Skip to content


05 May 2017

Whose data is it anyway?

Pharmacists hold a lot of information about their patients.  Indeed the law requires pharmacists to keep records of every supply of a prescription medicine, and NHS pharmacies must keep and maintain records of the services provided.

The most obvious issue that will arise in most people’s minds when we think about patient data is the Data Protection Act, but there are other sources of guidance and obligations, including from the GPhC Code of Ethics and NHS Codes.

There are several broad principles that can be drawn from these various sources that must be considered in relation to patient data:

  1. it must be held and used fairly and lawfully
  2. it should be obtained only for one or more specified and lawful purposes, and should not be further used in any manner incompatible with that purpose or purposes.
  3. it should be adequate, relevant and not excessive
  4. it should be accurate and kept up to date
  5. it should not be kept for longer than necessary
  6. appropriate measures must be in place to prevent unauthorised or unlawful access or use

Where information is held by the pharmacy, it should only be used where there is consent.  In many circumstances, consent may be implied (for example, it will be assumed that patients consent to information about their medication history being stored on the PMR and accessed by the pharmacist or their staff, or information being shared with other health professionals where this is necessary).

Patients should be provided with or have made readily available to them the purpose(s) for which the data are intended to be processed.  For pharmacists, that usually means having a paragraph about data use in the practice leaflet.

Once patient data has been obtained, a pharmacist is under an obligation to use it where it is necessary or desirable to do so “in order to facilitate the continued care of the patient”. 

This raises an interesting question: what is the scope of the obligation to use PMR data “to facilitate the continued care of the patient”, particularly in the context of the specific conditions mentioned in the Terms of Service?

The NHS Terms of Service in England require that where a person presents a prescription and it appears that the person has diabetes, is at risk of coronary heart disease, especially those with high blood pressure or smokes or is overweight, the pharmacist must provide advice to that person with the aim of increasing that person’s knowledge and understanding of the health issues which are relevant to that person’s personal circumstances. 

Advice may be backed up by provision of written materials or referral to other sources of advice. 

Pharmacy owners who provide NHS services are therefore under an obligation to use information on their PMR to provide their patients with information relevant to their health.  How information is provided to patients will, of course, depend on the needs of each patient.  However, pharmacy owners might consider contacting patients (for example by post or email) to provide relevant information.  This might include information regarding services that the pharmacy provides which are, or are likely to be, of benefit to the patient.

Care should be taken with such mailshots. For example, the pharmacy owner would want to avoid excessive mailing, which may be more likely to lead to complaints.  Also, mailshots should avoid including any specific information about the patient’s condition or medication because there is a risk that mail might be delivered to the wrong address or opened by another person in the household.

If patients request to opt-out of receiving this information, then this preference should be recorded and adhered to.

Whilst patients may be assumed to have consented to being contacted in this way because of the obligations on pharmacy owners within the Terms of Service, implied consent may not be assumed for patient data to be used in other ways.  For example, it is unlikely that consent would be implied for the pharmacy owner to send patient information to a third party marketing company which will then contact patients about matters unrelated to their health.

In conclusion information held by the pharmacy can and should be used.  Using information appropriately can bring benefits not only to the patient, but also to the pharmacy.  Patients will be better informed about their health and the services available to them, and the pharmacy has an opportunity to promote its services and build patient loyalty. 

However, if pharmacists overstep the mark, there can be serious consequences.  Care should therefore be taken to ensure that patients are fully informed about how their data will be used, and preferences should be recorded and respected.  If in doubt, explicit and informed patient consent should be obtained or advice sought before the data is used.

This article was written by Noel Wardle. For more information please contact Noel on +44 (0)20 7203 5065 or at

A previous version of this article was published by P3 magazine in August 2016. This article was also published in Pharmacy Business magazine April 2017.