LEGISLATION
The new law provides a consistent data protection framework with enhanced rights for individuals and greater accountability and transparency.

Six principles of GDPR
Personal information (data) must be:
1. processed lawfully, fairly and in a transparent manner;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
3. adequate, relevant and limited to what is necessary for the purpose for which they are processed;
4. accurate and up to date where necessary, and inaccuracies rectified as quickly as possible;
5. kept (or kept in a form which permits identification of individuals) for no longer than is necessary;
6. processed in a manner that ensures appropriate security of the personal data and in line with the data subject’s rights.

Note that the data controller is responsible for, and must be able to demonstrate, compliance with these principles.

• If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.

An individual business may use an external processing company or appoint a separate data controller and processor.

What is a Data Protection Officer?
The GDPR introduces a duty for public authorities to appoint a data protection officer (DPO). In its recent letter to local contractors, the Health and Social Care Board (HSCB) confirmed that all community pharmacies are considered to be public authorities since they are NHS-funded primary care providers.

DPOs assist an organisation to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the supervisory authority.

The DPO must be independent, an expert in data protection, adequately resourced, and report to the highest management level.

A DPO can be an existing employee or externally appointed. In some cases several organisations can appoint a single DPO between them.

Community Pharmacy Northern Ireland (CPNI) is backing PSNC, which is leading a challenge to this aspect of the GDPR in an attempt to create an exemption for small pharmacy businesses for which the cost would be disproportionate and unreasonable.

Six lawful bases for processing personal data
The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply whenever you process personal data:
(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

What is a data breach?
‘The accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.’

Examples include a computer system being hacked, papers containing personal data being stolen or left on the bus, records being destroyed within their retention period, HR records left on a desk and viewed by employees, and confidential email addresses disclosed to others when sent in the ‘To’ field.

What to do if you suffer a data breach
Under the GDPR there is a duty on all organisations to report certain types of personal data breach to the Information Commissioner within 72 hours of becoming aware of the breach, where feasible.

If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, you must also inform those individuals without undue delay.

You should ensure you have robust breach detection, investigation and internal reporting procedures in place. This will facilitate decision making about whether or not you need to notify the relevant supervisory authority and the affected individuals.

You must also keep a record of any personal data breaches, regardless of whether you are required to notify. For pharmacies, you must also inform HSCB if you suffer a suspected or actual data breach, by contacting your local Pharmacy Advisor.

When reporting a breach, you must provide:
• a description of the nature of the personal data breach including who and how many individuals are concerned and the type of records that have been breached;
• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
Pharmacy in Focus - 43