
GPhC warns pharmacist over unauthorised access to rival's patient data

Source: Chemist+Druggist, 07/05/2026

A pharmacist has received a formal warning from the GPhC after being found to have accessed a competitor pharmacy's patient data without authorisation on approximately 14 occasions. This case is a stark reminder that professional integrity extends far beyond the dispensary counter — it applies to how you handle data, competition, and your conduct outside working hours. For pre-reg candidates preparing for the GPhC registration assessment, the standards underpinning this case are directly examinable.

What's happened

The GPhC investigated a pharmacist who obtained and used login credentials belonging to a rival pharmacy's online platform to access that pharmacy's patient data. The unauthorised access took place on approximately 14 separate occasions and was carried out from the pharmacist's own home, meaning this was not incidental or opportunistic — it was repeated and deliberate. Following its investigation, the GPhC found the pharmacist to be lacking in integrity and issued a formal warning.

A formal warning is a regulatory sanction that sits on a pharmacist's record. It is issued when the GPhC determines that conduct fell below the standards expected of a registered professional, but that the public is not at immediate risk requiring suspension or removal from the register. It is not a trivial outcome.

Why it matters for pre-reg pharmacists

This case may initially seem remote from the everyday pressures of a pre-reg placement — dispensing accuracy, clinical checks, medicines reconciliation. But the regulatory principles it touches are fundamental, and the GPhC assesses whether candidates understand them.

Integrity is not optional. The GPhC's standards make clear that registrants must behave with honesty and integrity at all times — not only when dispensing, counselling patients, or interacting with prescribers, but in every aspect of professional life. Accessing data you are not authorised to access, regardless of how you obtained the credentials, is a breach of that standard. The fact this occurred at home underlines that registration does not clock off when you leave the building.

Patient data is protected by law and professional duty. Patient records — whether held digitally or on paper — carry some of the strongest legal and ethical protections in healthcare. Patients share information with pharmacy teams because they trust it will be held confidentially and used solely for their care. Accessing a competitor's patient portal, even without directly using that data to harm anyone, violates that trust at a fundamental level. It treats patient data as a commercial asset rather than a confidential clinical record.

The competitive environment does not create exceptions. Community pharmacy operates in a competitive market. Pharmacies vie for patients, delivery services, and NHS contracts. None of that commercial reality creates any justification — legal, ethical, or professional — for accessing another organisation's systems or patient information without authorisation. The means of access matters too: obtaining and using someone else's login credentials compounds the breach. It raises questions about how those credentials were obtained and whether additional laws — such as the Computer Misuse Act — may apply alongside regulatory proceedings.

Repeated conduct is always more serious. A single, accidental, immediately self-reported breach looks very different from approximately 14 deliberate acts carried out over time, from home. Regulatory panels weigh the pattern of behaviour heavily. Repetition demonstrates that the pharmacist had multiple opportunities to stop, self-report, and correct course — and did not take them.

GPhC exam relevance

The GPhC registration assessment tests candidates across the full breadth of pharmacy practice, including professionalism, law, and ethics. This case maps directly onto several areas you are expected to understand.

GPhC Standards for Pharmacy Professionals — the standards require registrants to be honest and trustworthy and to demonstrate integrity. They also require you to respect and maintain the privacy and dignity of patients. A case in which a pharmacist systematically accessed patient records they had no right to see engages both of these standards simultaneously.

Data protection law — the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 govern how patient data must be handled. Accessing personal data without a lawful basis is unlawful. Patient data is classified as special category data under UK GDPR, attracting the highest level of protection. Pre-reg candidates are expected to understand the principles of lawful processing, data minimisation, and confidentiality as they apply in pharmacy practice.

Confidentiality and disclosure — the MEP (Medicines, Ethics and Practice guide) covers the professional duty of confidentiality and the circumstances in which disclosure may be lawful or required. Accessing a competitor's data falls entirely outside any recognised disclosure framework. There is no legitimate purpose, no patient consent, no legal requirement, and no overriding public interest that could justify it.

Fitness to practise — the assessment also expects candidates to understand how the GPhC's fitness to practise processes work, what sanctions are available (from advice through to erasure), and what standard of conduct is required to remain on the register. A formal warning, as issued here, is an important point on that spectrum to understand.

Scenario-based questions — the registration assessment uses scenario-based questions that ask you to identify the correct professional course of action. Scenarios involving data breaches, confidentiality dilemmas, or conduct outside the workplace are well within scope. Knowing that integrity applies at home, on personal devices, and outside contracted hours is testable knowledge.

Career angle

For those currently in their pre-reg year or foundation training, this case carries a direct message: your registration is yours, and it travels with you everywhere. The behaviours you develop now — how you handle patient information, how you respond when you make mistakes, how you conduct yourself when no one from your organisation is watching — form the foundation of your professional identity as a pharmacist.

Pre-reg trainees often work in competitive environments, particularly in community pharmacy, where patient volume and service provision matter commercially. You may at times have incidental access to information about other local pharmacies, their systems, or their staff. The professional boundary is clear: information obtained in the course of your work is not yours to use, share, or exploit.

If you ever encounter a situation where you are given, or stumble across, access credentials or confidential information that does not belong to you, the correct action is straightforward — do not use them, report the situation to your line manager or responsible pharmacist, and document what happened. That response reflects the integrity the GPhC expects and demonstrates the professional judgement that distinguishes a safe and trustworthy registrant.

From an employment perspective, a GPhC warning on your record is something that future employers — NHS trusts, multiples, CCGs commissioning services — will see and will ask you to explain. Pre-reg and early-career pharmacists sometimes underestimate how much professional conduct during training shapes their employability and their reputation within pharmacy networks. Community pharmacy in particular is a sector where reputation travels quickly.

What's next

For you as a candidate, the immediate action is straightforward: use this case as a revision anchor.

  • Review the GPhC Standards for Pharmacy Professionals, paying particular attention to the standards on honesty, integrity, and patient confidentiality.
  • Revisit the MEP sections on confidentiality, data protection, and fitness to practise to ensure you can apply those principles in scenario-based questions.
  • Refresh your understanding of UK GDPR as it applies to special category data and the pharmacy context — this is a live and examinable area of law.
  • Think about how you would respond in a scenario where you were offered, or accidentally received, access to systems or information you were not authorised to use. Practise articulating the correct professional response.

Watch for further GPhC fitness to practise decisions published on the GPhC register — these are publicly available and provide some of the most realistic scenario material available for pre-reg revision. Cases like this one, where the facts are clear and the principles well-established, are exactly the kind of grounding that builds confident, safe, exam-ready judgement.

Source: Chemist+Druggist — https://www.chemistanddruggist.co.uk/news/regulation/lacking-integrity-pharmacist-accessed-competitors-patient-data-72NT5P5RU5FBZBE2EM6XWANDHE/
