General Data Protection Regulation
The ‘right to erasure’ only applies in certain circumstances, including where:
- Personal data is no longer necessary for the purposes it was collected or processed
- The individual withdraws consent for the lawful processing of personal data and there is no other lawful basis for processing
- The individual objects to the processing of their personal data and there is no overriding legitimate interest to continue processing
- Personal data was unlawfully processed
- Personal data must be erased to comply with a legal obligation.
However, requests can still be rejected in certain circumstances. For example, in order to comply with a legal obligation for the performance of a public interest task or exercise of official authority or if it is in the public interest, for public health purposes.
Health data is under a special category under the GDPR which specifies two circumstances where the “right to erasure” will not apply:
1) Necessary for public health purposes in the public interest. This is to ensure a high standard of safety and quality healthcare, medical products and medical devices.
2) Necessary for the purposes of preventative or occupational medicine. For example, the processing is necessary for medical diagnosis, providing healthcare or managing healthcare systems/services. This is only applicable if the personal data is processed by, or under the responsibility of, a professional subject to a legal obligation of professional confidentiality/secrecy, such as a healthcare professional.
Please note: The lawful basis for processing personal data and special categories of data when dispensing private and NHS prescriptions is “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
Distance selling pharmacies should consider what records they are keeping. The GPhC singles out “P” medicines where no records would be kept following an over-the-counter transaction but would be required of a distance sale.
Dealing with an individual’s request to delete their data
You are required to deal with the request without undue delay and respond within one month of receiving the request. The timeframe for responding to requests to delete an individual’s data may be extended in some cases only by a further two months. However, you must inform the individual without undue delay and within one month of receiving their original request explaining why additional time is required.
The ICO say it is “unlikely to be reasonable” to request additional time if: to do so is obviously unfounded or excessive; an exemption applies; or you require additional information to confirm the individual’s identity.
If you refuse the ‘right of erasure’ within a month you must provide details of: the reasons for refusal; the individual’s right to make a complaint to the ICO; the individual’s ability to seek enforcement of the ‘right of erasure’ through a judicial remedy.
If the individual’s personal data has been disclosed to third parties, the individual and the third party must be informed of the erasure request – unless it is not possible to do so, or requires disproportionate effort.
The ‘right to restrict processing’.
Pharmacies can suggest that individuals exercise this right, which means that although the pharmacy can store the personal data (for reasons explained above), it will be blocked/suppressed by the pharmacy from further processing. It is applicable in certain circumstances, such as:
• The accuracy of the personal data is contested – processing of the individual’s personal data should be restricted until the organisation has verified its accuracy.
• The processing of the data is unlawful and the individual does not request the right of erasure, instead requesting restriction.
• The organisation no longer requires the data for processing but it is required by the individual for the establishment, exercise or defence of legal claims.
• If an individual objects to the processing of their data but processing is required for the performance of a public interest task or purpose of legitimate interests, and the organisation is considering whether their legitimate grounds override those of the individual.
Leyla Hannbeck MSc, MRPharmS, MBA, MA
Director of Pharmacy, NPA
For further information email at email@example.com or call 01727 891800.