GDPR issue in Pharmacy

cnocbui

Kinslee Angry Scrabble wrote: »

No no, sorry if I’m not clear.
I walked into the chemist. Lady approached me, I greeted her with hello and she responded and was really rude to me. I looked at her for a second and she was staring me down. I said, actually I’ll leave it. She replied “okay so” and I walked out. I rang pharmacy and spoke to manager who apologized and said she’d address it with staff member.

Few days later staff members brothers girlfriend posted it publicly to find another chemist to torment and when I messaged her privately (naming the chemist asking when she became spokeswoman) she screenshot it and shared it on social media. She followed it up with “please leave my in laws alone”

I wouldn't say that is a GDPR issue in any way, it is however a breach of professional ethics on the part of the Pharmacy, which is likely as big an issue as a GDPR breach would be. If it had involved any details about your reason for being in the chemist - wanting to buy something only available in a chemist - then that probably would make it a GDPR issue. If you had got as far as telling the employee what you were after, then you might be expected to justifiably have a suspicion that the employee might have divulged that to a third party, making it a GDPR issue.

Sleeper12

the_pen_turner wrote:

the woman went outside her job and told a 3rd party that the OP has made a complaint against a staff member at x pharmacy.

That's not is in the opening post.

Opening post does not mention that op made a complaint. Opening post says that the fact that he/she was in the shop. I am finding some of OPs posts a little confusing tbh

the_pen_turner

Sleeper12 wrote: »

That's not is in the opening post.

Opening post does not mention that op made a complaint. Opening post says that the fact that he/she was in the shop. I am finding some of OPs posts a little confusing tbh

fair enough but it is in post 14

Dav010

Darc19 wrote: »

Some posters are reading "pharmacy" and not reading the OP.

The op was not getting any medical requirements and therefore no data was accessed by the sales assistant. It was purely a retail transaction and the assistant knew the op's name from either talking to her or through people they both knew.

Therefore gdpr simply does not come into the equation.


Now, if the OP went in with a prescription and the assistant took the details from that data source, it would be a gdpr matter. But they didn't, so gdpr is not breached.

Rubbish.

By your rationale, only discussions relating to an illness with your GP would be confidential or subject to GDPR. Complete tosh. The op is a long standing patient at the Pharmacy, and as such has an expectation that what was said, and their name would not be passed on to a third party.

Pharmacies are covered by the same confidentiality and GDPR regs as other health care providers.

TheDriver

Was the OPs data shared with a 3rd party? Unknown.
What is for certain is a confrontation or bahaviour. That's not data, it's unprofessional gossip. Data commissioner wouldn't even look at this but the chemist owner should.

Dav010

TheDriver wrote: »

Was the OPs data shared with a 3rd party? Unknown.
What is for certain is a confrontation or bahaviour. That's not data, it's unprofessional gossip. Data commissioner wouldn't even look at this but the chemist owner should.

Yes it is data. Her name was passed on to a third party, and details of the interaction.

A pharmacy cannot for instance pass your name onto a third party with out your consent for marketing based on your interaction with the pharmacy, why would you think this would be different?

banie01

Kinslee Angry Scrabble wrote: »

No no, sorry if I’m not clear.
I walked into the chemist. Lady approached me, I greeted her with hello and she responded and was really rude to me. I looked at her for a second and she was staring me down. I said, actually I’ll leave it. She replied “okay so” and I walked out. I rang pharmacy and spoke to manager who apologized and said she’d address it with staff member.

Few days later staff members brothers girlfriend posted it publicly to find another chemist to torment and when I messaged her privately (naming the chemist asking when she became spokeswoman) she screenshot it and shared it on social media. She followed it up with “please leave my in laws alone”

That makes more sense as to why you feel you have a GDPR concern.
That the assistant shared the details of the complaint or its circumstance is more serious.

As your name was shared online in relation to that complaint by a 3rd party an unlawful disclosure may have occured.

However, I would assume that the liabity for it rests solely with the assistant rather than the pharmacy.
The pharmacist is unlikely to have disclosed the OPs info to the assistant during whatever complaint handling took place
It should be a discussion as to what happened and when, rather than the who.

The assistant then knows "ah, the OP dropped me in it" bitched to her sister and then it took legs.

The Pharmacy data handling was very likely correct.
That doesn't excuse the assistant from liability to disciplinary action from her employer or from personal defamation action.

The pharmacy liability for enforcement via GDPR will end with them ensuring their policy is correct and offering an apology for an errant action by a likely former employee, or confirming training in their GDPR policy should they not be dismissed.

hullaballoo

hullaballoo wrote: »

The irony of people tut tutting and saying things like "read up on GDPR before you bandy the term about" etc is delicious.

