Finally, if you wish to sell personal data to third party organisations, explicit informed consent must be obtained from the patient. Such consent is unlikely to have been fairly obtained through use of an opt-out tick box (unless it is accompanied by a properly drafted consent statement), so using explicit opt-ins is generally considered a safer approach.

Despite being in force for nearly 20 years, the DPA remains a minefield for the unwary. Whilst Pharmacy2U has accepted the consequences of its actions, it is certainly not alone in falling foul of the DPA’s requirements.

We have also recently represented a healthcare practitioner whose attempts at implementing best practice and reducing errors led him unwittingly into the DPA minefield. Innovation and revenue generation are understandable goals for pharmacy businesses but if the utilisation of patient data forms part of these goals, don’t be tempted to turn a blind eye to the DPA.

Activity

Consider what types of patient data you hold, how it is collected, stored and used. Do all your processes for collecting, storing and handling patient data meet the eight principles of the Data Protection Act?

Plan how you could use the patient data that you hold to market a new service while ensuring you meet all relevant data protection requirements.

Author Richard Hough is partner, pharmacist and head of healthcare at Brabners LLP.
Contact him on 0151 600 3302, or at richard.hough@brabners.com