Week 12 / Data Protection and Confidentiality Flashcards

(48 cards)

1
Q: What does the General Data Protection Regulation (GDPR) focus on?
A: The processing of personal data.

2
Q: What is the main purpose of GDPR?
A: To ensure data is processed lawfully, fairly, and transparently in relation to individuals.

3
Q: What rights does GDPR give to individuals?
A: New rights regarding how their personal data is used.

4
Q: What legislation accompanies GDPR in the UK?
A: The Data Protection Act 2018.

5
Q: What does the Data Protection Act 2018 focus on?
A: How personal information is collected, stored, and used.

6
Q: Who oversees the enforcement of the Data Protection Act?
A: The Information Commissioner (IC).

7
Q: What must anyone who records and uses personal information do under the Act?
A: Register with the Information Commissioner (IC).

8
Q: Who is a data subject under GDPR?
A: An identified or identifiable living natural individual.

9
Q: What is meant by data processing?
A: Collecting, recording, organising, structuring, storing, retrieving, consulting, using, or disclosing data.

10
Q: Who is a data processor?
A: Someone who performs any of the data processing activities.

11
Q: What is the role of a data controller?
A: A person with overall responsibility for data processing: deciding what data to process and how.

12
Q: What does a Data Protection Officer (DPO) do?
A: Provides advice, monitors compliance with GDPR, and must understand data protection law and pharmacy practice.

13
Q: What is the Information Commissioner’s Office (ICO)?
A: The UK’s independent authority that upholds information rights in the public interest.

14
Flashcard 1
Q: What does the first principle of GDPR require?
A: Information must be processed in a transparent, lawful, and fair manner.

Flashcard 2
Q: What is the second principle of GDPR?
A: Data must be collected for a specific, legitimate, and explicit purpose.

Flashcard 3
Q: What is the third principle of GDPR about?
A: Data must be relevant and limited to what is necessary for processing.

Flashcard 4
Q: What does the fourth principle of GDPR state?
A: Information kept must be accurate and up to date.

Flashcard 5
Q: What is the fifth principle of GDPR?
A: Data should be kept no longer than necessary and in a form where the data subject is identifiable only as long as needed.

Flashcard 6
Q: What is the sixth principle of GDPR?
A: Data must be processed in a way that ensures security of the information.

15
Q: Give examples of Personal Information (PI).
A: Name and address, telephone number, email address, NHS number, age, details of medicines dispensed.

15
Q: What is Personal Information (PI)?
A: Any information that can be used to identify a person.

16
Q: Is the list of what counts as PI exhaustive?
A: No, any information that could potentially identify someone may be classed as PI.

17
Q: What must organisations be when handling personal information (PI)?
A: Transparent about how PI is used.

18
Q: What should organisations provide regarding PI use?
A: Choices about how PI is used, where appropriate.

19
Q: How should personal information be kept?

20
Q: What amount of personal information should organisations collect and retain?
A: Only the minimum necessary to carry out their functions.

21
Q: How long should personal information be retained?
A: Only for as long as it is required.

22
Q: What must organisations do if PI is lost?
A: Report any loss of PI promptly.

23
Q: What are the consequences of not complying with PI use regulations?
A: Severe penalties for non-compliance.

24
Flashcard 1
Q: What is the first lawful reason for data processing under GDPR?
A: The data subject has given consent.

Flashcard 2
Q: When can data be processed in relation to agreements?
A: For the performance of a contract.

Flashcard 3
Q: How does compliance with the law justify data processing?
A: To comply with a legal obligation.

Flashcard 4
Q: When can data be processed in emergencies?
A: To protect the vital interests of the data subject.

Flashcard 5
Q: What lawful reason relates to the community or government tasks?
A: For a task carried out in the public interest.

