Your Questions Answered

A selection of recent members’ questions specifically on the GDPR, which came into effect on Friday 25 May, that were answered by the NPA’s pharmacy team.

What are the six data protection principles identified under the GDPR?

The six data protection principles identified under the GDPR state that personal data must be:

  1. Processed lawfully, fairly and in a transparent manner
  2. Collected for specified, explicit and legitimate purposes
  3. Adequate, relevant and limited to what is necessary in relation to the purposes of processing 
  4. Accurate and where necessary, kept up to date 
  5. Kept in a form which allows the identification of a data subject for no longer than is necessary
  6. Processed in a manner that ensures appropriate security

What is the purpose of the accountability principle under the GDPR?

The accountability principle is a new addition under the GDPR which requires organisations to demonstrate compliance with the data principles of the GDPR. The accountability principle aims to minimise the risk of data breaches and promote protection of personal data. It is the organisation’s responsibility to ensure they are able to demonstrate compliance with the GDPR requirements. Organisations can demonstrate compliance through:

  1. Implementation of comprehensive governance measures, which must be proportionate to their processing 
  2. Maintenance of records of data processing activities – these records must include the:
  • Name and details of your organisation (and where applicable, of other controllers, your representative and data protection officer)
  • Purposes of the processing
  • Description of the categories of individuals and categories of personal data
  • Categories of recipients of personal data
  • Details of transfers to third countries including documentation of the transfer mechanism safeguards in place
  • Retention schedules
  • Description of technical and organisational security measures
  3. Putting into practice appropriate security measures to protect personal data

I need to ask the patient/representative to confirm the address verbally when handing out a dispensed prescription whilst others may hear; is this still possible under the GDPR?

Yes. Calling out a patient’s name when handing out a dispensed prescription is important to ensure the correct patient/representative receives the dispensed prescription. To ensure a data breach does not occur, the patient/representative should be asked to confirm the address, rather than a member of the pharmacy team stating it – for example, using a phrase similar to “can you please confirm the address?” Seeking confirmation gives the option to the patient/representative to choose whether to confirm the address verbally or choose to show proof of identification.

You may also wish to consider displaying a patient notice informing patients of the procedure undertaken when handing out dispensed prescription items – this notice can outline that the patient has the option to provide proof of identification instead of verbally confirming their identity. Additionally, the notice can highlight that the process of confirming identity can take place in a consultation room.

If a pharmacy organisation chooses to display a patient notice, this process must be highlighted in the pharmacy’s standard operating procedure (SOP) and the pharmacy must ensure patient confidentiality is maintained at all times – not just to comply with GDPR, but also to abide by the professional standards set by the GPhC/PSNI.

What lawful basis is appropriate if I sell/supply pharmacy (P), general sales list (GSL) medicines and non-GSL items through my website? 

Generally, a patient is required to open an account and provide personal data through an online questionnaire if they plan to buy a P/GSL/non-GSL item via a pharmacy website. The request may require the pharmacy to contact the patient by email/telephone to ensure the supply is appropriate. If personal data is not collected/processed, then no lawful basis is required. Although the patient has already provided implicit consent when creating an account, the pharmacy website’s privacy policy needs to clearly outline the purpose(s) for which the personal data is collected. When selling/supplying a GSL medicine, a non-GSL item or a CE-marked item such as eye drops for dry eyes, the pharmacy may need to contact the patient in order to make a safe and appropriate supply.

Depending on the situation, and item being sold/supplied, the lawful basis may differ; potential lawful bases are:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes 
  • Data processing is necessary due to a contract in place or prior to an individual entering into a contract 
  • Data processing is necessary for compliance with a legal obligation to which the controller is subject 
  • Data processing is necessary for the performance of a task undertaken in the public interest or in the exercise of official authority vested in the controller
