A selection of recent members’ questions specifically on the forthcoming General Data Protection Regulation (GDPR) that were answered by the NPA’s Pharmacy Services team.
Q: Do all members of the pharmacy team need to be aware of the GDPR?
Yes. A fundamental requirement for implementing the GDPR is that everyone within an organisation is aware of it; this includes having an understanding of the GDPR, its principles, and the roles, responsibilities and processes of organisations. The NPA GDPR Staff Training Manual and accompanying multiple choice question (MCQ) assessment can be used to demonstrate compliance with this requirement of the GDPR.
Q: What is the difference between a data controller and a data processor?
A data controller determines how and why personal data is processed. Under the GDPR, the pharmacy organisation is a data controller. The superintendent pharmacist/members of the pharmacy team working within the pharmacy organisation help to fulfil the role of the data controller. A data processor carries out processing on behalf of the data controller. All individuals within a pharmacy organisation are acting as data controllers and not data processors. Examples of a data processor would include an externally appointed pharmacy organisation’s payroll company or a courier company used for the purpose of submitting an end of month prescription bundle.
Q: Does consent need to be obtained from each patient who presents a prescription for dispensing?
No. Consent under the GDPR does not need to be obtained from each patient presenting a prescription for dispensing because consent is not the lawful basis for processing:
Q: Is consent always required when processing personal data in a pharmacy?
Consent must be obtained where no other lawful basis for processing personal data is applicable. As there are five other lawful bases to process personal data, consent may not always be required from an individual. Wherever possible and appropriate, the organisation should try to use other lawful bases permitting the processing of an individual’s personal data. For consent to be valid, it must meet the GDPR’s ‘conditions for consent’. Where consent is used as the lawful basis for processing personal data, the individual must be given an actual choice and control on how the organisation is to use their data. Examples of where consent would be necessary in pharmacy include: a prescription delivery service, a repeat prescription management service, sending emails/text messages, nominating patients for the Electronic Prescription Service (EPS) and accessing Electronic Care Records in Northern Ireland or Summary Care Records (SCR) in England. When a patient presents a prescription for dispensing in a pharmacy, the patient effectively implies consent to enable the pharmacy to process their personal data for the purpose of prescription dispensing. In this scenario, the pharmacy’s lawful basis for processing the personal data under the GDPR is: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.