The 8 rights of data subjects
Data subjects (individuals) have enhanced rights under GDPR. When you collect data, you must inform the individual about the processing of their data and their enhanced rights. There are 8 key rights. Not all of these are absolute, and some may only be applicable in certain circumstances.
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
The right to be informed means you must provide data subjects with various pieces of information about the data processing activities you carry out. This is usually in the form of a privacy notice which must be concise, transparent and use clear and plain language.
The right of access (often called a subject access request) means this information must now be provided free of charge and within one calendar month. You would need to verify the identity of the person making the request.
The right of rectification means data subjects can have their personal data rectified if it is inaccurate or incomplete.
The right to erasure (often called the right to be forgotten) gives an individual the right to have data erased/deleted in certain circumstances. It’s worth remembering that this is only applicable in certain circumstances – they do not have an absolute right to erasure.
The right to restrict processing: Individuals have the right to restrict the processing of their personal data where they have a particular reason for wanting the restriction. This may be because they have issues with the content of the information you hold or how you have processed their data. In most cases you will not be required to restrict an individual’s personal data indefinitely but will need to have the restriction in place for a certain period of time.
The right to data portability gives individuals the right to receive personal data they have provided to a controller in a structured, commonly used and machine-readable format. It also gives them the right to request that a controller transmits this data directly to another controller, e.g. changing pharmacy prescription records from one pharmacy to another.
The right to object: Article 21 of the UK GDPR gives individuals the right to object to the processing of their personal data at any time. This effectively allows individuals to stop or prevent you from processing their personal data. An objection may be in relation to all the personal data you hold about an individual or only to certain information. It may also only relate to a particular purpose you are processing the data for.
Rights in relation to automated decision making and profiling refers to automated individual decision-making (making a decision solely by automated means without any human involvement) and profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
You can only carry out this type of decision-making where the decision is:
- necessary for the entry into or performance of a contract; or
- authorised by domestic law applicable to the controller; or
- based on the individual’s explicit consent
So how do these 8 rights apply to pharmacy?
For example, you may be asked to provide a copy of any information held on the individual, e.g. a PMR record. Alternatively, you may be asked to correct information. This may be done via a note of correction, as some information will need to be held even if incorrect, e.g. a record of what was on a prescription or dispensed.
Another example could be automation in pharmacy using electronic Repeat Dispensing (eRD) where the prescription is dispensed prior to the patient arriving at the pharmacy. The GP (with initial consent from the patient) authorises a certain number of repeat prescriptions over a set time period and the patient collects from the pharmacy when needed. A separate prescription is not needed each time and the patient doesn't have to order the prescription from the GP surgery each time.
NOTE: Always notify your DPO of any requests – do not try to process them yourself!