In Services development

Follow this topic

Bookmark

Record learning outcomes

The data held within pharmacy patient medication records (PMRs) and the SCR both constitute ‘sensitive personal data’

Pharmacy law practitioner Richard Hough explains what access to the SCR means for pharmacy professionals in terms of legal requirements

The Health and Social Care Information Centre (HSCIC) and NHS England have announced that pharmacy professionals in community pharmacies in England will be given greater access to patients’ medical records.

Community pharmacy professionals will be given the opportunity to access the summary care record (SCR), which provides key clinical information about a patient, sourced from the patient’s GP’s records. Implementation is expected to begin in autumn 2015. More than 96 per cent of the population have an SCR, which is used by authorised healthcare professionals, with the patient’s consent, to support their care and treatment.

It is hoped that by allowing community pharmacy professionals to access the SCR, the need to signpost patients to other NHS care settings and for patients to contact their GP will be reduced. The GPhC is supportive of the move, saying it believes giving patients the choice to allow pharmacy professionals to access their records can help them to receive better care.

Whilst there may be some resistance from GPs and patients to pharmacy professionals having greater access to patient medical records, such concerns are largely unjustified, as access to, and processing of, such data is strictly controlled by the pharmacy’s information governance requirements and data protection legislation.

Handling sensitive data

The data held within pharmacy patient medication records (PMRs) and the SCR both constitute ‘sensitive personal data’ for the requirements of the Data Protection Act 1998 (the DPA). Schedule 1 of the DPA requires personal data to be processed ‘fairly and lawfully.’ The definition of ‘processing’ in relation to personal data includes the obtaining, recording and holding of data and the performance of any operation on the data, acts which are all already routinely undertaken by pharmacists in relation to the PMR.

In order for personal data to be processed ‘fairly and lawfully’, at least one of the conditions in Schedule 2 and, in the case of ‘sensitive personal data’, one of the conditions in Schedule 3 must be fulfilled. This latter requirement is of relevance to pharmacists’ access to PMRs and SCRs because the term ‘sensitive personal data’ includes data consisting of information relating to the data subject’s ‘physical or mental health or condition’.

Schedule 2 criteria include the requirement that the processing must:

1. Take place with the data subject’s consent
2. Be necessary for compliance with a legal obligation that applies to the data controller, or
3. Be necessary for the exercise of a statutory, governmental or public function.

Schedule 3 criteria include the requirement that any processing of ‘sensitive personal data’ in patient records must be:

1. Done with the explicit consent of the patient, or
2. Deemed ‘necessary for medical purposes’.

The distinction made between a ‘data controller’ and a ‘data processor’ under the DPA is also significant in relation to pharmacists’ access to the SCR. Whereas a ‘data controller’ is defined as the person who determines the purposes for which, and the manner in which, any personal data is processed, a ‘data processor’ is any person who processes the data on behalf of the data controller.

Data processors are not directly subject to the DPA, however most data processors will be data controllers if they process the data for their own administrative purposes. It would seem that pharmacists would be ‘data controllers’ of the data contained in the SCR and would therefore be subject to the requirements of the DPA, breach of which can lead to fines of up to £500,000, which in itself is a significant incentive to ensure that the strict protocols for accessing the SCR are followed.

Online medicines sales

Since July 1, any UK-based online retailer that sells medicines to consumers within any European Economic Area (EEA) country has had to be registered with the Medicines and Healthcare products Regulatory Agency (MHRA). They must also display the EU common logo for online retailers and pharmacies, together with a hyperlink to the retailer’s entry in the MHRA’s list of registered retailers, on every page of their website that offers to sell medicines to the public. These new requirements also apply to companies selling medicines through a third-party marketplace website.

Only one company can be named on each registration, but multiple websites can be registered against that company’s registration. The aim of the new requirements is to help the public check whether the website they are visiting can legally sell medicines and reduce the risk of buying counterfeit products.

The EU common logo was introduced under the Falsified Medicines Directive, which is transposed into UK law through amendments to The Human Medicines Regulations 2012. This is a different scheme to the one run by the GPhC. The EU common logo is a legal requirement across Europe whilst the GPhC runs a voluntary logo scheme, which is applicable only to registered pharmacies.

The penalty for selling medicines online without being registered and not displaying the common logo is up to two years in prison or a fine, or both.

Richard Hough is partner, pharmacist and head of healthcare at Brabners LLP. Contact him on 0151 600 3302, or at richard.hough@brabners.com.

Richard is running 12 marathons over 12 months for Alder Hey Children’s Charity. Follow his progress at www.justgiving.com/monthlymarathon.