I'm sure that in your household, like millions of others, the Pharmaceutical Journal forms the bedrock of breakfast table reading. One story (also covered in the obscure publication The Daily Mail) was about a company, Pharmacy2U, being fined £130,000 ( about $200,000) for the selling of over 20,000 customer records to anybody willing to stump up £130 per thousand records.
Quoted in tPJ, David Smith deputy commissioner of the Information Commissions Office said: "Patient confidentiality is drummed into pharmacists. It is inconceivable that a business in this sector could believe these actions were acceptable. A reputable company has made a serious error of judgement and today faces the consequences of that. It should send out a clear message to other companies that the customer data they hold is not theirs to do with as they wish."
To be fair to the company, Pharmacy2U has accepted the fine and offered sincere apologies. This is not enough though. The computer systems in the NHS are still not joined up and under current rules cannot be owing to the risk to client confidentiality. It is still not unusual for a qualified pharmacist having to take a trip across town to collect records of a new patient because she has no direct computer access to those records: a shocking waste of skill and resources. The breach of patient (not customer) confidentiality by Pharmacy2U may well put back progress in having an integrated patient database available to health professionals.
The double standards though comes with how accountable a company is compared to an individual pharmacist working in the NHS. Pharmacy2U sold the records of over 20,000 patients, has been found out and fined £130,000. Beyond some damage to its professional reputation, that is pretty much it. No individual is held to legal account. Contrast this to a NHS pharmacist would takes an unauthorised look at a patient's records. All data searches are traced to individual users so if the person searching does not have the right to look at the data, they stand not only to face disciplinary action and being struck off the register of practicing pharmacists, but also the criminal sanction of imprisonment. This is not theoretical: pharmacists do get struck off for data breaches and prescription mistakes.
While individual pharmacists who breach rules are left without a profession and possibly with a criminal record, a pharmacy company takes a rap on the knuckles. "Why?" one irate pharmacist asked me. "Isn't any of the directors being sent to prison?"
Even if it is decided that prison is too tough a sanction, surely it is right that those who have responsibility for patient data should face the possibility of being declared as unfit persons to hold a directorship, if that confidentiality is breached.