NORTH EAST LONDON LOCAL PHARMACEUTICAL COMMITTEE
ALLOCATION OF RESPONSIBILITY
Data Controller: The North East London LPC
As the data controller, the North East London LPC is responsible for implementing GDPR and is accountable for data protection.
North East London LPC Secretary/ Senior Information Risk Owner: Hemant Patel
Data Protection Officer: Rebecca Dew
For queries, concerns and requests please contact Rebecca Dew using the following details
Phone: 01277 849219
LPC Data Protection Office (DPO) responsibilities
The LPC data protection officer is appointed to ensure the data processing activities at the North East London LPC are lawful and in compliance with GDPR guidelines; to inform and advise staff on the regulations in accordance with the company policies and as a contact at the organisation for data privacy issues and requests.
The data protection officer is able to provide you with information on your rights as a data subject and support you through the process of exercising these rights.
For more information on the responsibilities of a Data Protection Officer, please visit the ICO website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-officers/
This policy applies to the data collection and handling processes of the North East London LPC, this includes the North East London Public Pharmacy Partnership division. The following outlines the type of data we process, our reasons for doing so and how we collect, use and protect this data.
TYPES OF DATA WE COLLECT
The North East London LPC deals with business data and anonymised statistics on a regular basis, this data in itself is not subject to current data protection regulation. However, personal data is collected by the LPC in relation to business data and by the Public Pharmacy Partnership division.
The North East London LPC collect the following data in relation to the business data handled in our usual practice:
- Home Address
- Personal Contact details (Phone number, mobile, personal email address)
- Personal and professional interests (such as training, clinical, political)
- IP Address (when accessing our website)
- Training attendance details
- Job title
- Work Address
The North East London Public Pharmacy Partnership collect the following information from their members and potentially website visitors:
- Home Address
- Personal Contact details (Phone number, mobile, personal email address)
- Personal interests
- Health Interests
- IP Address (through website)
LAWFUL BASIS AND PURPOSE OF DATA COLLECTION
The purpose of the data collection outlined above is for the North East London LPC to update internal records; communicate with and support contractors and pharmacy staff in their daily business, as well as provide opportunities to benefit the pharmacy and local communities across the following boroughs of North East London:
- Barking and Dagenham
- Tower Hamlets
- Waltham Forest
The activities of the North East London LPC (and PPP division) falls under the following as lawful basis for data processing
Article 6 (1) (e) “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;”
Article 6 (1) (f) “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data…”
Pseudonymised Health Data
On occasion, the LPC may be required to process pseudonymised patient data. The LPC would not be able to identify the patient by their name, address or contact information but can access health and medicine information. Therefore, this pseudonymised data falls under the scope of GDPR and is classed as a special category.
The purpose of the LPC exposing this data would be with respect to the care of the patient or potentially due to a payment or service disruption issue from a contractor, NHSE or the commissioner. This would fall under the same lawful basis as the LPC, with the addition of the following for special categories:
Article 9 (2) (b) “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;”
HOW IS DATA COLLECTED
The North East London LPC receive data from communications with contractors and commissioners, as well as NHS England, PSNC, NHSBSA and PCSE as appropriate. This information is mostly business data but may contain the personal data mentioned previously, which is therefore subject to regulation.
The North East London LPC receives personal data from our website form submissions, when attendees register for events or local health and social care staff indicate interests in training or services. The LPC also hold an annual contractor support survey to ensure our databases are up to date, these submissions may include the personal data mentioned previously.
The North East London Public Pharmacy Partnership collects personal data from members when they register. This is done in the following two ways:
- Completing an online registration form
- Completing a hard copy registration form, which is then sent to the LPC office to register electronically.
Pseudonymised Health Data – As appropriate, any data of this nature would be shared with the LPC from the data processor such as Pharmaoutcomes or Sonar Informatics. The North East London LPC would not be able identifying patients using this data.
HOW IS DATA USED
The North East London LPC (Including the NEL PPP division) uses data for the following:
- Communication to inform and support contractors, pharmacy staff and pharmacy users
- To represent contractors where appropriate
- Updating internal databases
- Advertising local training and opportunities
- Establishing health and social care training needs in the local area
- Making business cases when discussing opportunities with commissioners
Pseudonymised Health Data – is used by the North East London LPC for analysis purposes, such as at the end of a pilot to measure the need, impact, usefulness and sustainability.
DATA RETENTION & SECURITY
The North East London LPC’s digital records are stored on password protected, desktop computers in the LPC office. Access to these computers is strictly authorised employees only, to which each employee is subject to a confidentiality agreement. All desktops are routinely monitored using virus and breach detection software.
Digital records for the pharmacy is held until they are no longer an LPC contractor and for 7 years after. However, the personal details of the staff members at the pharmacy will be changed when they cease employment (once we are notified of this change). Training and event attendance information is also held by the LPC for 7 years after the event has taken place, at which point the details will be anonymised for the purposes of training analysis, your personal data will not be kept.
North East London PPP membership records are held in a password protected database in the LPC office. Membership records are erased when membership is cancelled.
Any physical, paper records are kept in the North East London LPC office, which is both locked and alarmed during non-working hours. Again, access to these records are strictly employees only.
These records are kept for the duration of the project they serve and then disposed of annually via an accredited, secure disposal company. The LPC is provided with certification for the destruction of confidential materials.
Information that is submitted to the North East London LPC website is stored on the LPC server until downloaded onto the office desktops. Once downloaded, data completely removed from the website and then adheres to the ‘digital record’ guidelines above. Only office employees have access to any form submissions.
Personal Information that is stored on the NELPPP website (membership information) is privately stored on the site on the same server as is used for nellpc.org.uk, with the consent of the member upon registration. This data will be retained until membership is cancelled, at which point a data subjects details will be removed upon request and destroyed.
Only those who work in the LPC office are exposed to your personal data. Each member of staff has signed and returned a confidentiality agree of which they must adhere to during their employment at the LPC.
Both the North East London LPC and North East London PPP will obtain your consent before storing any of your personal information.
The LPC will never sell or rent your information to a third-party organisation.
The LPC will not share your personal information to a third party without your prior consent. Once consented, the North East London LPC will only share the information agreed but cannot be held responsible for the third party’s handling and protection of the data shared. Any Third Party’s processing of data will be in accordance with their relevant privacy policies and procedures.
EXTERNAL WEBSITE LINKS
Our newsletters, emails, websites (nellpc.org.uk and nelppp.org.uk) and their associated subdomains may provide links to external sites. The North East London LPC is not responsible for the sites content, the website will be subject to its own privacy policies and procedures which you are encouraged to read in the first instance.
RIGHTS OF DATA SUBJECT
Under GDPR, as a data subject you have the following rights:
- The right to be informed on why and how your personal data is processed
- The right to request access to your personal data and information on how and why it is processed
- The right to rectify any inaccurate or incomplete personal data
- The right to the erasure of your personal information (to ‘be forgotten’)
- The right to restrict the processing of your personal data
- The right to data portability (copying or transferring your personal data)
- The right to object to the processing of your personal data
- Rights in relation to automated decision making and profiling (where there is no Human involvement)
Not all of these rights are appropriate for all data. If you have any queries, concerns or wish to exercise any of the above rights, please contact our Data Protection Officer, who will support you further.
You have the right to a copy of the data we hold for you, should you wish to request it there would be no charge for this service.
NEL LPC DETAILS
The NEL LPC represents the persons providing pharmaceutical services in the following Primary Care Trusts located within the London Strategic Health Authority area: Barking and Dagenham; Havering; Newham; Redbridge; Tower Hamlets; and Waltham Forest.
NEL LPC is an unincorporated association recognised under the National Health Service Act 2006 as representative of the pharmacy contractors in NE London areas and operates under an agreed constitution and governance arrangements. As such, it is required to act independently of all the contractors it represents but represent the general body of the contractors. In common with all LPCs, all the members and staff are bound by a standard confidentiality agreement that they are required to sign on appointment.
The North East London LPC
Registration number: ZA206705
Date registered: 21 September 2016
Registration expires: 20 September 2022
Data controller: North East London LPC
Phone: 0208 124 9006
Data Protection Officer:
Phone: 0208 124 9006