GDPR issue in Pharmacy

Princess Calla

What gets to me is that rather than dealing with the issue directly with the employer you chose to try and find a label to put on it that you could obviously then take back to the shop owner.[/quote]

I think that's abit unfair!

She had dealt with the matter, she complained to management and considered it case closed and went about her day!

Then lo and behold the complaint appears on Facebook! So she again complained to management and by chance got the owner.

Regardless of what label you want to put on it, it's shockingly unprofessional.

If you made a confidential complaint would you like your details plastered all over Facebook?

I'm sure the OP is extremely upset by this, and I'm sure the owner is too.

If I was the owner of the pharmacy or any other business and someone was contacting my customers telling them not to use my services, costing me money I would be absolutely livid!

Not to mention the reputation of the pharmacy is being dragged through the mud by no fault of the owner!

qo2cj1dsne8y4k

Hi all, just to update you on this.
Spoke to the data protection commissioner this morning who informed me it is a data protection issue, and advised me to put my complaint in writing and get their response in writing, and advised me to submit the complaint to them.

antix80

Kinslee Angry Scrabble wrote: »

Hi all, just to update you on this.
Spoke to the data protection commissioner this morning who informed me it is a data protection issue, and advised me to put my complaint in writing and get their response in writing, and advised me to submit the complaint to them.

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

the_pen_turner

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

not sure wy you think that.
most people would be prity pissed off if in the same situation
this is a very serious issue , its borderline slander and completely harrament

i would hope the woman get very seriously reprimanded. there are far too many people out there that like to gossip and talk behind peoples back

Sleeper12

antix80 wrote:

You actually sound like a trouble-maker op.

I don't see that at all. OP has been bullied and harassed. OP is perfectly right to take any avenue open to her to get this to stop. She is definitely the victim in this imo

Dav010

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

So the op is right to be aggrieved, has had the DP issue confirmed, as the minority here, including a barrister specialising thought it would be, but the op is a trouble maker? I think you are trolling.

qo2cj1dsne8y4k

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

Whether I am or not, I won’t passively roll over and allow my business be spread around, including social media, by someone who has no business doing so.
I can only take responsibility for my actions and I won’t be harassed or bullied on social media because the staff member is unable to conduct herself in a professional manner.

AtomicHorror

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

It's hard to understand how anyone could have read this thread in full and come to this conclusion.

hullaballoo

hullaballoo wrote: »

Don't know many people who would go to their pharmacist for legal advice, with every respect.

I'm a barrister who specialises in data protection. I have a masters in it and advise large multinationals on this stuff.

It is very much a data protection issue.

What I think people don't grasp is the level of safeguards around sensitive data. Maybe it's a case of unintended consequences but the GDPR expressly regulates scenarios many people treat with casual disregard. Including gossiping about "torments" in work if you work in healthcare.

As for proving x, y or z about it. The standard of proof for these things isn't "establish as a matter of absolute objective truth". It's on the balance of probabilities and on balance, the fact that the complaint/altercation was made known to a third party and published establishes in the absence of any evidence to the contrary that a breach occurred.

With regards GDPR, it is about systematic collection of data and minimising the amount that can be held/minimisation.
This was a disagreement between two individuals, it is 100 percent not a GDPR issue. Hypothetically, if I as the pharmacist had acted as the shop attendant did, the OP would be right to lodge a complaint with my regulator but not the data protection commissioner.

cnocbui

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

No, but you do.

ytpe2r5bxkn0c1

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

So you'd let a breach like this just go?

Have you read the thread?

The OP is dead right and more people need to stand up to people who overstep the mark.

Sounds like A (rightly) got in trouble after your first complaint and complained to B.

I can't imagine why B then went and messaged you directly / posted it publically.

Sleeper12

Deleted User wrote:

With regards GDPR, it is about systematic collection of data and minimising the amount that can be held/minimisation. This was a disagreement between two individuals, it is 100 percent not a GDPR issue. Hypothetically, if I as the pharmacist had acted as the shop attendant did, the OP would be right to lodge a complaint with my regulator but not the data protection commissioner.

As more & more information came out yesterday it became clear that it is a GDPR breach. For the first 7 pages I was reading that someone posted on Facebook that OP was in a public place. Obviously nothing to do with GDPR but the last few pages it turns out that sales assistant shared a discussion between OP & the shop owner. This is 100 percent GDPR breach.

