Who Owns the Patient Data?

By Quintus Liu, CEO and Data Protection Officer

We often get asked this question by our pharmacy customers. The short answer is: the patient owns their own data. But we think the real reason that pharmacies ask this question is that they’re uncertain about the relationship we have with patient data. We completely understand this - Healthera is a new, innovative solution in the market that aims to help upgrade the pharmacy’s experience, and as a new entity it is our responsibility to give our customer base the full, honest picture of all aspects of our business.

We hope this blog will not just answer your question, but candidly paint a picture that explains the relations that patients, pharmacies, and Healthera have with data under GDPR.

Patients are data subjects. Under GDPR they have the ultimate control over their own data, which means they can opt-in/opt-out of services and ask for their data to be deleted. Organisations need their consent in order to process their data, and only for purposes that they agree to.

Under GDPR, organisations must safeguard and protect personal data that they handle. No organisation technically owns personal data anymore. Organisations simply process personal data and must comply with GDPR by upholding the rights and freedoms of the data subjects.

When the pharmacy takes responsibility over the patient’s prescriptions and healthcare needs, the pharmacy is the data controller and it must protect and safeguard the patient’s data both offline and the data they receive through the Healthera platform. In conversational terms, the pharmacy “owns” the patient data because patients have shared their data with the pharmacy, and have given their consent for the pharmacy to operate with the data.

When Healthera processes patient data, we also have data controller responsibilities because we store patient data and ensure that it is electronically protected on our database and platform, employing data protection controls such as encryption, authentication, and others as and when required.

Ultimately, being a data controller is our legal obligation due to the level of service we provide. It is a byproduct of our technical responsibility, not a choice we can opt in or opt out of. It means we have an even greater responsibility to protect your patients’ data. This does not change or take anything away from the relationship between pharmacies and patients.

 

Why is Healthera a data controller?

Under GDPR, organizations must operate as either a data processor or a data controller. As part of our implementation for GDPR, we have looked carefully at how we process data relating to patients and pharmacies through Healthera. From that analysis and taking into account UK and EU-wide regulator guidance, industry practice and legal advice, we've determined that we act as a data controller in respect of patients.

These are the differences between the two:

  • Data processors process personal data on behalf of the controller, but they don’t decide the purpose (the ‘why’) or the means (the ‘how’).
  • Data controllers determine the purpose of the processing and the means to achieve that purpose. Essentially they decide why and how the processing should take place.

In order to help our customer pharmacies achieve their end purpose of helping patients manage medication, repeat prescriptions, and facilitating communications, Healthera has designed a sophisticated software system which makes a number of determinations on the purpose (“why”) and means (“how”) patient’s data is used.

As we’re improving our healthcare platform day by day, we must make more decisions on how to use personal data to meet all the relevant requirements of our pharmacies and patients. For example, we must:

  • Decide the data schema and graphic user interface for patients to input their personal and medication data, and obtain their permission to share their data with their chosen pharmacies and GP’s
  • Set up medication alarms for patients using an algorithm according to how the patients enter their medication schedule
  • Periodically change the way data is collected, and what data is collected, in order to comply with national and international requirements (GDPR)
  • Comply with local regulatory requirements, automatically routing patient-initiated prescription requests to GP clinical systems and Prescription Ordering Direct services where necessitated by the local NHS CCG’s

With all these logical decision and designs, it is quite clear that Healthera, on the architectural level, decides the purposes and means of processing personal data, and therefore is legally required to be the data controller. It would not be possible for Healthera to offer these services otherwise.

 

What does it mean for you as a Healthera pharmacy customer?

Largely, it means our pharmacy customers can expect the comprehensive digital service from us that they currently receive. Being a data controller also allows us to better support your patients when they get in touch with us. For example, when patients call or message us to ask for guidance on setting up their medicines, finding their pharmacy, or to enquire about the status of their repeat prescriptions, we can provide them with clear and accurate support, helping ease the pharmacy’s workload. It also allows us the potential to provide pharmacies with more sophisticated services in the future, maximising the value of each patient engagement.