The Pharmaceutical Services Negotiating Committee (PSNC) is now advising that all community pharmacies regardless of size should appoint a Data Protection Officer (DPO) following indications that this will be required by the UK Data Protection Act 2018.
Representative bodies such as the PSNC and the National Pharmacy Association (NPA) had lobbied for an amendment to the draft legislation that would have meant smaller pharmacies did not necessarily need to have a DPO.
However, on Wednesday 9 May Margot James MP, the Minister for Digital and the Creative Industries told the House of Commons that because primary care providers “process sizeable quantities of sensitive health data” they should have “a single point of contact on data protection matters”.
The PSNC says that while it still opposes this and will continue to campaign on the issue, “we now find ourselves in the position that we must advise contractors to appoint a DPO”.
The General Data Protection Act comes into force on 25 May, and it is considered likely that the UK Data Protection Act 2018 will come into force on the same day. This leaves pharmacies with very little time to appoint a DPO.
However, PSNC has reassured contractors that the Information Commissioner’s Office (ICO) is likely to take a pragmatic stance on businesses that are not compliant with all aspects of GDPR by the deadline.
The PSNC quotes a blog post from Information Commissioner Elizabeth Denham saying that “GDPR compliance will be an ongoing journey,” and that “…if you can demonstrate that you have the appropriate systems and thinking in place you will find the ICO to be a proactive and pragmatic regulator aware of business needs and the real world”.
PSNC director of operations and support Gordon Hockey said: “It appears that the UK’s Data Protection Act 2018 is likely to deem all community pharmacies to be public authorities (even though they are not). It seems that the common-sense and pragmatic approach of European legislators on this issue will not be followed in the UK.
“PSNC is disappointed by the current stance that the government is taking on this issue and so will continue to work with other representatives of other primary care contractors to lobby against this. In the meantime, the Community Pharmacy GDPR Working Party will be considering guidance to assist smaller contractors in deciding how they are going to meet the DPO requirement.”
NPA chief pharmacist Leyla Hannbeck shared advice for contractors on some key aspects of this newly created role: “The DPO can be an existing employee of an organisation. Alternatively, the role can be contracted out externally. No training is required for the role; however, the Information Commissioners Officer (ICO) has stated that the DPO should have expert knowledge of data protection law.
“According to the current ICO guidance, one DPO can be appointed for a group of companies or public authorities, as long as the appointed individual effectively performs the DPO tasks taking the size and structure of each organisation into consideration. However, it is important to consider if one DPO can realistically cover a collection of organisations.
“The organisations should ensure the DPO has the necessary resources in place to undertake their role and be supported as appropriate. If a DPO is shared by a group of organisations, the DPO must be easily contactable. The DPO’s contact details should be available to the employees of each organisation, the ICO and the individuals whose personal data is processed.”