We would like to place strictly necessary cookies and performance cookies on your computer to improve our website service.
To find out more about how we use cookies and how you can change your cookies settings, please read our  cookies statement.                
Otherwise, we'll assume you are OK to continue.   Please close this message

Moving patient data outside of the pharmacy

30 August 2016

Strict governance procedures apply to transferring patient data. It's vital to understand what you can and can't do.

In a previous article we have discussed the issues that pharmacists should consider prior to using their patients’ data, for example when sending targeted emails or letters promoting self care or encouraging use of a relevant service.

Patient data will usually be held at the place it was created: in the pharmacy itself. However, while an individual pharmacy can of course contact its patients directly, it may wish to do so from a location other than where data is stored, such as a head office or even a third party communications company. There are important data protection principles to consider when moving data around in this way.

One key issue is whether the pharmacy holding patient data can legally remove it from the pharmacy and disclose it to another location. Generally speaking, if the owner of a chain of pharmacies can be considered one entity (such as a company) under the NHS Terms of Service, the requirement to keep and maintain records should allow data to be passed between the different pharmacies within the chain.

Under the Data Protection Act, if a company that is also the data controller owns all pharmacies in a chain, then data may be passed between those pharmacies without significant restriction. But passing patient data to an outside organisation will engage further provisions of the Data Protection Act and must be considered carefully. Explicit, informed consent by each patient will usually be required.

In addition, the law requires that only ‘authorised persons’ (broadly, those who have a legitimate need to do so and who owe a duty of confidentiality) can handle patient data.

It is also important to remember that patient data must always be kept securely. If data is being moved, even between related pharmacies, strict data governance procedures should be in place.

This article was originally published by P3 Pharmacy Magazine on the 25th August 2016.

This article was written by Andrew Sweetman.
For more information please contact Andrew on +44 (0)20 7203 5044 or andrew.sweetman@crsblaw.com.