Providers of NHS services within England, including community pharmacy contractors, are required to give information governance assurances to the NHS each year via the online self-assessment: the Data Security and Protection Toolkit (previously called the ‘IG toolkit’). The previous deadline for completing the mandatory questions is 31st March 2019.
PSNC will be publishing further updates for pharmacy contractors in due course regarding the 2019/20 toolkit submission after further discussion with NHS Digital. The guidance on this webpage relates to the 2018/19 toolkit submission.
Completing the Toolkit and related guidance: PSNC guidance (updated)
Key documents completion guidance
These documents may assist community pharmacy contractors to complete the Toolkit (updated for 2018/19) toolkit submission:
- Toolkit completion: Overview which outlines five steps to complete the Toolkit.
- Toolkit completion: Question-by-question guidance (mandatory questions) (PDF ver) which can be used to work your way down the Toolkit questions from top to bottom completing the mandatory questions not already marked completed.
- Toolkit completion: Question-by-question guidance (all, Excel spreadsheet ver) which covers all mandatory and optional questions, and provides an alternative to using the PDF.
- Toolkit FAQs factsheet answer some common queries received by PSNC from those who have already or are in the process of completing their Toolkit.
PSNC and NHS Digital also have produced a Toolkit completion webinar available for on-demand viewing.
PSNC has developed and this week published a series of guidance documents to assist community pharmacy contractors as they work towards their information governance (IG) declaration for 2018/19. Previously known as the IG Toolkit, this year contractors must complete the new ‘Data Security and Protection Toolkit’ no later than 31st March 2019.
PSNC and NHS Digital have been working together on the development of the Toolkit and NHS Digital have informally endorsed the information in the Toolkit completion: Overview (see link below).
As part of this work PSNC achieved agreement with NHS Digital in key areas which will significantly reduce the work contractors need to do to complete the Toolkit. Firstly, any contractor who completed our General Data Protection Regulation (GDPR) Workbook earlier this year can simply tick a box to confirm this and around half of the questions will be auto-completed. Secondly, with support from a number of PMR suppliers, many contractors will have access to information to help answer up to 12 technical questions (NHS Digital are planning to add this feature at the end of February 2019).
PSNC has made our guidance materials available to contractors as soon as possible and would encourage contractors to consider this annual requirement in their planning as it coincides with a number of other events, including the introduction of the Falsified Medicines Directive (FMD) and the Quality Payments review point.
PSNC recommends that contractors register now, look at our guidance documents including the overview and question-by-question PDF document, and complete and submit the entire Toolkit. It can be submitted multiple times rather than once only. That is in case you wish to make a change after the first submission.
Some features continue to be worked on or refined:
- Information for technical/PMR questions: The mentioned question-by-question pdf guidance mentions how to complete technical (plus other) questions. You can complete all questions including technical ones now using that guidance. If required, you may use information supplied by your PMR supplier or seek assistance from your supplier. For some questions, you may enter text into the ‘document location information’ box rather than the ‘comments’ box. Previously a ‘PMR selection’ feature had been announced: During mid-March 2019, NHS Digital added a feature so that PMR suppliers could use a specific email address (e.g. email@example.com) which their customers could enter (into the ‘User List’ section of the Toolkit). PMR suppliers which create this email for this use, will have ability to bulk-insert some information for up-to 12 technical questions. After the final bulk insertion, contractors can amend or add to the information for those technical questions. Given that your supplier probably won’t have time to make use of the feature for many of their customers, all contractors should use the question-by-question guidance mentioned earlier and submit their entire Toolkit rather than waiting for their PMR supplier to add the feature.
- The batch submission feature (for owners of multiple pharmacies) is available (and continues to be refined so that it may become more suitable for more multiples).
Community pharmacies are expected to meet all mandatory evidence requirements which means that all questions marked as mandatory must be completed. The Toolkit has been significantly updated to incorporate GDPR and the National Data Guardian’s Ten Data Security Standards for the healthcare sector.
Requirements for IG change annually.
Pharmacy multiples that want to use the batch submission feature in the Toolkit are advised to register and begin completion of a ‘master’ Head Office submission. The ability to apply this as a ‘batch’ assessment to all your pharmacies continues to be developed in the coming weeks for greater numbers of pharmacy contractors, in good time for the 31st March 2019 deadline.
Pharmacies are expected to meet all “mandatory” evidence requirements.
