Patient data: Lessons from a GPhC warning
Legal experts Richard Hough and Dana Samatar explore the serious consequences pharmacists can face when patient confidentiality, data protection laws and an employer’s data protection policies are breached…
The General Pharmaceutical Council’s (GPhC) Investigating Committee recently issued a formal warning to a pharmacist who accessed her former husband’s medical records on multiple occasions without any clinical justification.
This warning, which has now been published on the GPhC register for 12 months, followed a police investigation and a formal police warning. It also emerged during proceedings that the pharmacist had accessed the records of family members several times, relying only on their verbal consent.
This incident serves as a reminder that access to patient medication and medical records must always be justified and lawful.
Pharmacist breached several professional standards
The GPhC found that the pharmacist had breached several professional standards, including the requirement to exercise professional judgment, behave in a professional manner, maintain patient confidentiality and privacy, and demonstrate leadership.
Health and medical information is classed as special category personal data under applicable UK data protection legislation, which means it is subject to enhanced protections.
Organisations must ensure that there is a lawful basis for processing such data under Article 6, and an additional condition under Article 9, of the UK General Data Protection Regulation (UK GDPR).
Unauthorised access to such special category data can also result in criminal prosecution under section 170 of the Data Protection Act 2018, as was the case with this registrant, who received a formal police caution for unlawfully obtaining her former husband’s personal data.
The Information Commissioner’s Office (ICO) has taken a firm stance on unlawful access to medical records.
In one reported case, a former NHS secretary was fined for accessing the records of 156 patients without a business need, viewing records over 1,800 times, including those of family members and local residents. In another case, a midwifery assistant was fined for accessing the records of 29 individuals, including friends and colleagues, out of personal curiosity.
Pharmacists and pharmacy business owners must take proactive steps to protect patient data and avoid regulatory action. Pharmacy business owners should ensure that access to patient medication and medical records is restricted based on their employees’ job roles and necessity, with audit logs maintained to monitor access patterns.
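One way to turn "audit logs maintained to monitor access patterns" into an actual check is to compare each record view against the dispensing or care events that would justify it, and flag the pattern seen in the cases above: repeated views of one record, often out of hours, by a staff member with no clinical relationship to that patient. The following is an added example, not code from the article or the GPhC; the log format, the care-event set, the opening hours and the repeat threshold are all constructed assumptions.

```python
from collections import Counter
from datetime import datetime

OPEN_HOUR, CLOSE_HOUR = 8, 18   # assumed pharmacy opening hours (hypothetical)
REPEAT_THRESHOLD = 3            # assumed: 3+ unjustified views of one record is "repeated"

# Constructed audit log entries: (timestamp, staff_id, patient_id, action). Not real data.
AUDIT_LOG = [
    ("2024-03-01T09:02:00", "ph01", "P100", "view"),
    ("2024-03-01T09:05:00", "ph01", "P101", "view"),
    ("2024-03-02T18:40:00", "ph01", "P900", "view"),   # no care event, out of hours
    ("2024-03-05T19:10:00", "ph01", "P900", "view"),
    ("2024-03-09T20:05:00", "ph01", "P900", "view"),
    ("2024-03-01T10:00:00", "ph02", "P100", "view"),
    ("2024-03-03T11:00:00", "ph02", "P101", "view"),   # no care event, single view in hours
]

# Constructed (staff_id, patient_id) pairs with a dispensing/care event that gives
# the staff member a clinical reason to open that record.
CARE_EVENTS = {("ph01", "P100"), ("ph01", "P101"), ("ph02", "P100")}


def flag_unjustified_access(log, care_events, repeat_threshold=REPEAT_THRESHOLD):
    """Return one alert per (staff, patient) pair whose record views have no
    matching care event, with the view count, how many views fell outside the
    assumed opening hours, and whether the repeat threshold was reached."""
    views = Counter()
    out_of_hours = Counter()
    for ts, staff, patient, action in log:
        if action != "view" or (staff, patient) in care_events:
            continue  # justified by a care event, or not a record view
        views[(staff, patient)] += 1
        hour = datetime.fromisoformat(ts).hour
        if not OPEN_HOUR <= hour < CLOSE_HOUR:
            out_of_hours[(staff, patient)] += 1
    return [
        {"staff": staff, "patient": patient, "views": n,
         "out_of_hours": out_of_hours[(staff, patient)],
         "repeated": n >= repeat_threshold}
        for (staff, patient), n in sorted(views.items())
    ]


if __name__ == "__main__":
    for alert in flag_unjustified_access(AUDIT_LOG, CARE_EVENTS):
        print(alert)
```

A single unjustified view still produces an alert for follow-up, but only the repeated, out-of-hours pattern is marked as such, which is the kind of distinction an information governance lead would want before escalating.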
Staff should receive regular training on data protection responsibilities, with clear internal policies on data access and breach reporting.
Pharmacy business owners should also ensure that confidentiality clauses are included in their employees’ employment contracts, and technical safeguards, such as encryption and secure login credentials, should be used to protect patients’ personal data.
Organisations should also have breach notification procedures and conduct simulated breach drills to test their readiness.
Ultimately, the boundaries of lawful access to a patient’s personal data must be clearly understood by all staff, and robust systems must be put in place to prevent, detect and respond to data breaches.
Protecting patient data is not just a regulatory requirement; it is fundamental to maintaining public trust and confidence in the profession.
Richard Hough is a partner and head of healthcare at Brabners LLP and a former pharmacist. Dana Samatar is a solicitor in the data protection team at Brabners LLP.