I'd love to follow this case & see what happens to the shop owner. Assuming they store data in the same way that all pharmacy's store data & they followed all the correct procedures you would think that they aren't responsible. They are responsible for their staff members obviously. I mean what more can they do to protect data. They can empty staffs brains at the end of the day to remove data that they took in throughout the day. I'm not sure if there are penalties for staff members who deliberately steal or misuse data

It would seem unfair in my mind for the store owner to be hit with penalties and the person who deliberately misused the data not to face penalties

laros

Hello....
I have a question for the O/P... Were you specifically mentioned in the Facebook post...?

strandroad

Cee-Jay-Cee wrote: »

It’s still not GDPR, no data pertaining to the OP was leaked or divulged other than their name which isn’t a breach of GDPR laws.

This is completely incorrect. Identifying information, such as person's name, is "personal data" and well covered under GDPR. Customer interaction related to a named customer leaking out is definitely a GDPR breach.

This is regardless of whether the sales assistant knows the customer socially or not (in this case she didn't anyway); if they are interacting in the context of the business with customer's data stored or processed GDPR applies.

strandroad

Deleted User wrote: »

With regards GDPR, it is about systematic collection of data and minimising the amount that can be held/minimisation.

GDPR is also about data protection. Releasing customer's name (which is "personal data" and therefore protected by GDPR) to any unauthorised third party is definitely a breach.

hullaballoo

Deleted User wrote: »

With regards GDPR, it is about systematic collection of data and minimising the amount that can be held/minimisation.
This was a disagreement between two individuals, it is 100 percent not a GDPR issue. Hypothetically, if I as the pharmacist had acted as the shop attendant did, the OP would be right to lodge a complaint with my regulator but not the data protection commissioner.

Look I'm not here to rub salt in the wounds but although one on the objectives of GDPR is data retention management/minimisation, there are many other objectives. A vital one that you appear to have missed being that data controllers and processors cannot divulge data to third parties without consent of the data subject. This is a manifestation of the EU legislature's views on privacy, which are very strongly protective of individuals' privacy rights. (Clearly there are very many more objectives in play with GDPR but I only have 5 minutes! )

If you are a pharmacist with an outlet, presumably you have staff who deal with customers while you inexplicably take 30 minutes to put 12 tablets in a brown bottle (I jest!) Those staff are at the very least data processors and you, as the data controller, are obliged to have sufficient structures in place to ensure anyone who processes data on your behalf, including simply maintaining a register of names, do not do so in such a way as to offend any of the many provisions of the GDPR.

This is vital stuff for any business and frankly, posts like the above highlight just how deficient the GDPR readiness industry (so-called GDPR "consultants") was in making businesses GDPR-ready.

On the other hand, the lack of any real knowledge about data protection and privacy is good for business.

antix80

strandroad wrote: »

GDPR is also about data protection. Releasing customer's name (which is "personal data" and therefore protected by GDPR) to any unauthorised third party is definitely a breach.

The op was in a public place and she made a bit of a show of herself by storming out of it because she felt slighted by the sales assistant.
I know the op protests she doesn't know the sales assistant or the woman she got into a slanging match with on facebook. I think there's enough animosity there for the sales assistant to say "guess who stormed out on me earlier and then made a complaint to my manager?" and for her relative to know exactly who she was talking about.

L1011

antix80 wrote: »

The op was in a public place and she made a bit of a show of herself by storming out of it because she felt slighted by the sales assistant.
I know the op protests she doesn't know the sales assistant or the woman she got into a slanging match with on facebook. I think there's enough animosity there for the sales assistant to say "guess who stormed out on me earlier and then made a complaint to my manager?" and for her relative to know exactly who she was talking about.

You are being less than helpful here.

I'd suspect the GDPR discussion may be more suited to Legal Discussion at this stage but I'm not sure a thread-split is practical at this point. If anyone wants to continue that I think a new thread in LD may be best.

strandroad

antix80 wrote: »

The op was in a public place and she made a bit of a show of herself by storming out of it because she felt slighted by the sales assistant.
I know the op protests she doesn't know the sales assistant or the woman she got into a slanging match with on facebook. I think there's enough animosity there for the sales assistant to say "guess who stormed out on me earlier and then made a complaint to my manager?" and her relative to know exactly who she was talking about.

It wouldn't matter even if it was true. Businesses are public places by definition. GDPR applies to public places. The OP is a named customer of a business, on the premises of the business, engaging in a business interaction. The pharmacy is the data controller here and the sales assistant is data processor who cannot release customer data to anyone if there is no valid professional purpose. The pharmacy has a duty to train and enforce data protection protocols. The assistant failed them.

Princess Calla

antix80 wrote: »

To a hammer everything's a nail.

You actually sound like a trouble-maker op.

The OP is getting bullied and harassed on Facebook, she doesn't need that here!