New functionality is now available on the Toolkit enabling many head offices to publish an assessment on behalf of its branches – particularly where a batch submission was submitted last year. When you log in to the Toolkit as your HQ organisation (with HQ ODS code) you will be able to complete your assessment, review your list of branches and publish your Toolkit assessment for your branches. Your HQ’s branch list has been populated from data held by the ODS team. If your list is not accurate, please raise a support call with Exeter Helpdesk and request for it be corrected. If there has been a change with a pharmacy (e.g. during the last year) such as ownership, this may impact which pharmacies are listed against HQ codes.
- If you have already published, you will need to publish again once you have checked your HQ’s branches.
- If you have already registered but with a “branch” ODS code, please contact the the Helpdesk and they will give you access to your HQ organisation.
- If you can’t see the new HQ functionality (e.g. – the ability to check a list of your branches within the Toolkit) please contact the Helpdesk.
If you have any comments on the batch submission feature functionality you wish to pass to PSNC please contact PSNC by email. PSNC has received feedback that ODS code lists vs HQ codes are being further worked on.
Read more about training and all of the training options at: IG training. That page explains information such as:
- Note about the new Toolkit question 3.3.1 which says: “Staff pass the data security and protection mandatory test… Level 1 Data Security Awareness training” but equivalent training is acceptable. NHS Digital has confirmed to PSNC that the question can be marked completed if equivalent training has taken place including the GDPR guidance for Community Pharmacy (Part 2) staff training booklet. In advance of the Toolkit deadline (31st March 2019) most contractors will already have trained all staff to this level during the GDPR implementation period which began in May 2018. If not, you must ensure 95% of all current staff have been trained.
- Information about the Cyber Essentials scheme and how it applies to pharmacy.
As part of the 2009/10 community pharmacy contractual framework funding settlement, the DHSC and PSNC agreed an allocation of £23 million funding to support the implementation of the Information Governance requirements. This equates to over £2000 for the average pharmacy contractor. This was paid out through the general funding arrangements rather than via a specific fee.
PSNC is currently in discussion with the Department of Health and NHS England to finalise the funding allocation for business continuity planning. To date £12m has been allowed. As with the Information Governance funding, this was paid out through the general funding arrangements rather than via a specific fee.
There are also ongoing costs, in maintaining compliance with the requirements, making annual Information Governance returns via the Toolkit and implementing changes made to the requirements by the NHS. As part of the funding arrangements for the national contractual framework, annual adjustments are made to pharmacy funding to reflect costs necessitated by significant additional regulatory burdens on contractors. Regulatory burdens are assessed on a retrospective basis and included in funding negotiations.
Q. Does the Toolkit apply to pharmacies within the devolved nations.
The Toolkit requirements apply to England only; different arrangements apply in Scotland, Wales and Northern Ireland.
Q. Are pharmacies still exempt from the requirement to have a business continuity plan?
No, pharmacies are no longer exempt from that requirement and they therefore need to have a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.
Q. Is the PSNC covered by the Freedom of Information Act 2000?
No. PSNC is not a “public authority” so FOI does not apply.
However, some of the organisations we deal with are public authorities and caught by FOI. For example, the NHS including health authorities, NHS Trusts and other national health bodies responsible for public health in England. Additionally, local government (including local bodies and local authorities) in England are also covered. The Freedom of Information Act 2000 grants a general right of access to information held by public authorities. This means that any person under FOI making a valid request for information is entitled to be informed in writing by the public authority whether it holds the information requested, and if that is the case, to have that information communicated to them.
Please note that there are exemptions which allow a public authority not to disclose information in response to an FOI request e.g. where PSNC and NHS England during pharmacy funding negotiations share confidential information.
Q. I have missed the Toolkit submission deadline. What can I do?
This is very regrettable – technically, this is a breach of the terms of service which could ultimately, result in action being taken by NHS England. All NHS providers, including community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the Toolkit. Therefore, compliance with the Toolkit submission deadline should be well planned in advance.
Nevertheless, PSNC would encourage all pharmacy contractors in this situation to submit, if possible, as soon as practicable. If not, then to contact their local NHS team for further guidance.
Read more FAQs at: Further FAQs.
Queries and support
Pharmacies can obtain support with queries linked to the Toolkit from the Exeter Helpdesk (firstname.lastname@example.org or 0300 3034034). The Exeter Helpdesk will be able to support pharmacies with the day-to-day administration of their account on the Toolkit, for example re-setting forgotten passwords and can provide technical support in using the Toolkit.
For support regarding the IG requirements, please see our IG Frequently Asked Questions page.
NHS Digital also have Frequently asked questions: Toolkit answers page.
Pharmacy contractors can continue to obtain general support on the IG requirements, by contacting us.
Related resources and templates
Read more at: IG templates and resources