In Analysis

Follow this topic

Bookmark

Record learning outcomes

The news that Pharmacy2U has been fined £130,000 for selling patient data has reignited the debate about whether community pharmacists can be trusted with patient information. 

Confidentiality is a fundamental tenet of the pharmacist-patient relationship. So the news that Pharmacy2U, the online pharmacy, sold patient identifiable data through an online marketing company, has led to widespread dismay in the profession. It was €an €aberration€, according to pharmacy minister Alistair Burt.

The Information Commissioner's Office (ICO) fined Pharmacy2U £130,000 for breaching the Data Protection Act after the issue was uncovered by the Daily Mail. The British Medical Association doesn't think a fine is enough and is pushing for €custodial penalties for those who wilfully or recklessly abuse personal data€. In its view, €the current financial penalties do not offer enough of a deterrent€.

Regret

€We deeply regret this breach of the Data Protection Act, which was not deliberate,€ superintendent pharmacist and managing director Daniel Lee (who owns just over 12 per cent of the business) told Pharmacy Magazine. €At the time, we believed we had customers' consent to receive third party marketing through the privacy policy we had in place.

€We take our responsibilities to the public and the pharmacy profession extremely seriously. As soon as the issue was brought to our attention, we took immediate action to stop the trial selling of customer data €“ and have completely reviewed our information governance since then.€

EMIS, one of the UK's biggest suppliers of pharmacy and GP software systems, which has a 20 per cent holding in Pharmacy2U, was keen to distance itself from the data debacle.

€The information that was sold by Pharmacy2U was information that its customers had provided when they registered for its services. No data was taken from any GP clinical systems or from the NHS electronic prescription service.

€As a leading provider of clinical software systems, we are always reviewing our information governance procedures to ensure complete data security. No changes have been required in relation to the ICO report regarding Pharmacy2U as the two businesses are separate and operate completely independently.€

Suitable punishment

The importance of confidentiality and a suitable punishment has been emphasised by Pharmacy Voice.

€Maintaining the confidentiality of patient data is both an ethical and legal requirement for pharmacies. Patients who use pharmacies either online or in the high street must be guaranteed that their personal details will not be shared with third parties unless they have specifically provided consent.

€Any potential breach of data protection laws or professional standards should be vigorously investigated by the regulators, and an established breach should be punished appropriately by the relevant authority.€

Royal Pharmaceutical Society president Ash Soni welcomed the General Pharmaceutical Council's involvement in the case and hinted at possible RPS action. €We are pleased the GPhC is also investigating this case, recognising the rightful concerns of patients and the public. The RPS will be reviewing the membership of any members who have been found guilty of wrong-doing or are subject of a complaint through our membership committee.€

Scottish concern

Matt Barclay, pharmacy services manager at Community Pharmacy Scotland, emphasised the importance of pharmacists adhering to GPhC standards (see panel below).

€We would hope that incidents like this are regarded as isolated in nature. There are clear regulatory standards for pharmacy professionals in this area throughout the UK, as there are for all healthcare professionals. Access to records is an important enabler for enhanced pharmaceutical care and this should be the only consideration for pharmacists.€

Disgraceful

PSNC chief executive Sue Sharpe was equally emphatic. €Pharmacists and their teams are obliged to keep all patient information confidential at all times, in accordance with the same standards as those that apply to all healthcare professionals. Selling patient information to companies for financial gain is disgraceful conduct, and PSNC hopes that swift and appropriate regulatory action will be taken against anyone found to be taking part in such activity.€

Commenting on the rollout of the Summary Care Record (SCR) to community pharmacies in England, an HSCIC spokesperson was keen to stress that the SCR has well defined processes in place to protect the security and confidentiality of patient information. €The information can only be accessed through a secure private network by authorised pharmacy staff who have been carefully granted a PIN protected access card, and all access is monitored to ensure it is appropriate.€

GPhC investigation

The GPhC says its investigation is now a key priority. €We conducted an inspection of Pharmacy2U jointly with NHS England on April 13, 2015, which assessed whether action had been taken by Pharmacy2U to avoid any further misuse of patient information and if there were any wider issues which needed to be addressed in relation to our standards for registered pharmacies.

€This inspection found that Pharmacy2U had taken steps to prevent another breach of patient information taking place and that there were no other immediate patient safety concerns.€ Now that the ICO has completed its investigation, we have asked it to supply the evidence it may hold which could be relevant to our ongoing investigation, says the GPhC. The regulator is also taking further steps to gather all other relevant evidence.

€That evidence will be assessed in order to decide whether, and in what way, action will be taken against Pharmacy2U and against any registered pharmacy professionals employed by Pharmacy2U who were responsible for misuse of patient information.€

Selling patient information to companies for financial gain is disgraceful conduct