confidentiality Flashcards

1
Q

what does the GDPR ensure?

A

•Intended to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals across the EU

2
Q

what accompanied the GDPR in 2018?

A

GDPR is accompanied by a new Data Protection Act which came into force in May 2018
•The new Act is all about personal information and the way that it is collected, stored and used

3
Q

who oversees the Data Protection Act 2018?

A

the Information Commissioner (IC)

4
Q

what does the Data Protection Act 2018 require?

A

•The Act requires anyone who records and uses personal information to be registered with the IC

5
Q

define data subject

A

•An identified or identifiable living ‘natural person’ (an individual, not a company or other legal entity)

6
Q

define data processor

A
  • ‘Processing’ covers collecting, recording, organising, structuring, storing, retrieving, consulting, using and disclosing data
  • Someone who does any of the above on behalf of a data controller is a data processor

7
Q

define data controller

A

•A person with overall responsibility for the processing of information (decides what data to process and how)

8
Q

who is the Information Commissioner's Office (ICO)?

A

•the independent authority for the UK, set up to uphold information rights in the public interest

9
Q

what is classed as personal information?

A

•Name and address
•Telephone number
•Email address
•Details of medicines dispensed
•NHS number
•Age
•Any information which could potentially be used to identify a person could be classed as PI

10
Q

how should organizations handle personal information?

A
  • Be transparent in explaining the use of people’s PI
  • Provide choices about how PI is used where appropriate to do so
  • Keep it secure
  • Only collect and retain the minimum amount of PI necessary to carry out their functions
  • Only retain data for as long as it is required
  • Report any loss of PI promptly
11
Q

what happens if you do not comply with how PI should be handled?

A

severe penalties

12
Q

what is special category data?

A

personal information that is especially sensitive

13
Q

what would happen if you disclosed special category data?

A

•Disclosure of this data could significantly impact the rights and freedoms of data subjects and potentially be used against them for unlawful discrimination.

14
Q

what are examples of special category data?

A
  • Race and ethnic origin
  • Religious or philosophical beliefs
  • Political opinions
  • Trade union memberships
  • Biometric data used to identify an individual
  • Genetic data
  • Health data
  • Data related to sexual preferences, sex life, and/or sexual orientation
15
Q

when can you process special category data?

A
  • The data subject has given explicit consent to the processing for one or more specified purposes
  • Processing is necessary for the purpose of the provision of healthcare or treatment
  • The processing must be done under the responsibility of a professional

16
Q

what are the rights of individuals when it comes to PI?

A
  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object to data processing
  8. The right not to be subject to automated decision-making including profiling
17
Q

what rights of individuals are applied to pharmacy?

A

1. The right to be informed
2. The right of access
3. The right to rectification
7. The right to object to data processing

18
Q

what is patient confidentiality?

A

Patient confidentiality is a professional obligation for all pharmacy professionals

It is a professional requirement to gain consent from the patient for the provision of care or pharmacy services

19
Q

what type of consent applies to marketing purposes?

A

GDPR consent

20
Q

what does consent mean?

A

Consent means ‘express willingness, give permission, agree’

•GPhC Standards for Pharmacy Professionals: ‘Obtain consent to provide care and pharmacy services’

21
Q

what are the two types of consent?

A

•Explicit consent
•Implied consent
- in either case consent must be active: silence is not consent, and consent must not be assumed

22
Q

when is a pre-ticked consent box ok?

A

never

23
Q

what must be provided to a patient when obtaining consent?

A

Information must be provided on the right to withdraw consent and how to do this

24
Q

is consent to process personal data the same as consent to provide a service?

A

•Consent or explicit consent is a lawful basis for processing personal data
•This is not the same as consent for service provision (consent to the activity), e.g. in a pharmacy
•Therefore you may have to ask for consent twice

25
Q

whats an example of where you may have to ask for consent twice?

A

•Consent to provide the service
•Consent to process the data associated with the service

26
Q

what must be true of a person for them to give valid consent?

A
  • have the capacity to do so
  • be acting voluntarily
  • have enough information to allow them to make an informed decision (including material risks)
  • Be capable of weighing up the information provided
27
Q

when obtaining consent what should the information be like?

A
  • Information provided should be clear, accurate and presented in a way the patient can understand
  • No assumption should be made about a person’s level of knowledge
  • Patients should be given the opportunity to ask questions
  • In an emergency, if a person needs urgent treatment and consent cannot be obtained, then treatment can be given (unless there is a valid and applicable advance decision to refuse treatment)
28
Q

when can disclosure of confidential information happen?

A
  • A patient agrees to their information being disclosed (assuming the patient has capacity to make the decision)
  • The Law requires the information to be disclosed
  • It is in the public interest to disclose the information
29
Q

when disclosing information, what information should be given?

A

only what is required

30
Q

who can request disclosure of information?

A

•The police or another enforcement, prosecuting or regulatory authority
•A healthcare regulator
•An NHS counter-fraud investigation officer
•A coroner, judge or relevant court
- they should have a legitimate reason for the request

31
Q

when are disclosures made in the public interest?

A

This could include information that is required to prevent:
•A serious crime
•Serious harm to a person receiving care or to a third party
•Serious risk to public health

32
Q

what are the risks to confidentiality in the pharmacy?

A

•Visibility of Rx forms – left in a place where other people can see them (also Rx awaiting collection)
•Visibility of the PMR screen to other people
•Having discussions about customers both in and outside of work
•Physical security breaches to the premises
•Errors when bagging/handing out/delivering prescriptions
•Shouting out patients’ details when collecting a Rx
•Security of smart cards
•Secure sign on for access to the PMR
•Lost prescriptions
•Lost keys to premises or filing cabinets
•Faxing information to an incorrect number
•Lack of encryption of electronic data
•Sending an email with data to the incorrect recipient

33
Q

give a few examples of data breaches?

A

•Access by an unauthorised third party
•Sending personal data to an incorrect recipient
•Alteration of personal data without permission
•Computing devices containing personal data being lost or stolen
•Deliberate or accidental action by a controller or processor

34
Q

what happens when a data breach occurs?

A
  • Any data breaches should be documented
  • Personal data breaches that are likely to result in a risk to a person’s rights and freedoms must be reported to the ICO within 72 hours of becoming aware of the breach
  • If there is a high risk that the breach is likely to affect the rights and freedoms of individuals, the individuals affected must be informed without undue delay
  • The IC has the power to fine controllers or processors who breach GDPR by up to 4% of global annual turnover or up to €20 million, whichever is the higher