What do I have to provide or do at the request of the data subject under the GDPR? #GDPR

Data subjects had various rights under the Data Protection Act 1998 and broadly, these rights remain and are developed and clarified under the GDPR. Some rights only apply to personal data which is collected by consent, on the basis that if you consent to the collection of data you ought to be able to retract that consent. The key rights that data subjects have are:

  1. Right of access – the data subject has a right to obtain from you a copy of the personal data you hold on the person (e.g. from the PMR), free of charge on the first occasion, and the following information:
     • Purpose of the processing
     • Categories of personal data concerned
     • To whom you disclose the data
     • How long the data is stored or how this is calculated
     • The existence of the right to rectification or erasure (not erasure for health data)
     • Right to lodge a complaint with the ICO
     • If not collected from the data subject, where the personal information came from
     • Additional information related to automated decision-making and transfer of personal data overseas
  2. Right to rectification – the data subject may ask for incorrect or inaccurate information to be corrected, which may be more appropriate by way of a supplementary statement, because, for example, the record of what was prescribed or dispensed may need to be retained for professional or legal reasons.
  3. Right to erasure – particularly relevant if the only ground for processing personal data is consent (or explicit consent if the information is special category personal data). The right to erasure does not apply to data concerning health.
  4. Right to restrict processing – in some cases the data subject may restrict your normal processing and may, for example, ask you not to delete data you would otherwise delete because the data subject needs the data for a legal case.
  5. Right to have others notified of any rectification, erasure or restriction – any rectification, erasure or restriction must be notified to each person to whom the data has been disclosed unless this proves impossible or would involve a disproportionate effort.
  6. Right to data portability – this applies only where the processing is based on consent or a contract (and therefore in most cases should not apply to data concerning health).
  7. Right to object – which could apply to pharmacies – in which case the pharmacy should provide a copy of the fair processing notice and will need to show in the specific case that it has compelling legitimate grounds for processing the personal data that override the interests, rights and freedoms of the data subject; or the pharmacy may retain the data for the establishment, exercise or defence of legal claims.

View our GDPR page for more information