Data Security and Protection Toolkit
Data Security and Protection Toolkit
Providers of NHS services within England, including community pharmacy contractors, are required to give information governance assurances to the NHS each year via the online self-assessment: the Data Security and Protection Toolkit (previously called the ‘IG toolkit’). The deadline for completing the mandatory questions is 31st March 2020.
PSNC recommends contractors reviewing these new briefings and proceed with will assist community pharmacy contractors completing the Toolkit:
- Toolkit completion: Five steps to complete the Toolkit (overview)
- