Five years of the EU General Data Protection Regulation (GDPR)
One of the IPU’s roles as a representative body is to help members to ensure that their pharmacy is compliant with all data protection legislation. In preparation for the EU General Data Protection Regulation (GDPR), which came into effect in May 2018, the IPU produced the IPU Data Protection Guide for Community Pharmacy (the Guide). With five years’ worth of experience in supporting our members, we revisited our Guide and reflected that experience into it.
Members will find the updated Guide at ipu.ie/gdpr.
Overall, our message remains the same: community pharmacies have always had to comply with data protection legislation and the GDPR does not make this any more onerous. Similarly, the principles in our Guide remain unchanged, and we have added to our FAQ section with some of the scenarios faced by you regarding requests and management of patient information.
As ever, in the run up to another anniversary of the GDPR coming into force, it might be timely to revisit your Data Protection Checklist and ensure your continued compliance. To help you, we have included a handy Checklist as an insert with this issue of the IPU Review for you to keep on file, or on your pharmacy notice board. You can also find the Checklist and all other templates on our website.
While data protection is increasingly topical, the scenarios faced by pharmacists on a day-to-day basis have not changed with the advent of GDPR; if anything, the rules are clearer. That said, we have added a number of additional scenarios to our Guide and made some amendments. For example, we often get asked about CCTV, including the queries outlined below.
People have a right to request that their own personal data be provided to them, even in the form of CCTV images. This process is called a Subject Access Request (SAR). However, there is also an obligation to protect the privacy of other people whose images may be captured on the same CCTV footage. Before providing someone with their images, any identifying detail of another person will first need to be redacted from the images or stills. As this can often make the CCTV images of little use to the requester, it is advisable to make this clear to the requester at the outset, as they may then decide not to proceed with their CCTV Subject Access Request. This can save the pharmacy the time and money involved in redacting images or stills of CCTV footage, as that cost is borne by the Data Controller (i.e., the pharmacy).
The CCTV recording can be shared with the requester in the form of posting them an encrypted CD, while sending the password separately. This should only be sent after redacting other people’s images and identifying data from the images. If sending a recording is not possible, then a printout of the recording would need to be provided, at a rate of one printout per second of recording.
We also receive a lot of queries about next of kin, who may be making requests about a living relative or a deceased one; the two cases carry different considerations.
While next-of-kin (NOK) is an extremely important role, the designated NOK is not actually entitled to access the personal data of the patient. If requested by NOK to provide medical personal data to them, the consent of the Data Subject should be sought first, before sharing the personal data involved.
The GDPR does not actually apply to deceased persons, and so the personal data is not in scope of GDPR — i.e. you don’t have to comply with a Subject Access Request about a deceased person. You are under no obligation to share the personal data with their family members, unless you were compelled to provide it under the authority of a Court Order or Garda investigation. You can make a decision to provide the requested information on a case-by-case basis; say, for example, the pharmacy knows the family member and trusts them. However, bear in mind that the deceased person may not have wanted their medical personal data shared after their death, so it is best to exercise caution before sharing personal data in this scenario.
You will find these scenarios, and more, in our full Guide.
The revised IPU Guide was produced in consultation with our solicitors and our data protection advisors; the original 2018 Guide had input from the Data Protection Commission (DPC). It explains the data protection regulations and the principles pertinent to healthcare, and specifically, community pharmacy. The FAQ section contains a range of possible scenarios in which pharmacies may be asked to disclose information about a patient, and typical examples of queries received by the IPU in relation to data protection and disclosure of patient information. If you want to brush up on the principles of data protection, or if you are training new staff, we recommend reading this section three or four times.
We have a suite of templates on our website to support you, including the following:
These templates, and more, can be downloaded separately from the IPU website.
The IPU Guide provides a step-by-step guide to demonstrate compliance with the data protection regulations, and has a number of templates for that purpose (as explained above).
The IPU Data Protection Guide for Community Pharmacy is your go-to Guide to ensure everything is as it should be. However, if you have any data protection or patient confidentiality queries, we are here to assist you on 01 493 6401.
Alan Reilly
Head of Information and Technology, IPU