Data Security and Protection Toolkit

Data Security and Protection Toolkit

Providers of NHS services within England, including community pharmacy contractors, are required to give information governance assurances to the NHS each year via the online self-assessment: the Data Security and Protection Toolkit (previously called the ‘IG toolkit’). In light of the ongoing COVID-19 pandemic the final deadline for completing the mandatory questions has been re-scheduled from March 31st 2020 to September 30th 2020.

PSNC recommends contractors reviewing these new briefings and proceed with will assist community pharmacy contractors completing the Toolkit (some of newer guidance highlighted gold):

PSNC has been working with NHS Digital on some Toolkit matters and the overview briefing and some other aspects have been informally endorsed.

Some of the Toolkit guidance references: General Data Protection Regulation (GDPR) and the related guidance including GDPR workbook and the GDPR staff training booklet.

The guidance also refers to IG templates (updated 2020) which help the Toolkit requirements to be met.

Toolkit Workshop webinar on-demand

PSNC held a webinar to help support community pharmacy contractors in completing the Data Security and Protection Toolkit for 2019/20 on Thursday 6th February at 7.00pmIt will be made available on-demand shortly.

PSNC and NHS Digital have been working together on those changes needed for the Toolkit and we are keen to assist contractors as they work through it.

During the 60-minute on-demand webinar representatives from PSNC and NHS Digital will discuss the questions in the Toolkit, talk you through the guidance materials available and answer viewers’ questions on how to make the declaration.

To make the most of this webinar, we would advise taking a look at PSNC’s guidance documents and before watching the webinar and to log into your Toolkit to re-look at the questions including new ones in advance of watching the webinar. You may also ask questions after you have watched it: contact

With contractors required to finalise their pharmacy’s Data Security and Protection Toolkit submission by 31st March 2020, this webinar provides the perfect opportunity to make good headway in its completion.

Webinar Details

Who should watch the webinar
All contractors are required to give IG, data and security assurances to the NHS each year via the online self-assessment. Find out more about data and security protection at: do I register to watch it?
Please sign up here

Data Security and Protection Toolkit Workshop webinar

COVID-19 update: Changes to the Data Security and Protection Toolkit deadline

Community pharmacy contractors and others can continue to remain vigilant of data security risks during this period of COVID-19 response.  The Toolkit helps pharmacy contractors to check that they are in a good position to do that. PSNC discussed the upcoming deadline with NHSE&I and NHS Digital in light of the COVID-19 response.

The current submission deadline was amended from March 31st 2020 to September 30th 2020.

Pharmacy teams can choose to complete the Toolkit before that deadline date. If they do so, and if they fully meet the standard, those organisations will be awarded ‘Standards Met’ status, as in previous years.

Where organisations have separate agreements with commissioners or information sharing partners, existing deadlines might remain unaltered unless agreed between relevant parties but we would encoruage all to recognise that the date has changed.

Whilst the Toolkit submission deadline is being relaxed to account for COVID-19, the data and cyber security risk remains high.

PSNC worked with NHS Digital on guidance to support completion of the Toolkit and this guidance remains available on this webpage.

The opt-out system deadline is also re-scheduled from March 31st 2020 to September 30th 2020. See: PSNC Briefing: The national data opt-out system for patients, and how to align with the opt-out system which advises that your privacy notice can reference the patient opt-out system.

Technical questions and the Toolkit PMR feature

PSNC has been working with PMR suppliers on some Toolkit matters. We are aware that some PMR suppliers will provide information to support your completion of up to 14 technical questions in a variety of ways, e.g. via guidance documents or via their helpdesk.

Some PMR suppliers may choose to utilise the  improved Toolkit PMR feature. This feature involves your PMR supplier setting up an email address (e.g. to be communicated to you and entered by you (within the ‘Admin’>’User List’ section of the Toolkit, the email account can be added as ‘Member’) so that info can be bulk-inserted for the mandatory technical questions. This is likely to be at a pre-set time which your PMR supplier would advise you of. You would be able to add or amend the answers entered by your PMR supplier to include more information after the final bulk-insertion if needed. Your supplier as a ‘Member’ would technically be able to have visibility of answers but would promise not to collect, read or review these. You are advised not to wait for your PMR supplier to use the Toolkit PMR feature, in case they choose not to use the feature this year.

Headquarters (HQ) batch submission feature for pharmacies with three or more premises

Pharmacy contractors with three or more pharmacies should review:Toolkit completion: Using the Data Security and Protection Toolkit’s HQ batch submission feature – step-by-step guide and associated Checking pharmacies linked to HQ code using ODS portal factsheet. These explain how to request the feature is set-up for you. Contractors with three or more pharmacies may benefit from using the feature.