As ever the cluelessness around GDPR abounds amongst the amateur enthusiasts.

This is squarely and 100% a GDPR issue. It just also happens to be problematic for the pharmacy for numerous other reasons such as straightforward patient confidentiality and customer service.

But it is a GDPR issue too. And a serious one. I'm not surprised the pharmacy owner is taking it seriously because they are potentially in hot water on a number of fronts here.

I'm a pharmacist. This isn't a GDPR breach. Patient confidentiality, potentially if the person who made the breach has a regulator.

Dav010

[Deleted User] wrote: »

I'm a pharmacist. This isn't a GDPR breach. Patient confidentiality, potentially if the person who made the breach has a regulator.

I’m surprised, and concerned by your reply, If a staff member at my clinic divulged info about a patient, including their conduct, it would be a serious issue. . It might be worth googling the case I referred to earlier about a receptionist who discussed patients treatment and behaviour at a party, I am sure you are aware of the case, it was high profile.

As the pharmacy owner, you are the data controller, and responsible for your staff.

Dav010

Dav010 wrote: »

I’m surprised, and concerned by your reply, If a staff member at my clinic divulged info about a patient, including their conduct, it would be a serious issue. . It might be worth googling the case I referred to earlier about a receptionist who discussed patients treatment and behaviour at a party, I am sure you are aware of the case, it was high profile.

As the pharmacy owner, you are the data controller, and responsible for your staff.

Was patient's medical issues discussed? I don't believe so. How could you prove that the worker in the shop definitely gave the information? Like if it was a shop attendant in spar, would there be this hand wringing occuring?

If you have concerns about my practice. I will gladly.give you my PSI registration number and you can make an official complaint.

qo2cj1dsne8y4k

Well considering the complaint was made over the phone the only people privvy to it was
- me
- the pharmacist
- the staff member

There was no show down, no confrontation. I left the store, politely. The staff members brothers squeeze had it up on her Facebook. If I didn’t tell her, and the pharmacist didn’t tell her, it leaves one person

Kinslee Angry Scrabble

Kinslee Angry Scrabble wrote: »

Well considering the complaint was made over the phone the only people privvy to it was
- me
- the pharmacist
- the staff member

There was no show down, no confrontation. I left the store, politely. The staff members brothers squeeze had it up on her Facebook. If I didn’t tell her, and the pharmacist didn’t tell her, it leaves one person

But can you prove this?

Dav010

[Deleted User] wrote: »

Was patient's medical issues discussed? I don't believe so. How could you prove that the worker in the shop definitely gave the information?

If you have concerns about my practice. I will gladly.give you my PSI registration number and you can make an official complaint.

Are only medical related issues covered by GDPR when discussing them with a GP, Dentist, Pharmacist? They most certainly are not. All personal data, including confidential conversations are covered.

I am astonished.

qo2cj1dsne8y4k

Deleted User wrote: »

But can you prove this?

Yes!

The cctv will show I spoke to the lady for approx 10 seconds and left. The pharmacist called me back, and apologized so she will be able to clarify who she told or spoke to about it.

Dav010

[Deleted User] wrote: »

But can you prove this?

The op was the only one in the chemist, the person who posted it on Facebook has a close relationship to the employee involved.

Sleeper12

Post 14

Kinslee Angry Scrabble wrote:

I went in there for a medical reason, yes. She was behind the dispensary when I walked in and she walked out to me and was rude, I left and complained and now her brothers girlfriend has it publicly on Facebook that I should find another chemist to torment.

the_pen_turner wrote:

fair enough but it is in post 14

Post 14 does not say that they posted online that she complained. It says that they say op ne to find another chemist.

This is new information posted only a few hours ago. If they did post on Facebook that she complained then that could definitely be a GDPR breach. But up until a few hours ago it seemed that the only supposed breach was stating that op was in a public place and that wouldn't be a breach.

No offence to op but I find some posts hard to make out.

ebbsy

Were ye in for the blue pills Op ?

Sleeper12

Kinslee Angry Scrabble wrote:

Few days later staff members brothers girlfriend posted it publicly to find another chemist to torment and when I messaged her privately (naming the chemist asking when she became spokeswoman) she screenshot it and shared it on social media. She followed it up with “please leave my in laws aloneâ€

I read here that you shared the data with the sales assistant as a private citizen and not as a staff member of the shop. You messaged her personal account and not the business. This is a conversation between two private citizens and she can share what she wants. That's not to say that I agree her actions

This is how I see it. I'm not taking sides & genuinely feel op has be treated terribly & bullied. I genuinely worry that this nutcase won't stop the online bullying even when sacked.

