ICO publishes good practice report for community pharmacies

May 8, 2017

The Information Commissioner’s Office (ICO) has published the findings from its work relating to community pharmacies. These findings are intended to promote good practices and make recommendations about how to further improve data protection within community pharmacies.

With the expansion of services being offered by the community pharmacy sector, it is important for pharmacy contractors to consider best practices related to information governance and security.

Who is the ICO?

The ICO is the regulator responsible for ensuring that organisations comply with the Data Protection Act 1998 (the DPA) and for promoting good practice in information handling.

The ICO community pharmacy study

The ICO Good Practice department undertook a series of voluntary visits with organisations operating community pharmacies in England, Scotland and Wales. The ICO also ran a survey asking community pharmacists to provide information. The research focussed on measures relating to:

  • information governance and security;
  • data protection issues in public-facing websites;
  • staff training and awareness;
  • fair processing provided to customers;
  • records management, and disposal of data;
  • usage of portable media devices; and
  • transmission of personal and sensitive personal data.

Findings and recommendations

The study identified that generally staff and organisations have a good awareness of the requirement to keep personal data safe/confidential and are motivated to do so.

Recommendations, good practices, and practical tips were highlighted within the report, including:

  Training

  • Regular and ongoing training should be made available to all staff who handle sensitive information;
  • Information governance (IG) training should cover confidentiality and information security;

  IT

  • Website fair processing notices on pharmacy websites should deal with both how that website uses information, and how the pharmacy contractor uses it;
  • Software on computers which are processing sensitive personal data should be regularly updated;
  • There should be a mechanism, such as “Safe Haven” procedures (see archived HSCIC information), in place to maximise the secure use of fax machines where there are no other alternatives and their use remains necessary;
  • Individual user logons should be used for all systems that contain patient identifiable data to enable a full audit trail of view and change events to a patient’s record;
  • Smartcards should only be used by the registered holder;

  Policies and procedures

  • Ensure these are in place to:
    • control the removal of personal data from the pharmacy premises;
    • comply with marketing consent legislation and the relevant record keeping required;
    • identify which records, and when, are to be retained/destroyed; and
    • monitor staff for compliance with standards.
  • Policies and procedures should be easily available so staff can learn from them and refer to them when necessary.

 

Read more at: Information governance, cybersecurity and training