Flashcard 6
Q: When is processing allowed based on the controller’s needs?
A: For legitimate interests of the data controller, unless overridden by the rights and freedoms of the data subject.
25
Q: What is "special category" data?
A: It is sensitive personal information that requires extra protection due to its potential impact on individuals' rights and freedoms.
26
Q: List five examples of special category data.
A:
- Health data
- Genetic data
- Biometric data used to identify an individual
- Sexual orientation or sex life
- Race and ethnic origin
27
Q: What other examples of special category data are protected under GDPR?
A:
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
28
Q: Why is special category data protected more strictly?
A: Because its disclosure could lead to unlawful discrimination and significantly affect an individual's rights and freedoms.
29
Q: Is processing of special category data allowed under GDPR?
A: No, it is prohibited unless specific conditions apply.
30
Q: What are two lawful reasons to process special category data?
A:
- The data subject gives explicit consent
- Processing is necessary for the provision of healthcare or treatment
31
Q: Who must oversee the processing of special category data in healthcare?
A: A professional must be responsible, although they do not need to process the data themselves.
32
Q: What does the "right to be informed" mean under GDPR?
A: Individuals have the right to be told how their data is collected, used, stored, and shared, typically via a privacy notice.
33
Q: What is the "right of access"?
A: Individuals can request access to their personal data and receive a copy of the data held about them.
34
Q: What does the "right to rectification" allow?
A: Individuals can ask to correct inaccurate or incomplete personal data.
35
Q: What is the "right to erasure"?
A: Also known as the ‘right to be forgotten’, it allows individuals to request deletion of their data, under certain conditions.
36
Q: What is meant by the "right to restrict processing"?
A: Individuals can ask an organisation to limit how their data is used, often while a dispute about accuracy or purpose is being resolved.
37
Q: What does the "right to data portability" provide?
A: Individuals can request their personal data in a machine-readable format and transfer it to another data controller.
38
Q: What is the "right to object" to data processing?
A: Individuals can object to their data being used for certain purposes, such as direct marketing or tasks carried out in the public interest.
39
Q: Are all GDPR rights fully applicable in a pharmacy setting?
A: Not always: some rights (like erasure) may not apply when there are legal or professional obligations to retain pharmacy records.
40
Q: What is the right concerning "automated decision-making and profiling"?
A: Individuals have the right not to be subject to decisions made solely by automated means, including profiling, that have significant effects on them.
41
Flashcard 1
Q: How does the "right to be informed" apply in pharmacy?
A: Pharmacies must display a privacy notice explaining how personal information (PI) is handled. It should be in plain English and easily accessible (e.g. leaflet, website).

Flashcard 2
Q: How does the "right of access" apply in pharmacy?
A: Individuals can request access to their data free of charge, and it must be provided within one calendar month.

Flashcard 3
Q: How is the "right to rectification" handled in pharmacy?
A: Individuals can request corrections to data. However, some incorrect data may still need to be retained (e.g. original Rx entry) for legal or professional reasons.

Flashcard 4
Q: What does the "right to object to data processing" mean for pharmacy?
A: Individuals can object, but pharmacies must balance their reasons for processing (e.g. legal duties) against the individual’s rights and freedoms.
42
Q: Under what circumstances can confidential information be disclosed in pharmacy practice? [2]
A: Confidential information can be disclosed when:
- The patient agrees (assuming they have capacity).
- The law requires disclosure.
- It is in the public interest to disclose the information.
Only the necessary information should be shared, and the recipient should be aware of its confidential nature. Records must be made, and pharmacists must be able to justify any action taken.
43
Q: What does the GPhC say about patient confidentiality in pharmacy?
A: Patient confidentiality is a professional obligation for all pharmacy professionals. It is critical for maintaining trust with patients. Access to confidential information should typically be with patient consent, but there are exceptions where consent is not needed. Always seek advice if unsure, especially when the requester is not the patient.
44
Q: Who can request confidential information without the data subject's consent in pharmacy practice? [4]
A: The following can request information without consent:
- Police or other enforcement, prosecuting, or regulatory authorities.
- Healthcare regulators.
- NHS counter-fraud investigation officers.
- Coroners, judges, or relevant courts.
However, these parties do not have an automatic right to access the information. The discloser must ensure the request is legitimate.
45
Q: When can confidential information be disclosed without consent due to the public interest? [3]
A: Confidential information can be disclosed in the public interest without the data subject’s consent if it is required to prevent:
- Serious crime.
- Serious harm to a person receiving care or a third party.
- Serious risk to public health.
A balance between maintaining confidentiality and the public interest in disclosing the information must be considered, along with the consequences of not disclosing. Since this is a complex issue, professional advice should be sought.
46
Q: What are some examples of data security breaches in a pharmacy?
A:
- Visibility of Rx forms or PMR screens to unauthorised individuals.
- Discussions about patients outside of work or in public.
- Physical security breaches (e.g. unlocked premises).
- Errors when bagging, handing out, or delivering prescriptions.
- Shouting out patient details when collecting a prescription.
- Insecure handling of smart cards or insecure sign-ins for PMR systems.
- Lost prescriptions or keys to premises and filing cabinets.
- Faxing or emailing information to incorrect recipients without encryption.
46
Q: What are examples of data breaches and the consequences of them?
A: Examples of a data breach include:
- Access by an unauthorised third party.
- Sending personal data to the incorrect recipient.
- Alteration of personal data without permission.
- Loss or theft of computing devices containing personal data.
- Deliberate or accidental actions by a controller or processor.
Consequences:
- Data breaches should be documented.
- Breaches likely to affect rights must be reported to the ICO within 72 hours.
- If a breach is high-risk, affected individuals must be informed.
- The Information Commissioner’s Office (ICO) can fine up to 4% of global turnover or €20 million, whichever is higher.