Providers of NHS services within England, including community pharmacy contractors, are required to give information governance assurances to the NHS each year via the online self-assessment: the Data Security and Protection Toolkit (previously called the ‘IG toolkit’). The deadline for completing the mandatory questions is 31st March 2019.
PSNC has published new guidance including the Toolkit completion: Overview and its associated new documents (read more below).
Representatives from PSNC and NHS Digital will be available to talk you through the new Toolkit in our workshop on 30th January. Click here to learn more and register your place.
Completing the Toolkit and related guidance: PSNC guidance (updated)
Key documents completion guidance
These new documents may assist community pharmacy contractors to complete the Toolkit (published December 2018):
- Toolkit completion: Overview – this outlines six steps to complete the Toolkit.
- Toolkit completion: Question-by-question guidance (mandatory questions) (PDF ver) – this can be used to work your way down the Toolkit questions from top to bottom completing the mandatory questions not already marked completed.
- Toolkit completion: Question-by-question guidance (all, spreadsheet ver) this Excel spreadsheet, covering all mandatory and optional questions, provides an alternative to using the PDF.
PSNC has developed and this week published a series of guidance documents to assist community pharmacy contractors as they work towards their information governance (IG) declaration for 2018/19. Previously known as the IG Toolkit, this year contractors must complete the new ‘Data Security and Protection Toolkit’ no later than 31st March 2019.
PSNC and NHS Digital have been working together on the development of the Toolkit and NHS Digital have informally endorsed the information in the Toolkit completion: Overview (see link below).
As part of this work PSNC achieved agreement with NHS Digital in key areas which will significantly reduce the work contractors need to do to complete the Toolkit. Firstly, any contractor who completed our General Data Protection Regulation (GDPR) Workbook earlier this year can simply tick a box to confirm this and around half of the questions will be auto-completed. Secondly, with support from a number of PMR suppliers, many contractors will have access to information to help answer up to 12 technical questions.
PSNC has made our guidance materials available to contractors as soon as possible and would encourage contractors to consider this annual requirement in their planning as it coincides with a number of other events, including the introduction of the Falsified Medicines Directive (FMD) and the Quality Payments review point.
PSNC recommends that contractors register now, take a look at our guidance documents, as time allows, and start to get familiar with the new Toolkit.
Some pharmacy contractors may consider it beneficial to finish the Toolkit questions after:
- their PMR supplier may have added some relevant information against some technical questions (scheduled for early 2019); or
- the batch submission feature (for owners of multiple pharmacies) has been made available in early 2019.
Community pharmacies are expected to meet all mandatory evidence requirements which means that all questions marked as mandatory must be completed. The Toolkit has been significantly updated to incorporate GDPR and the National Data Guardian’s Ten Data Security Standards for the healthcare sector.
Requirements for IG change annually.
Pharmacy multiples that want to use the batch submission feature in the Toolkit are advised to register and begin completion of a ‘master’ Head Office submission. The ability to apply this as a ‘batch’ assessment to all your pharmacies will be developed in the coming months, in good time for the 31st March 2019 deadline.
Pharmacies are expected to meet all “mandatory” evidence requirements.
Read more about training and all of the training options at: IG training.
Note about the new Toolkit question 3.3.1 which says: “Staff pass the data security and protection mandatory test… Level 1 Data Security Awareness training” but equivalent training is acceptable. NHS Digital has confirmed to PSNC that the question can be marked completed if equivalent training has taken place including the GDPR guidance for Community Pharmacy (Part 2) staff training booklet. In advance of the Toolkit deadline (31st March 2019) most contractors will already have trained all staff to this level during the GDPR implementation period which began in May 2018. If not, you must ensure 95% of all current staff have been trained.
As part of the 2009/10 community pharmacy contractual framework funding settlement, the DHSC and PSNC agreed an allocation of £23 million funding to support the implementation of the Information Governance requirements. This equates to over £2000 for the average pharmacy contractor. This was paid out through the general funding arrangements rather than via a specific fee.
PSNC is currently in discussion with the Department of Health and NHS England to finalise the funding allocation for business continuity planning. To date £12m has been allowed. As with the Information Governance funding, this was paid out through the general funding arrangements rather than via a specific fee.
There are also ongoing costs, in maintaining compliance with the requirements, making annual Information Governance returns via the Toolkit and implementing changes made to the requirements by the NHS. As part of the funding arrangements for the national contractual framework, annual adjustments are made to pharmacy funding to reflect costs necessitated by significant additional regulatory burdens on contractors. Regulatory burdens are assessed on a retrospective basis and included in funding negotiations.
Q. Does the Toolkit apply to pharmacies within the devolved nations.
The Toolkit requirements apply to England only; different arrangements apply in Scotland, Wales and Northern Ireland.
Q. Are pharmacies still exempt from the requirement to have a business continuity plan?
No, pharmacies are no longer exempt from that requirement and they therefore need to have a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.
Q. Is the PSNC covered by the Freedom of Information Act 2000?
No. PSNC is not a “public authority” so FOI does not apply.
However, some of the organisations we deal with are public authorities and caught by FOI. For example, the NHS including health authorities, NHS Trusts and other national health bodies responsible for public health in England. Additionally, local government (including local bodies and local authorities) in England are also covered. The Freedom of Information Act 2000 grants a general right of access to information held by public authorities. This means that any person under FOI making a valid request for information is entitled to be informed in writing by the public authority whether it holds the information requested, and if that is the case, to have that information communicated to them.
Please note that there are exemptions which allow a public authority not to disclose information in response to an FOI request e.g. where PSNC and NHS England during pharmacy funding negotiations share confidential information.
Q. I have missed the Toolkit submission deadline. What can I do?
This is very regrettable – technically, this is a breach of the terms of service which could ultimately, result in action being taken by NHS England. All NHS providers, including community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the Toolkit. Therefore, compliance with the Toolkit submission deadline should be well planned in advance.
Nevertheless, PSNC would encourage all pharmacy contractors in this situation to submit, if possible, as soon as practicable. If not, then to contact their local NHS team for further guidance.
Read more FAQs at: Further FAQs.
Queries and support
Pharmacies can obtain support with queries linked to the Toolkit from the Exeter Helpdesk (email@example.com or 0300 3034034). The Exeter Helpdesk will be able to support pharmacies with the day-to-day administration of their account on the Toolkit, for example re-setting forgotten passwords and can provide technical support in using the Toolkit.
For support regarding the IG requirements, please see our IG Frequently Asked Questions page.
NHS Digital also have Frequently asked questions: Toolkit answers page.
Pharmacy contractors can continue to obtain general support on the IG requirements, by contacting us.
Related resources and templates
Read more at: IG templates and resources