common-sense and pragmatic approach of European legislators on this issue will not be followed in the UK.
“PSNC is disappointed by the current stance that the government is taking on this issue and so will continue to work with other representatives of other primary care contractors to lobby against this. In the meantime, the Community Pharmacy GDPR Working Party will be considering guidance to assist smaller contractors in deciding how they are going to meet the DPO requirement.”
Read Numark's Laura Reed's guide to GDPR here.