She is the injured party here, though I do have sympathy for the owner also.

Mango Joe

Assuming all happened as you have said and theres not 2 sides to every story......(Ahem)

Pharmacy worker sounds like a very unpleasant and unprofessional piece of work, ditto for her malicious and vindictive Facebook using friend.

If I was the Pharmacy owner I'd be horrified at my Employee for being hostile to Customers and then bringing my businesses name onto Facebook in such a bad light.

Yes people do go through the door of a Pharmacy with very confidential and sensitive business in mind - Pharmacy staff should be sympathetic professionals not small time eejitts carrying on like a gang of 12 years old hanging around outside a Centra shop looking for trouble.

NickNickleby

Purple Mountain wrote: »

It's definitely a customer confidentiality issue and a serious one.
Not GDPR like stated above.
Sounds like she got told off for being rude to you, went home and blabbed, which she absolutely should not have done.
Her sister in law has less sense than she has to contact you.
They've both made their own bed, I'd be glad to see them both get a boll*king.

Kinslee Angry Scrabble wrote: »

The owner was very nice and took this very seriously when I spoke to him and I don’t want to damage his business without giving him the opportunity to remedy the situation. I’m sure they all have a bitch about customers from time to time but he couldn’t control the third party posting it to Facebook.

I will meet with him and if I’m not satisfied with what he has to say, I’ll be filing a case with the psi and the data commissioner

I think we've all met these types, in Pharmacies, Doctors Surgeries and Dentists. Assistants who forget that they are the assistants, instead thinking they are the like the Pope - God's representative to the little people. If it wasn't for the Facebook post, I'd have just said "Ah, sure let it go, this person isn't worth your effort". The addition of the Facebook post is definitely horrendous, but my rage would be more about the cheek of someone to call me a torment on Facebook, along with the implied suggestion that the pharmacy wouldn't miss me. This somehow gives more weight to the scurrilous post, albeit without the pharmacists knowledge or consent - presumably. Actually, presumably is not a strong enough word. Who could imagine a pharmacist would deliberately permit this to happen. No one.

First bolded bit above I would consider a reasonable outcome.

The second bolded bit.... You've contacted the Data Commissioner, would not not wait until the owner comes back with his suggestion?

Can I ask, what outcome are YOU hoping for? We already know that you will have moral support from some on here asking for someone to be sacked, should that be the outcome. Is THAT what you're hoping for? Or perhaps a large fine to be given to the business owner? (now that you've already initiated a process with the Data Commissioner, I suppose that now becomes a real possibility). It doesn't seem to me , from your posts, that you'd want either of these things to actually happen. There are a few posters in this thread who already have the branding irons in the fire. That type of posting only serves to further inflame feelings, and I feel they (the suggestions, not the posters) are best ignored.

Lastly, while it might seem that I'm being antagonistic toward you, I'm really not that kind of person, I just feel you're using a sledgehammer to crack a nut, and I'm trying to persuade you that the sledgehammer route may be a little drastic - to say the least. I agree you have a real grievance, and I'm sure this kind of carry-on (I'm referring to the assistant et al). is the last thing you need in your life right now. I wish you well, and I hope this is resolved quickly and amicably, so that this needless additional stress is removed from your life. I'd suggest that the owner will go out of his way to remedy the situation.

homer911

I would be very surprised if there is not something in the employee's contract of employment related to customer confidentiality, and the implications of breaching this

qo2cj1dsne8y4k

On Thursday my relationship was dogged into the ground on Bs profile.
On Friday “please find another chemist to torment” was posted on social media, and followed up with a text message starting with “please leave my in laws in peace”.

I don’t want my business discussed with her as it’s fodder for social media. I am unsure what I expect the business to do; but I’m meeting him on Friday so I’ll hear what he says. If I’m unhappy with the outcome, I will lodge a complaint with the data protection commissioner but I will listen to what he has to say first.

This thread is an absolute car wreck.



Having read the whole thing I think some posters were reading a different thread because the OPs posts were perfectly clear to me.



It is a GDPR issue. Comparing it to being in Spar is nonsensical, it's not Spar. Spar does not keep information on as much as your spending habits never mind medical conditions.



Pharmacy attendant shared personal information to a 3rd party. Said attendant also has access to significant other personal information and could have shared that too. GDPR is about managing and securing personal data. In this situation personal data is at risk by the demonstrated misconduct of an employee.


The only advice I can give is to unfriend from Facebook the sister inlaw and limit future interactions with that family going forward. I expect the pharmacy owner to take it very seriously, and a letter from the Data Protection commissioner will see to that.



Finally, the attacks on the OP through-out this thread are really quite depressing.

