Data security top tips and case studies

This webpage sets out for pharmacy contractors and teams how to align with top tips.

With the expansion of services being offered by the community pharmacy sector, it is important for pharmacy contractors to consider best practices.

Community Pharmacy England and NHSX data security communication tips

See: Community Pharmacy England: Cyber security tips IT factsheet

Community Pharmacy England Ten steps to data and cyber security 

See: Data security: Ten steps to improve it (briefing)

ICO community pharmacy study to identify top tips

The ICO is the regulator responsible for ensuring that organisations comply with the Data Protection Act 1998 (the DPA) and for promoting good practice in information handling.

Information Commissioner’s Office (ICO) previously published the findings from its work relating to community pharmacies. The ICO findings are intended to promote good practices and make recommendations about how to further improve data protection within community pharmacies.

The ICO Good Practice department undertook a series of voluntary visits with organisations operating community pharmacies in England, Scotland and Wales. In addition, the ICO also ran a survey asking community pharmacists to provide information. The research focussed on measures relating to:

• information governance and security;
• data protection issues in public-facing websites;
• staff training and awareness;
• fair processing provided to customers;
• records management, and disposal of data;
• usage of portable media devices; and
• transmission of personal and sensitive personal data.

Top tips from the ICO study

The study identified that generally staff and organisations have a good awareness of the requirement to keep personal data safe/confidential and are motivated to do so.

Recommendations, good practices, and practical tips were highlighted within the report, including:

  Training

• Regular and ongoing training should be made available to all staff who handle sensitive information;
• IG training should cover confidentiality and information security;

  IT

• Website fair processing notices on pharmacy websites should deal with both how that website uses information, and how the pharmacy contractor uses it;
• The importance of regularly updating software on computers which are processing sensitive personal data;
• There should be a mechanism, such as “Safe Haven” procedures, in place to maximise the secure use of fax machines where there are no other alternatives and their use remains necessary;
• Individual user logons should be used for all systems that contain patient identifiable data to enable a full audit trail of view and change events to a patient’s record;
• Smartcards should only be used by the registered holder;

  Policies and procedures

• Ensure these are in place to:
  • control the removal of personal data from the pharmacy premises; and
  • monitor staff for compliance with standards.
• Policies and procedures should be easily available so staff can learn from them and refer to them when necessary.

If you have queries on this webpage or you require more information please contact it@cpe.org.uk.

Return to the section: Data security and information governance

Return to the section: Data Security and Protection Toolkit

Return to the Pharmacy IT hub