The Hound Gone Wild

GDPR covers the collection and storage of your data and your ability to manage that data. So your PMR falls under GDPR, however, a staff member of a Pharmacy posting about you on Facebook about a complaint made against them is not covered.

The Pharmacist is ethics bound to not discuss your medical information unless it's in your best interest. As far as I can tell no medical information has been disclosed.

The behaviour is entirely unprofessional and I'd be having a serious word with the person concerned (upto and including dismissal) if it were my staff but nothing illegal has happened.

hullaballoo

Deleted User wrote: »

I'm a pharmacist. This isn't a GDPR breach. Patient confidentiality, potentially if the person who made the breach has a regulator.

Don't know many people who would go to their pharmacist for legal advice, with every respect.

I'm a barrister who specialises in data protection. I have a masters in it and advise large multinationals on this stuff.

It is very much a data protection issue.

What I think people don't grasp is the level of safeguards around sensitive data. Maybe it's a case of unintended consequences but the GDPR expressly regulates scenarios many people treat with casual disregard. Including gossiping about "torments" in work if you work in healthcare.

As for proving x, y or z about it. The standard of proof for these things isn't "establish as a matter of absolute objective truth". It's on the balance of probabilities and on balance, the fact that the complaint/altercation was made known to a third party and published establishes in the absence of any evidence to the contrary that a breach occurred.

AndrewJRenko

Deleted User wrote: »

I'm a pharmacist. This isn't a GDPR breach.

Is GDPR within your professional competence?

Sleeper12

hullaballoo wrote:

It is very much a data protection issue.

Exactly what data that was collected & stored by the business was shared?

OP sent a private message to the woman's private Facebook account and not the business account. OP then revealed to a private citizen that she reported it to her boss. Sales assistant then shared this information on Facebook.

FutureTeashock

Sleeper12 wrote: »

Exactly what data that was collected & stored by the business was shared?

OP sent a private message to the woman's private Facebook account and not the business account. OP then revealed to a private citizen that she reported it to her boss. Sales assistant then shared this information on Facebook.

The source of this river of misery originates from the Pharmacy, where all data concerned is at risk due to the employees' access to said data.


The angry employee had the potential to access and release sensitive medical data and, given the behavior of said employee, that is absolutely plausible.


I wouldn't feel my data was secure with the employee who plastered this matter over facebook.


My judgement: GDPR breach.

Cee-Jay-Cee

Dav010 wrote: »

Op, Can we take it for granted that the info did not come from another customer in the shop?

To those who say this is not a GDPR issue, you are incorrect. Also, it could be more serious than that for the pharmacy, a customer has a right to expect confidentiality when getting medications, this includes the conversation.

In this case, the op was identified, and private details about the conversation were given to another member of the public by a staff member. If you google, you will find a well publicised case of where a member of staff at a health clinic discussed details about treatments and personality of patients at a party, a few mins later those details were on Facebook, the clinic is now closed.

The potential downside for you op, is that if you have a history of being difficult to deal with, other health care/medication providers may be wary of accepting you as a patient/customer.

As a Clinic owner, I would look at this as a serious breach of confidence, the staff member acted wholly unprofessionally in every way. After hearing all the facts, disciplinary action would certainly be considered.

It’s still not GDPR, no data pertaining to the OP was leaked or divulged other than their name which isn’t a breach of GDPR laws. It’s a breach of confidence and to try and dress it up as anything else is just another typical example of how fcuked up our society has become where GDPR, discrimination, racism, LYGBT etc cards are played at every opportunity and usually in the context of looking for compensation.

Sleeper12

FutureTeashock wrote:

The source of this river of misery originates from the Pharmacy, where all data concerned is at risk due to the employees' access to said data.

OP gave the information directly to the sales assistant via both of their private Facebook accounts. The information was provided by OP directly to the sales assistant in a private Facebook account. It didn't originate from the business. A Facebook PM to a private Facebook account isn't covered in any shape or form by GDPR.

qo2cj1dsne8y4k

Sleeper12 wrote: »

Exactly what data that was collected & stored by the business was shared?

OP sent a private message to the woman's private Facebook account and not the business account. OP then revealed to a private citizen that she reported it to her boss. Sales assistant then shared this information on Facebook.

No.
I had an off putting experience with let’s call her A.
Remaining polite, I left the chemist.
I called chemist from outside the shop.
Manager called me back and apologized and said she would address the issue with A.

