Sid Dajani, the Royal Pharmaceutical Society’s elected representative on the Pharmaceutical Group of the European Union, examines the issues around data protection in healthcare

They say in the land of evidence-based healthcare, the data-rich person is king. And in an information age we are likely to collect more data, not less, and in some cases we may not know its value until later on. Naturally this raises a few over-arching questions.

As more and more information is collected, we need to know why it is being collected. As this necessity becomes more prevalent, so does the need to understand data flows and who is responsible.

Europe is defining health data for the first time, so it can be regulated and gathered for specific purposes and under certain conditions. This is extremely important for us, as it will establish the conditions for accessing health records and adapting our practice to the provisions established in the regulation. This law could also facilitate the development of health record tools in member states where legislation on data protection is a barrier to access.

Trying to get 28 countries to sign up to a conformist need to understand the breadth and depth of data is going to be hard. But a consensus will be needed to ensure data is processed fairly and lawfully, has clearly defined purposes, has an audit trail, is kept up to date, isn't kept for longer than necessary, is secure, and is adequate, relevant and not excessive.

So major legislative changes are required around retaining appropriate documentation, implementing data security requirements, getting prior authorisation and probably an impact assessment, evidence to show cooperation with the supervisory authority, and designating a data protection officer. In addition, the proposal establishes a complex system of judicial remedies to ensure the regulation is applied. The pharmacist acting as a controller or processor, and not complying with the data protection regulation, can be fined.

In some cases, the consent of the data subject could be waived, in particular when the processing is done for reasons of public interest. Following the definitions proposed in the regulation, it is clear that processing for reimbursement and pharmacovigilance purposes could be considered as a reason of public interest. However, it is not clear if the potential to access to patient records will also be exempted from the requirement of the patient consent.

The critical points of the proposal are the impact of the delegated acts on the development of health records, the need to extend the ability to identify patients to all health professionals dealing with health records, and the implication of patient consent for healthcare professionals. This could also be potentially expensive to implement for every pharmacy. The regulation is expected before the end of 2014.