GDPR Policy Primity Medical

1. Purpose

This policy ensures that Primity Medical: Pharmacy & Clinic complies with the General Data Protection Regulation (GDPR) and protects the personal data of customers, employees, and other stakeholders.

2. Scope

This policy applies to all personal data processed by Primity Medical: Pharmacy & Clinic, including information collected from customers, staff, suppliers, and any third parties. It covers data in electronic, paper, and any other formats.

3. Principles of Data Protection

If you handle personal information about individuals (patients and/or employees), you have a number of legal obligations to protect that data. These obligations are imposed under statute and common law, for example the Data Protection Act 2018 and the Common Law Duty of Confidentiality. As an employee of the company, you also have an obligation to the company to protect its data, as set out in your contract of employment. Where applicable, your professional registration sets out your responsibilities to keep confidential the information you obtain during the course of your professional practice.

We adhere to the following data protection principles as outlined in GDPR:

  1. Lawfulness, Fairness, and Transparency: Personal data is processed lawfully, fairly, and transparently.
  2. Purpose Limitation: Data is collected for specific, legitimate purposes and not used inappropriately.
  3. Data Minimisation: Only necessary data is collected and processed.
  4. Accuracy: Personal data is kept accurate and up-to-date.
  5. Storage Limitation: Data is retained only for as long as necessary for its intended purpose.
  6. Integrity and Confidentiality: Data is processed securely to protect against unauthorised access or loss.

4. Legal Bases for Processing

Company sensitive information is information relating to the business and includes contracts, minutes of meetings and financial details. Personal data means information from which a living individual could be identified. This can include (but is not limited to) name, address, age and personal circumstances. Personal sensitive data means data which could be used in a discriminatory way and is likely to be of a private nature; this includes data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health, sex life or sexual orientation. Information is confidential when it is personal information given to someone who has a duty of confidence (the pharmacy employees) in the expectation that it will not be disclosed without the consent of the provider of the information. Personal confidential information may be known or stored on any medium. Photographs, videos, etc. are subject to the same requirements as information stored in health records, on a computer, or given verbally.

We process personal data under the following lawful bases:

  • Consent: For services requiring explicit permission (e.g., marketing).
  • Contractual Obligation: To provide pharmacy services.
  • Legal Obligation: To comply with healthcare regulations and other legal requirements.
  • Legitimate Interests: For purposes such as improving services or fraud prevention.

5. Data Subject Rights

Under GDPR, individuals have the following rights regarding their personal data:

  • Right to Access: Request a copy of their personal data.
  • Right to Rectification: Request correction of inaccurate or incomplete data.
  • Right to Erasure: Request deletion of their data under specific circumstances.
  • Right to Restrict Processing: Limit the processing of their data.
  • Right to Data Portability: Obtain and reuse their data across services.
  • Right to Object: Object to the processing of their data for certain purposes.
  • Right to Withdraw Consent: Revoke previously given consent at any time.

Requests can be made by contacting Primity Medical: Pharmacy & Clinic at info@primity.co.uk.

6. Data Security

All employees, whether permanent, temporary or contracted, are responsible for ensuring that they remain aware of the requirements incumbent upon them for ensuring compliance on a day-to-day basis.

We implement robust security measures to protect personal data, including:

  • Encrypted electronic records.
  • Controlled access to patient records and staff information.
  • Secure storage for physical documents.
  • Regular staff training on data protection policies and procedures.

7. Data Sharing and Third Parties

Personal information may be disclosed on the basis of informed consent where the disclosure is necessary for healthcare purposes and is undertaken by a health professional or a person owing an equivalent duty of confidentiality. The pharmacy will inform patients, employees and any other data subject why, how and for what purpose personal information is collected, recorded and processed. This will be achieved through leaflets available or posters displayed in the pharmacy, via any online privacy policy, or face to face in the course of a consultation.

Explicit consent of the data subject will be required where a disclosure of personal information is not directly concerned with the healthcare/treatment of a patient, e.g. medical research, health service management, financial audit, personnel data, or where disclosure is to a non-healthcare professional. Explicit consent may be given in writing or verbally. A basic explanation of what information is to be disclosed, why, and what further uses may be made of it must be provided to the person, together with a description of the benefits that may result from the proposed sharing of information and any risks if consent is withheld.

Under common law, personal information may be disclosed without consent in certain circumstances, for example:

  • In order to prevent abuse or serious harm to others.
  • Where the public good that would be achieved by the disclosure outweighs both the obligation of confidentiality to the service user concerned and the broader public interest in the provision of a confidential service.

All requests for disclosure without the consent of the data subject, including requests from the Police, should be referred to Primity Medical: Pharmacy & Clinic. All third parties are vetted to ensure compliance with GDPR.

8. Data Retention

We will keep written records of processing activities which are high risk, i.e. which may result in a risk to individuals’ rights and freedoms or involve sensitive personal information or criminal records information, including:

  • the name and details of the employer’s organisation (and where applicable, of other controllers, the employer’s representative and DPO);
  • the purposes of the processing;
  • a description of the categories of individuals and categories of personal data;
  • categories of recipients of personal data;
  • where relevant, details of transfers to third countries, including documentation of the transfer mechanism safeguards in place;
  • where possible, retention schedules; and
  • where possible, a description of technical and organisational security measures.

9. Breach Management

If a data breach occurs:

  1. It will be reported to the Data Protection Officer (DPO) immediately.
  2. Affected individuals will be notified if there is a high risk to their rights and freedoms.
  3. Serious breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours.

10. Responsibilities

Data Protection Officer (DPO): Oversees compliance with GDPR and acts as the point of contact for queries.

All Employees: Must follow this policy and report any data breaches or concerns promptly.

11. Accountability and Responsibility for this Policy

The designated Information Governance Lead in the pharmacy is responsible for overseeing and coordinating Information Governance and confidentiality within the pharmacy on a day-to-day basis. This includes ensuring ongoing compliance with the policy and its supporting standards and guidelines.

Contact Information

For questions or concerns regarding this policy, please contact:

Data Protection Officer: Nathaniel Makuwi

Email: nathaniel.makuwi@primity.co.uk

Phone: 01509734217