Pharmacy Manager and GDPR

The dispensing software that we run helps pharmacies across the UK process millions of patients every single day.

We have a huge responsibility to manage that information in a safe and controlled manner. It’s a responsibility that we take very seriously and as such we have ensured that we are as GDPR compliant as possible.
 
The following statements confirm our obligations and compliance under GDPR in respect of our Pharmacy Manager PMR.
 
What type of data is stored in Pharmacy Manager?
Pharmacy Manager stores patient data relating to the provision of medicines, appliances and pharmacy services. The following list is non-exhaustive, but indicates the main categories of data stored: patient name, date of birth, NHS identification number, address, telephone number, mobile telephone number, details of prescriber(s) for that patient, any clinically significant conditions that the patient may have, details of any clinical interventions conducted on behalf of that patient, details of medication prescribed and supplied to the patient, details of appliances prescribed and supplied to the patient, details of medicines usage reviews conducted for the patient. If the patient is in a care or nursing home the record will also include the details thereof.
 
Where is the data stored?
Data stored in Pharmacy Manager is hosted and stored locally on a server at the pharmacy site.
If the pharmacy utilises CRx Defence for backup, then a fully encrypted copy of the PMR data is taken nightly and stored in secure off-site UK data centres. Access to this data is restricted to secure IS teams.
 
Who has access to the data that is stored in Pharmacy Manager?
Only the pharmacist and assigned staff have access to the data stored in Pharmacy Manager. Role-based access controls protect data from unauthorised access.
It is important to note that Pharmacy Manager provides the ability for data to be shared across sites within the same group. This data sharing requires patient consent to enable the single view of the patient within a group setting.
 
How does Pharmacy Manager allow consent to be stored?
Pharmacy Manager does not capture consent from patients for their data to be stored. Consent is implied on the basis that a dispensing activity is dependent on data from a prescription being processed through the PMR.
Levels of consent are captured for Message Dynamics to ensure that permissions are recorded for contacting patients about services appropriate to them, for example prescription-ready messages.
 
How does the system help delete personal data?
Pharmacy Manager currently holds patient data indefinitely and has no concept of patient deletion. In the context of GDPR, the expert view is that clinical patient safety requirements are more important than the right to be forgotten, so there will be no requirement to delete data at patient request. What is rather more complex is the setting of data retention policies over time, as this area is subject to many, potentially conflicting, pieces of legislation. The major pharmacy bodies have undertaken to deliver an agreed and accepted consensus on a data retention policy for pharmacy and Cegedim will provide the necessary tools for this once the requirements are better understood.

 

GDPR/NP/May 2018 v1.1