All NHS providers, including community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the Data Security and Protection (DSP) Toolkit replaces the IG toolkit that contractors have completed in previous years.
PSNC has been working with NHS Digital to ensure that the DSP Toolkit is optimised for completion by pharmacy contractors and that appropriate support materials will be available to help contractors to complete it. One PSNC proposal to make completion as straightforward as possible, which NHS Digital have agreed to implement, is that where a contractor declares that they have completed the PSNC GDPR Workbook for Community Pharmacy, the number of questions they will be asked to respond to in the Toolkit will be significantly reduced.
Contractors should register to access the new Toolkit via the DSP Toolkit registration page (contractors will need their pharmacy’s ODS code to register).
The DSP Toolkit will include some technical questions which need to be completed, but on which contractors are likely to need to get the answers from their PMR supplier. PSNC has agreed with NHS Digital and PMR suppliers that they will work together to pre-populate the answers to the technical questions based on information provided by individual PMR system suppliers. Cegedim, EMIS, Positive Solutions and RxWeb have confirmed support for this approach and have started to prepare text for inclusion in the DSP Toolkit during October and the first half of November 2018.
Requirements for IG change annually, and Data Security and Protection (DSP) Toolkit for 2018/19 is now available for completion.
Please note: these requirements apply to England only; different arrangements apply in Scotland, Wales and Northern Ireland.
Pharmacies are expected to meet all “mandatory” evidence requirements. The deadline for submitting this year’s return is 31st March 2019.
Further support materials and guidance documents will be available (and this website page updated) by the end of 2018.
Guidance on the requirements
Read more at: https://www.dsptoolkit.nhs.uk/Help.
PSNC will be developing further guidance to support toolkit completion and once this is available it will be highlighted on this website and in our email newsletters. Requests for support can also be made by email to email@example.com or telephone 0300 3034034.
Pharmacy multiples that want to use the batch submission feature in the Toolkit are advised to register and begin completion of a ‘master’ Head Office submission. The ability to apply this as a ‘batch’ assessment to all your pharmacies will be developed in the coming months, in good time for the 31st March 2019 deadline.
A contractor workbook was published by PSNC in 2009/10. This should be read in conjunction with an update published in 2010/11. Click on the links below to access these resources (hard copies are no longer available):
Guidance on using the Online Toolkit
Technical support in using the Toolkit including obtaining access rights and password re-sets can be obtained from the Exeter Helpdesk (Exeter.firstname.lastname@example.org or 0845 3713671).
There are a number of additional IG training options available including two interim training products:
- IG and DS Essentials – Workbook – 20-12-2016.docx (NHS Digital)
- IG and DS Essentials – PowerPoint presentation – 30-12-2016 (NHS Digital)
Using these training options is not mandatory. If you have any suggestions as to this content while you are using these materials, then the suggestions will be considered by NHS Digital for improving an e-learning module which is in development (and if necessary amending the interim products). If you would like to provide feedback about the content please use the NHS Digital contact form, or email email@example.com and mark your query for the attention of the IGTT refresh project.
The Cyber Essentials scheme is a recognised cyber security assurance certification. The Department of Health and Social Care recommended in their report that all NHS organisations meet this cyber security standard. In October 2018, it was reported in the HSJ that NHS Digital which runs the NHS’s national cyber services opposed adopting the recommendation.
Community pharmacies are not NHS organisations and it is not a requirement for pharmacy contractors to meet this cyber security standard. But contractors may wish to do so. Contractors already submit IG assurances to NHS England via the Data Security and Protection Toolkit (formerly the IG Toolkit).
Read more at: IG training.
As part of the 2009/10 community pharmacy contractual framework funding settlement, the DHSC and PSNC agreed an allocation of £23 million funding to support the implementation of the Information Governance requirements. This equates to over £2000 for the average pharmacy contractor. This was paid out through the general funding arrangements rather than via a specific fee.
