LEGISLATION >
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
In the event of an information loss or breach, it is vital that you have robust policies and procedures in place to manage the incident effectively. You should conduct an assessment of the breach as soon as possible to ensure that you are able to recover any data lost, or stop any further breaches. Your policy should also cover steps to investigate how the breach occurred so that you can learn from it and improve your processes for the future.
Rights of data subjects gdPr introduces improved rights for individuals about the information that you may hold about them.
1. the right to be informed 2. the right of access 3. the right to rectification 4. the right to erasure 5. the right to restrict processing 6. the right to data portability 7. the right to object 8. rights related to automated decision-making and profiling
Privacy statements Your business should have a data Protection Policy and processes to ensure compliance with the gdPr principles. a Privacy Statement or notice must be provided to individuals setting out how you collect data, store it and use it. the Privacy notice should also provide details of data subjects’ rights and how to contact the organisation with a complaint or query regarding their data. the notice should use clear, concise language that is easily understood by adults and children.
Helpful guidance
from CPNI Community Pharmacy Northern Ireland (CPNI) have provided four documents to help you comply with GDPR:
• guidance for community Pharmacy (Part 1) cPnI • guidance for community Pharmacy (short version) (Part 2) cPnI • Workbook for community Pharmacy (Part 3) cPnI • faQs for community Pharmacy (Part 4) cPnI
44 - PharMacY In focUS
ACTION PLAN numark have produced a plan of action for pharmacies to ensure compliance with gdPr…
How do I get ready for GDPR? Pharmacy contractors are encouraged to consider and familiarise themselves with obligations under the gdPr to determine any compliance gaps that need addressing in their standard operating procedures and other policies for when the gdPr goes live.
In summary you will be required to: • read through the information on getting ready for gdPr at
https://ico.org.uk/for- organisations/resources-and-suppor t/data-protection-self-assessment/ getting-ready-for-the-gdpr/ identify
these gdPr resources were launched at the joint kPMg-cPnI event on thursday 19th april, hilton templepatrick and are now available in the members’ section on cPnI’s website:
www.community pharmacyni.co.uk/members-area
there are thirteen key considerations which should be regularly reviewed to ensure consistent gdPr compliance – think data ProtEctEd.
Step 1. Decide who is responsible the owner of the pharmacy business or directors are responsible for data protection and security, and compliance with the gdPr. It is sensible to appoint one person to lead efforts to comply with the gdPr.
areas of concern and put together an action plan.
gdPr can be a minefield, however it is important that you ensure you understand the importance of data protection and implications should this be breached.
We have developed a series of training modules on the numark training platform around data protection suitable for the whole pharmacy team including: • legal advice: moving patient data • legal advice: Whose data is it anyway?
• Understanding the data Protection act
• counter Excellence - data protection
We are also developing a range of support to help make compliance
Step 2. Action plan data protection and confidentiality of patient data are the responsibility of the pharmacy team, not just the business, and so all staff will need training. You can use the thirteen steps in these information booklets to understand the framework of the gdPr.
Step 3. Think about and record the personal data you process any system, whether paper or electronic eg, on a database, containing searchable personal data is a ‘filing system’ and should be considered. Pseudonymised data is data that could be attributed to a specific individual person if combined with additional data, the gdPr also applies to such data. You will need to
and the processes involved as straight forward as possible and from april we will have:
template policies including: • retention of records policy along with retention and disposal schedule
• data breach register and notification procedure
• Subject access request record • consent procedure
Staff training modules which cover: •What is gdPr? • Principles of gdPr • rights of data subjects. • reporting incidents.
Visit
www.numarknet.com or call customer Services on 0800 783 5709 to find out more.
have a record of all the filing systems that your pharmacy holds, and of how you collect, store and use all personal data. this will need to be reviewed on an ongoing basis – cPnI suggests annually.
Step 4. Assure your lawful basis for processing the gdPr requires all organisations to have a lawful basis for processing personal data. for much data in pharmacies this will be ‘for the performance of a task carried out in the public interest’. Personal data concerning health is further protected and pharmacies must have one of the stated reasons for processing it.
these include: ‘the provision of healthcare or treatment’. You will
Page 1 |
Page 2 |
Page 3 |
Page 4 |
Page 5 |
Page 6 |
Page 7 |
Page 8 |
Page 9 |
Page 10 |
Page 11 |
Page 12 |
Page 13 |
Page 14 |
Page 15 |
Page 16 |
Page 17 |
Page 18 |
Page 19 |
Page 20 |
Page 21 |
Page 22 |
Page 23 |
Page 24 |
Page 25 |
Page 26 |
Page 27 |
Page 28 |
Page 29 |
Page 30 |
Page 31 |
Page 32 |
Page 33 |
Page 34 |
Page 35 |
Page 36 |
Page 37 |
Page 38 |
Page 39 |
Page 40 |
Page 41 |
Page 42 |
Page 43 |
Page 44 |
Page 45 |
Page 46 |
Page 47 |
Page 48 |
Page 49 |
Page 50 |
Page 51 |
Page 52 |
Page 53 |
Page 54 |
Page 55 |
Page 56 |
Page 57 |
Page 58 |
Page 59 |
Page 60 |
Page 61 |
Page 62 |
Page 63 |
Page 64
