Visit our Clinical Hub ยป
07 June 2018
print version

Q. We have a lot of people who would have their prescriptions or sick certs picked up at the practice front desk by someone else for various reasons, for example, it could be an elderly parent, or a person with mobility problems. Can you please advise if this is okay to do so now that GDPR is in place?

A. It is important to be clear about the duties and responsibilities
of the data controller. You have a duty to keep the patient's information private and confidential and only to share information with a third party if patient consent to do so is in place. Thus, for example, giving a prescription out to the wrong patient would be a data breach and giving a copy of laboratory results out to the wrong person would be a data breach.

When it comes to third parties picking up prescriptions and social welfare certs on someone else's behalf, you should consider the following:

  • Does this behaviour expose the practice to a data breach?
  • If so, how can I best minimise this exposure while fulfilling my duty of care to the patient and ensuring the practice can continue to function?
  • Should all certs and prescriptions being collected by third parties go in an envelope addressed to the patient and
    marked 'private and confidential'?
  • Should I require that signed patient consent be documented in the notes before a prescription can be picked up by a third party?
  • In urgent cases, should verbal patient consent be recorded
    in the patient notes before collection by a third party?

This is a new issue and it is likely that advice will evolve
as experience is gained at the front line.