The costs of a Data Protection Officer (DPO) are likely to be ‘disproportionate to the benefits’, the Pharmaceutical Negotiating Committee (PSNC) has said.
PSNC is concerned that the General Data Protection Regulation (GDPR) requirement for a DPO would be ‘inappropriate for smaller pharmacy businesses, where the costs of engaging a DPO are likely to be disproportionate to the benefits’.
As stated in the Data Protection Bill, all primary care providers – which are considered as public authorities – must appoint a DPO regardless of their size.
This is despite the GDPR only requiring a DPO appointment if an organisation’s core activities ‘consist of large scale processing of special categories of data’, including healthcare data, according to the UK’s independent authority Information Commissioner’s Office (ICO).
‘Avoiding quirk of legislation’
PSNC director of operations and support Gordon Hockey said that ‘we must avoid a quirk of legislation leading to unnecessary expense for community pharmacy’.
He continued: ‘It is reasonable to ask those processing health data on a large-scale to have a DPO, but not smaller community pharmacies.
‘This burden would also come at a time when many pharmacy owners are experiencing cost pressures following funding cuts and increases in medicine prices.’
‘Unreasonable and unnecessary burden’
In a letter – calling on the Government to exempt NHS primary care providers from having a DPO – the PSNC, the National Pharmacy Association, the British Dental Association and the Optical Confederation said that ‘the Bill would put an unreasonable and unnecessary burden on small NHS primary health care providers, which are also private businesses’.
They added: ‘The DPO requirement in Clause 7 of the Bill is unlikely to provide any practical benefit for patients – whether in terms of care or improving data security.’
A DPO’s tasks include providing advice on the carrying out of a data protection impact assessment, conducting audits and training staff involved in processing operations among others.
The changes to GDPR will come into force in UK law on 25 May.
Have your say
Please add your comment in the box below. You can include links, but HTML is not permitted. Please note that comments are not moderated before publication and the views expressed are those of the user and do not reflect the views of The Pharmacist. Remember that submission of comments is governed by our Terms and Conditions. You can also read our full guidelines on article comments here – but please be aware that you are legally liable for any libellous or offensive comments that you make. If you have a complaint about a comment or are concerned that a comment breaches our terms and conditions, please use the ‘Report this comment’ function to alert our web team.