Applying for Registration under the Data Protection Acts, 1988 & 2003 - Guidance Notes for Pharmacists
Registration is a simple, inexpensive and straightforward process, which has the effect of putting into the public domain some general information about the types of personal data which you process, and your purposes for doing so. You should be aware that processing personal data in ways inconsistent with your register entry may involve the commission of an offence. Failure to register, if required to do so, is also an offence.
Completing the Registration Application Form
Although the registration application form is largely self-explanatory, the following notes indicate the level of detail, of particular relevance to pharmacies, that is required to enable your application to be speedily processed. Please note that the suggested answers to particular sections of the form are provided for illustrative purposes only, and you will need to amend and/or supplement them to fit the particular circumstances of your business.
You should also note that not all of the details which you provide in your application form will be made publicly available as part of the public register. Only the responses to section 1 to 6 (inclusive) form part of the public register; the other details are required for the purposes of the Office of the Data Protection Commissioner, and will be treated as confidential. For clarity, each section below includes an indication of whether the information under that section forms part of the public register.
You should give the registered name and address of the company or person carrying on business. If your business is transacted at more than one outlet, you should list separately the trading name and location of each outlet.
In the case of pharmacies that are part of a group, there is a requirement on each pharmacy to register separately, if it is a separate legal entity. In other words, pharmacies that are established as limited companies must register individually, even if the company is wholly owned by a separate holding company. Conversely, if a company does business through a number of separate pharmacy outlets or branches - which are not established as limited companies in their own right - then that company should have a register entry, and the details in that entry should reflect the practices of all of the outlets. (A company in this position may also choose to maintain a number of separate register entries, to separate the practices of its various outlets, if it wishes.)
Note: You must keep this Office informed of any change of address. Failure to do so is an offence under section 19 of the Act.
You should identify the person to whom members of the public may address any applications for access to their personal data under section 4 of the Act. It is sufficient to identify the contact person by title or position, e.g. 'Pharmacist, pharmacy manager’, if you wish.
Section 3: Purpose(s) - This information forms part of the public register
Usually the purpose might be described as ‘Provision of pharmaceutical services and administration of pharmacy’.
The requirement to set out publicly your purpose for holding personal data makes an important contribution towards meeting your requirement under section 2 of the Data Protection Act to keep and use personal data "only for one or more specified and lawful purposes". This is a requirement which applies to all data controllers, not just those who are obliged to register.
Note: Keeping or using personal data for a purpose, other than the purpose or purposes described in the entry, may involve an offence under section 19 of the Act.
Section 4: Description - This information forms part of the public register
This section is divided into ‘Applications’ and ‘Description of Personal Data’. You are required to identify the various applications, i.e. distinct areas or aspects of your work, for which personal data are held and to detail the types of personal data kept in respect of each application.
Personal data held for applications which are ancillary to your primary purpose, such as personnel and payroll data, should be recorded as separate applications.
Example: The following illustrative examples indicate how some of the applications of personal data might be listed for a pharmacist -
Note: Keeping personal data of any description other than that specified in the register entry may involve an offence under section 19 of the Act.
Section 2 of the Act requires inter alia that any disclosure of the data must be compatible with your specified purpose for holding the data. You should list in this section any third parties to whom you make such disclosures. You should also note that the inclusion of a particular disclosee in you registration does not, of itself, make disclosures to that person legitimate.
You do not need to include transfers of personal data to your employees or agents, to the extent that such transfers are necessary to enable them to carry out their duties. Such transfers do not fall within the definition of ‘disclosures’ under the Act. Similarly, you do not need to list disclosures which are permitted under section 8 of the Act, including disclosures which are:
In case of doubt, it is advisable to list the disclosure in any event.
Example: Possible disclosures for pharmacists are given below for illustrative purposes. Note that it is sufficient to identify each application by the letter assigned to it in section 4.
Note: Knowingly to disclose personal data to a person who is not described in the entry, other than a person to whom a disclosure of such data may be made in the circumstances specified in section 8 of the Act, may involve an offence under section 19 of the Act.
This section relates only to personal data when transferred abroad in automated form, and is unlikely to apply to pharmacists.
Note: Transferring personal data, directly or indirectly, to a place outside the State other than one named or described in the entry may involve an offence under section 19 of the Act.
"Sensitive data" means any data of the types listed in section 16(1)(c) of the Data Protection Act — see under Introduction above. Where such sensitive types of personal data are held (as will normally be the case for pharmacists who are required to register), this section must be completed.
Under heading (ii) of this section, you should state for which of the applications listed under section 4 the sensitive data are held.
Example: Minimum security arrangements would normally include the following —
Physical Safeguards - ‘Access to computers is restricted to authorised personnel only and screens are positioned out of public view; premises are alarmed and secure when not occupied.’
Technical Safeguards - ‘Access to computer system is password-protected; PC workstation is subject to password-protected lock-out after period of inactivity; anti-virus software is in use; a firewall is used to protect systems connected to the internet.' [Note: for especially sensitive data, it is also advisable to use additional technical safeguards, such as routine encryption of files and multi-level access control.]
This section is not usually applicable to pharmacists - so the "No" box should be ticked.
You should give the name and/or job status of the individual who will supervise the application of the Act within your pharmacy, and the person to whom this Office will address correspondence relating to your application.