GDPR Flashcards

1
Q

When is GDPR applicable from?

A

25 May 2018

2
Q

The EU has outlined that:

A fine of up to €__ million, or _%, of the organisation’s global turnover (whichever is higher), for infringements including the failure to notify the Information Commissioner’s Office (ICO) of a data breach, and the failure to follow data controller or processor obligations.

A

A fine of up to €10 million, or 2%, of the organisation’s global turnover (whichever is higher), for infringements including the failure to notify the Information Commissioner’s Office (ICO) of a data breach, and the failure to follow data controller or processor obligations.

3
Q

Under the GDPR, data controllers will need to notify the supervisory authority (in the UK this is likely to be the ICO) of a personal data breach “without undue delay and, where feasible, not later than __ hours after having become aware of it”. Where a notification is not made within __ hours, reasons for the delay will need to be provided.

A

Under the GDPR, data controllers will need to notify the supervisory authority (in the UK this is likely to be the ICO) of a personal data breach “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. Where a notification is not made within 72 hours, reasons for the delay will need to be provided.

4
Q

What is a Data Protection Officer?

A

The GDPR will require some organisations to designate a DPO, for example, organisations whose activities involve the regular and systematic monitoring of data subjects on a large scale. The important thing is to ensure that a named individual in the pharmacy business, or an external data protection advisor, takes proper responsibility for your data protection compliance and has the knowledge, support and authority to do so effectively.

5
Q

Under GDPR, there is greater control for data subjects. Who do data subjects include?

A

Data subjects, which include any living person about whom the pharmacy holds or processes personal data, have the “right to erasure”, also known as the “right to be forgotten”. This gives patients the right to direct the Data Controller – the pharmacy – to erase any of their personal data in certain situations.

6
Q

Under Article 17 of the GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances.

How long do pharmacies have to respond to a request for erasure?

A

The GDPR introduces a right for individuals to have personal data erased.
The right to erasure is also known as ‘the right to be forgotten’.
Individuals can make a request for erasure verbally or in writing.
You have one month to respond to a request.
The right is not absolute and only applies in certain circumstances.
This right is not the only way in which the GDPR places an obligation on you to consider whether to delete personal data.

7
Q

The EU/GDPR stipulates that:
A fine of up to €__m, or _% of the organisation’s global turnover (whichever is higher), for infringements including non-compliance with orders from the ICO, failure to follow the basic principles for processing (including consent), and infringement of an individual’s rights.

A

A fine of up to €20m, or 4% of the organisation’s global turnover (whichever is higher), for infringements including non-compliance with orders from the ICO, failure to follow the basic principles for processing (including consent), and infringement of an individual’s rights.

8
Q

There will be a duty for all organisations to report certain data breaches to the ICO, and in some cases, report the data breaches to the affected individual(s). Examples of data breaches which must be reported include what? (5)

A

Damage to reputation
Discrimination
Financial loss
Loss of confidentiality
Other economic/social disadvantages.

9
Q

Under GDPR, do I need to obtain consent from each patient who presents a prescription?

A

No. Under GDPR, consent does not need to be obtained from each patient presenting a prescription for dispensing, because consent is not the lawful basis for processing.

A patient provides implied consent to enable the pharmacy to process their personal data for the purpose of dispensing a prescription. Therefore, the pharmacy’s lawful basis for processing the personal data present on the prescription is that “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.

10
Q

If a GP surgery asks for a prescription to be delivered urgently to a patient, what is the lawful basis for a pharmacy to fulfil this request?

A

The lawful basis for processing the patient’s personal data for the purpose of urgent delivery, in this case, is that “processing is necessary in order to protect the vital interests of the data subject or of another natural person”. It is advisable that the pharmacy clearly documents the lawful basis of this processing on the patient’s medication record (PMR).

11
Q

Who can be the Data Protection Officer?

Can it be the information governance lead?

A

The ICO has stated that an organisation’s DPO can be an existing employee of an organisation, or the role can be contracted out externally to another organisation. This individual’s professional duties should be compatible with their DPO duties, and there must be no conflicts of interests.

A pharmacy’s information governance (IG) lead can potentially act as the DPO, as long as the above criteria are fulfilled. This concept is similar to how the IG lead can currently be the pharmacy superintendent pharmacist, while acting independently.

12
Q

Can patients request to access their data free of charge?

A

Yes