NickNickleby

Kinslee Angry Scrabble wrote: »

On Thursday my relationship was dogged into the ground on Bs profile.
On Friday “please find another chemist to torment” was posted on social media, and followed up with a text message starting with “please leave my in laws in peace”.

I don’t want my business discussed with her as it’s fodder for social media. I am unsure what I expect the business to do; but I’m meeting him on Friday so I’ll hear what he says. If I’m unhappy with the outcome, I will lodge a complaint with the data protection commissioner but I will listen to what he has to say first.

Ah, I completely understand your anger. At least, internally, try to find a way round this. Remember 99.9% of people who heard the exchange in the Pharmacy or read the Facebook post (ok, it might be a bit of a stretch on Facebook:pac:) would be thinking "what an eejit" about the assistant or the Facebook poster! I imagine most people's immediate would reaction would be "fair play to your woman for walking out". YOUR reputation has not suffered here, theirs has. Your dignity has been assailed and yes, you're rightly annoyed. But in the end, YOUR dignity is still intact. You're already the winner here, you have the moral high ground.

Over years (or because I'm getting older) I've noticed this behaviour has gradually tapered off. Your assistant is the dinosaur. You were unlucky. Get her the bollocking and the admonition to treat you with perfect courtesy at the risk of her job, then watch as she tries to be smarmy, all the while squirming inside. Now, THERE's your reward!

Be well !!

Sir Oxman

Deleted User wrote: »

This thread is an absolute car wreck.



Having read the whole thing I think some posters were reading a different thread because the OPs posts were perfectly clear to me.



It is a GDPR issue. Comparing it to being in Spar is nonsensical, it's not Spar. Spar does not keep information on as much as your spending habits never mind medical conditions.



Pharmacy attendant shared personal information to a 3rd party. Said attendant also has access to significant other personal information and could have shared that too. GDPR is about managing and securing personal data. In this situation personal data is at risk by the demonstrated misconduct of an employee.


The only advice I can give is to unfriend from Facebook the sister inlaw and limit future interactions with that family going forward. I expect the pharmacy owner to take it very seriously, and a letter from the Data Protection commissioner will see to that.



Finally, the attacks on the OP through-out this thread are really quite depressing.

I find this happens all the time on forums like this.
I come into a forum like this one on the basis every OP is telling the truth.
That's the way it should be unless and until any OP is obviously holding something back/exaggerating/leaving bits out/making it up.


A liar will always slip up and some contributors haven't the sense they were born with.



PS I totally believe the OP here and I think she's been perfectly clear in what happened and I am at a loss as to the snipey post from one poster on here.
I was surprised it's a GDPR breach but I think GDPR for the ordinary soul is a minefield.

FutureTeashock

Sir Oxman wrote: »

I find this happens all the time on forums like this.
I come into a forum like this one on the basis every OP is telling the truth.
That's the way it should be unless and until any OP is obviously holding something back/exaggerating/leaving bits out/making it up.


A liar will always slip up and some contributors haven't the sense they were born with.



PS I totally believe the OP here and I think she's been perfectly clear in what happened and I am at a loss as to the snipey post from one poster on here.
I was surprised it's a GDPR breach but I think GDPR for the ordinary soul is a minefield.

The reason I believe her is because it's an all too familiar experience: you enter a business to pay for a product/service and the staff use you as an anger misplaced punching bag.
It's why I do 99% of my shopping online now.

Deleted User

Deleted User wrote: »

This thread is an absolute car wreck.



Having read the whole thing I think some posters were reading a different thread because the OPs posts were perfectly clear to me.



It is a GDPR issue. Comparing it to being in Spar is nonsensical, it's not Spar. Spar does not keep information on as much as your spending habits never mind medical conditions.



Pharmacy attendant shared personal information to a 3rd party. Said attendant also has access to significant other personal information and could have shared that too. GDPR is about managing and securing personal data. In this situation personal data is at risk by the demonstrated misconduct of an employee.


The only advice I can give is to unfriend from Facebook the sister inlaw and limit future interactions with that family going forward. I expect the pharmacy owner to take it very seriously, and a letter from the Data Protection commissioner will see to that.



Finally, the attacks on the OP through-out this thread are really quite depressing.

Is your name really priviledge information? This all sounds like a small town thing where everyone knows everyone, and their girlfriends and in-laws.

Nasty, but that's what also is going in small towns. If facebook wasn't invented it would be gossiped anyway.

Small towns are awful in many ways.

It is not right how people use facebook for mean ness, and am sorry for the OP. Is this happening in a place where everyone lives like in a box of hamsters?