Do you have to hand over your personal data to a pharmacist?
At Hayes Connor, we want to reduce the number of data violations taking place across the UK. To do this, we are helping to raise awareness of data privacy matters and educating people and businesses to prevent mistakes from happening. And, after seeing some of our advice on how to keep your personal data safe, one concerned individual contacted us after being given a medication service questionnaire from her local pharmacy.
What was the problem?
The questionnaire asked for a whole range of sensitive medical information including:
- Her name and contact details
- Details of her GP practice
- A list of any medical conditions
- Whether she is pregnant
- Whether she smoked
- Any mental health requirements
- A list of the medications she takes and any side effects of these medications
- Whether she has dementia
- If she had an impairment of the liver, heart, kidneys or lungs
- Whether she has any visual or hearing impairments
- If she has any physical impairments.
Contacting Hayes Connor Solicitors with a copy of the questionnaire, the woman said: "I'm quite disturbed at the way this has been issued. There is no indication about whether the questionnaire is voluntary and I fear that many people will hand over this extremely sensitive data without question."
Does the pharmacy need this information?
Pharmacies across the UK are providing an extremely valuable service to patients while removing some of the burden from doctors. And, certainly having this information could help them to provide more tailored medical advice. But, the way in which this particular survey has been issued is worrying.
Crucially, we think that it breaks data protection laws.
What does the law say?
Unless you have been living under a rock, you will have heard about the General Data Protection Regulations (GDPR). Under the GDPR, any organisation that handles personal information such as names, email addresses, phone numbers, payment details and medical information has to put robust measures in place to keep this safe.
The more you know about the GDPR, the easier it is to make sure you hold organisations to account when it comes to keeping your data safe.
Under the GDPR you have the following rights (among others):
- The right to be informed if your personal data is being used. This includes things like why an organisation is using your data, how it is using it, what type/types of data it is using, how long the data will be kept, if it shares this data with any third parties, and more
- The right to limit how organisations use your data. You can restrict the way an organisation uses your personal data. To exercise your right you should make your request directly to the organisation in questions and be clear why you want the data to be restricted. In some circumstances you can also object to an organisation using your data at all
- The right of access to your data. You have the right to find out if an organisation is using or storing your personal data. To exercise this right all you have to do is ask for a copy of this data. This is called making a subject access request (SAR). You can make a subject access request at any time. For example, you can make a SAR if you want to find out if information is being held about you and how it is being used
- The right to get your data corrected or deleted. You can challenge the accuracy of any personal data that an organisation holds about you and ask for it to be corrected, added to, or deleted.
This survey does not provide customers with any of this information. And, to make matters worse, there is no communication explaining that providing this data is voluntary. Likewise, the pharmacy hasn't provided any details on how it will handle and keep this sensitive medical information safe, and that is very worrying.
Our advice in this situation would be to:
- Not complete the survey
- To inform the pharmacy about your apprehensions. Surprisingly in this instance it does not look like they are aware of their GDPR obligations. You can use this template letter to raise your concerns.
If the pharmacy does not respond satisfactorily you should then inform the Information Commissioner's Office.
Committed to upholding your data protection rights
At Hayes Connor Solicitors, we are committed to making sure that people across the UK understand their data protection rights, and know what they can do when these rights have been ignored, overlooked or abused.
Find out more about your rights on the ICO website.
For more advice on how to keep your data safe, you can also follow us on Twitter and Facebook.
Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses or give us a call on 0151 363 5895 to discuss your case in more depth.