On Thursday, B started posting nasty comments on her Facebook status regarding my relationship, and accusing me of “mugging him off” which I ignored and did not address. On Friday night B posted “Please find another chemist to torment”

I messaged B by phone asking her “mugging my boyfriend off? Finding another chemist to go to? Have you something to say to me B?” To which she screenshot and posted on her Facebook.

She responded telling me my relationship was **** and to leave her and her in laws in peace. I had not contacted her, I had not spoken to her since June, I’ve nothing to do with her. As far as I was concerned, I had no hard feelings towards her at all.

I do not know A well enough to add her on Facebook, I don’t even know her marriage surname. I have never once interacted with A outside the chemist. We were not on chatty terms ever in the chemist, even before a and b knew each other. I have no issue with A outside the fact she was very rude to me when there was no need. A has not posted on Facebook to my knowledge but B knows about the incident and has seen fit to broadcast it. B has no business knowing when I frequent my local pharmacy but especially has no right to tell me where I can and can’t go on the back of what A said. She does not work there, she does not frequent there and she is not the spokesperson on who is and isn’t allowed in there. She accused me of “torment” and asked me to leave “my in laws in peace”.

qo2cj1dsne8y4k

Cee-Jay-Cee wrote: »

It’s still not GDPR, no data pertaining to the OP was leaked or divulged other than their name which isn’t a breach of GDPR laws. It’s a breach of confidence and to try and dress it up as anything else is just another typical example of how fcuked up our society has become where GDPR, discrimination, racism, LYGBT etc cards are played at every opportunity and usually in the context of looking for compensation.

I am not looking for compensation, I use a chemotherapy drug for a long term illness and that is the chemist that deals with me, I am immunocompromised and under the care of a consultant, and went in initially in relation to my condition but given her rude manner I wasn’t comfortable discussing with her so left and complained.

My complaint was carried out of the healthcare setting and used to humiliate me and bully me on Facebook, by a 3rd party.

I work a full time job. I’m not afraid of grafting. I’m not hoping for €€ I’m upset that my private business is being discussed with a toxic nasty individual giving her fodder for a social media show down I want no hand act nor part in.

qo2cj1dsne8y4k

Sleeper12 wrote: »

OP gave the information directly to the sales assistant via both of their private Facebook accounts. The information was provided by OP directly to the sales assistant in a private Facebook account. It didn't originate from the business. A Facebook PM to a private Facebook account isn't covered in any shape or form by GDPR.

No I didn’t. I have never ever ever introduced myself or contacted her outside of her profession. I messaged her sister in law who I used to be friends with who posted the aggressive comment.

Sleeper12

Kinslee Angry Scrabble wrote:

I do not know A well enough to add her on Facebook, I don’t even know her marriage surname. I have never once interacted with A outside the chemist. We were not on chatty terms ever in the chemist, even before a and b knew each other. I have no issue with A outside the fact she was very rude to me when there was no need. A has not posted on Facebook to my knowledge but B knows about the incident and has seen fit to broadcast it. B has no business knowing when I frequent my local pharmacy but especially has no right to tell me where I can and can’t go on the back of what A said. She does not work there, she does not frequent there and she is not the spokesperson on who is and isn’t allowed in there. She accused me of “torment†and asked me to leave “my in laws in peaceâ€.

I'm obviously misreading your posts. Obviously my fault not yours as I'm dyslexic.

Sorry I'm confusing things. I do hope this person & scummy friends stop harassing you.

Cee-Jay-Cee

Kinslee Angry Scrabble wrote: »

I am not looking for compensation, I use a chemotherapy drug for a long term illness and that is the chemist that deals with me, I am immunocompromised and under the care of a consultant, and went in initially in relation to my condition but given her rude manner I wasn’t comfortable discussing with her so left and complained.

My complaint was carried out of the healthcare setting and used to humiliate me and bully me on Facebook, by a 3rd party.

I work a full time job. I’m not afraid of grafting. I’m not hoping for €€ I’m upset that my private business is being discussed with a toxic nasty individual giving her fodder for a social media show down I want no hand act nor part in.

I wasn’t suggesting you were looking for compensation or anything else. My point is that in recent times every gripe or complaint appears to come under the racism, discrimination, GDPR banner.

What happened to you was simply a mouthy rude shop assistant blabbing to an even ruder and ignorant relative who then decided to contact you about it and it shouldn’t have happened and I sincerely hope the shop owner sacks them for it.

What gets to me is that rather than dealing with the issue directly with the employer you chose to try and find a label to put on it that you could obviously then take back to the shop owner.