PSNC is currently in discussion with the Department of Health and NHS England to finalise the funding allocation for business continuity planning. To date £12m has been allowed. As with the Information Governance funding, this was paid out through the general funding arrangements rather than via a specific fee.
There are also ongoing costs, in maintaining compliance with the requirements, making annual Information Governance returns via the Toolkit and implementing changes made to the requirements by the NHS. As part of the funding arrangements for the national contractual framework, annual adjustments are made to pharmacy funding to reflect costs necessitated by significant additional regulatory burdens on contractors. Regulatory burdens are assessed on a retrospective basis and included in funding negotiations.
Queries and support
Pharmacies can obtain support with queries linked to the NHS Information Governance Toolkit from the Exeter Helpdesk (firstname.lastname@example.org or 0300 3034034). The Exeter Helpdesk will be able to support pharmacies with the day-to-day administration of their account on the Information Governance Toolkit, for example re-setting forgotten passwords and can provide technical support in using the Toolkit.
For support regarding the IG requirements, please see our IG Frequently Asked Questions page.
NHS Digital also have Frequently asked questions: IG Toolkit answers page.
The pharmacy may have persons working for it (otherwise than under a contract of employment) e.g. locum pharmacists, or have persons visiting the pharmacy who are likely to have access to areas of the pharmacy not generally accessible by members of the public. One way to help safeguard the confidentiality of patients’ personal and sensitive personal data is by requiring the third party to agree to a confidentiality agreement. A template is available here
We recommend that the pharmacy retain the original signed confidentiality agreements for at least 6 years before considering disposal.
In September 2013 the Health and Social Care Information Centre (now NHS Digital) published a Guide to Confidentiality in Health and Social Care which explains the various rules about the use and sharing of confidential information. It has been designed to be easily accessible and to aid good decision making. It also explains the responsibility organisations have to keep confidential information secure.
The guide is supported by a references document which provides more detailed information for organisations and examples of good practice.
PSNC Briefing 109/13: Information: To Share or not to Share – Government Response to the Caldicott Review (December 2013)
This PSNC Briefing summarises Information: To Share or not to Share – Government Response to the Caldicott Review which was published by the Department of Health and Social Care (DHSC) in September 2013.
PSNC Briefing 044/13: A summary of the Caldicott Review on information governance (May 2013)
Dame Fiona Caldicott undertook an independent review of information governance within the NHS in England and her report Information: To Share or Not to Share? was published in April 2013. This PSNC Briefing summarises the key points in the report.
Pharmacy contractors can continue to obtain general support on the IG requirements, by contacting us.
Q. Are pharmacies still exempt from the requirement to have a business continuity plan?
No, pharmacies are no longer exempt from that requirement and they therefore need to have a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.
Q. Is the PSNC covered by the Freedom of Information Act 2000?
No. PSNC is not a “public authority” so FOI does not apply.
However, some of the organisations we deal with are public authorities and caught by FOI. For example, the NHS including health authorities, NHS Trusts and other national health bodies responsible for public health in England. Additionally, local government (including local bodies and local authorities) in England are also covered. The Freedom of Information Act 2000 grants a general right of access to information held by public authorities. This means that any person under FOI making a valid request for information is entitled to be informed in writing by the public authority whether it holds the information requested, and if that is the case, to have that information communicated to them.
Please note that there are exemptions which allow a public authority not to disclose information in response to an FOI request e.g. where PSNC and NHS England during pharmacy funding negotiations share confidential information.
Q. I have missed the IG toolkit submission deadline. What can I do?
This is very regrettable – technically, this is a breach of the terms of service which could ultimately, result in action being taken by NHS England. All NHS providers, including community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the NHS Information Governance Toolkit (IGT). Therefore, compliance with the IG toolkit submission deadline should be well planned in advance.
Nevertheless, PSNC would encourage all pharmacy contractors in this situation to submit, if possible, as soon as practicable. If not, then to contact their local NHS team for further guidance.