Contractors that want to use the HQ batch submission feature in the Toolkit are advised to register and begin completion of a ‘master’ HQ submission. The ability to apply this as an assessment to apply to all your pharmacies continues to be developed in the coming weeks for greater numbers of pharmacy contractors, in good time well before the 31st March 2020 deadline.

Pharmacies are expected to meet all “mandatory” evidence requirements.

New functionality is now available on the Toolkit enabling many head offices to publish an assessment on behalf of its branches – particularly where a batch submission was submitted last year. When you log in to the Toolkit as your HQ organisation (with HQ ODS code) you will be able to complete your assessment, review your list of branches and publish your Toolkit assessment for your branches. Your HQ’s branch list has been populated from data held by the ODS team.  If your list is not accurate, please raise a support call with Exeter Helpdesk and request for it be corrected. If there has been a change with a pharmacy (e.g. during the last year) such as ownership, this may impact which pharmacies are listed against HQ codes.

Please note:

  • If you have already published, you will need to publish again once you have checked your HQ’s branches.
  • If you have already registered but with a “branch” ODS code, please contact the the Helpdesk and they will give you access to your HQ organisation.
  • If you can’t see the new HQ functionality (e.g. – the ability to check a list of your branches within the Toolkit) please contact the Helpdesk and ask for the feature to be switched on.

If you have any comments on the batch submission feature functionality you wish to pass to PSNC please contact:

Toolkit FAQs

Q. Does the Toolkit apply to pharmacies within the devolved nations.

The Toolkit requirements apply to England only; different arrangements apply in Scotland, Wales and Northern Ireland.

Q. Are pharmacies still exempt from the requirement to have a business continuity plan?
No, pharmacies are no longer exempt from that requirement and they therefore need to have a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.

Q. Is the PSNC covered by the Freedom of Information Act 2000?
No. PSNC is not a “public authority” so FOI does not apply.

However, some of the organisations we deal with are public authorities and caught by FOI. For example, the NHS including health authorities, NHS Trusts and other national health bodies responsible for public health in England. Additionally, local government (including local bodies and local authorities) in England are also covered. The Freedom of Information Act 2000 grants a general right of access to information held by public authorities. This means that any person under FOI making a valid request for information is entitled to be informed in writing by the public authority whether it holds the information requested, and if that is the case, to have that information communicated to them.

Please note that there are exemptions which allow a public authority not to disclose information in response to an FOI request e.g. where PSNC and NHS England during pharmacy funding negotiations share confidential information.

Q. I have missed the Toolkit submission deadline. What can I do?

This is very regrettable – technically, this is a breach of the terms of service which could ultimately, result in action being taken by NHS England. All NHS providers, including community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the Toolkit. Therefore, compliance with the Toolkit submission deadline should be well planned in advance.

Nevertheless, PSNC would encourage all pharmacy contractors in this situation to submit, if possible, as soon as practicable. If not, then to contact their local NHS team for further guidance.

Q. What are the funding arrangements for the Toolkit completion?

As part of the 2009/10 community pharmacy contractual framework funding settlement, the DHSC and PSNC agreed an allocation of £23 million funding to support the implementation of the Information Governance requirements. This equates to over £2000 for the average pharmacy contractor. This was paid out through the general funding arrangements rather than via a specific fee. PSNC is in discussion with the Department of Health and NHS England to finalise the funding allocation for business continuity planning. To date £12m has been allowed. As with the Information Governance funding, this was paid out through the general funding arrangements rather than via a specific fee.

There are also ongoing costs, in maintaining compliance with the requirements, making annual Information Governance returns via the Toolkit and implementing changes made to the requirements by the NHS. As part of the funding arrangements for the national contractual framework, annual adjustments are made to pharmacy funding to reflect costs necessitated by significant additional regulatory burdens on contractors. Regulatory burdens are assessed on a retrospective basis and included in funding negotiations.

Read more FAQs at: Further FAQs.

Queries and support relating to Toolkit

Pharmacies can obtain support with queries linked to the Toolkit from the Exeter Helpdesk ( or 0300 3034034). The Exeter Helpdesk will be able to support pharmacies with the day-to-day administration of their account on the Toolkit, for example re-setting forgotten passwords and can provide technical support in using the Toolkit.

For support regarding the IG requirements, please see our IG Frequently Asked Questions page.

NHS Digital also have Frequently asked questions: Toolkit answers page.

Pharmacy contractors can continue to obtain general support on the IG requirements, by contacting us.

Related resources, templates, training and further information

See also within the data security and information governance section:

Additionally read more at:

If you have queries on this webpage or you require more information please contact



Return to Data security and information governance

Return to the Pharmacy IT hub or IT a-z index


Latest Contract & IT news

View more Contract & IT news >