Data Protection and Confidentiality in Pharmacy Practice

Protecting patient information, using records and systems lawfully, and reducing everyday confidentiality risks across the pharmacy team

Personal data, special category data, and lawful handling

ICO guidance defines personal data as information relating to an identified or identifiable living person. Much of what pharmacies handle is also special category data because health information is more sensitive and requires extra protection.

What this means in pharmacy practice

  • Personal data: names, addresses, phone numbers, dates of birth, NHS numbers, signatures, collection records and delivery details.
  • Special category data: medicines, diagnoses, service use, notes about symptoms, consultation records and other health-related information.
  • Inferences can still be sensitive: a text about methadone, an emergency contraception consultation or repeated visits for a particular service may reveal health information even when brief.

Lawful handling in simple terms

The pharmacy must have a lawful basis under Article 6 of UK GDPR to use personal data, and an additional condition under Article 9 to handle special category data. Front-line staff usually do not choose those legal conditions, but they must apply the rules in practice:

  • Only use information for a legitimate pharmacy purpose: not out of curiosity, gossip or personal interest.
  • Use the minimum necessary: collect, view, share and store only what the task requires.
  • Be accurate and careful: incorrect addresses, contact details or recipient records can cause breaches.
  • Follow privacy information and SOPs: do not create your own shortcuts for how data should be used or shared.

Data protection consent is not the same as clinical consent. In many routine pharmacy situations the organisation's lawful basis for processing is not "consent" in the data protection sense. Staff should avoid suggesting information will only ever be used because someone ticked a consent box, since legal and care-related duties may require other uses.

Scenario

A staff member notices a neighbour has started collecting medicines for diabetes and wants to look at the PMR "just to check they are alright". They are not involved in that patient's care.

Why is that inappropriate?

 
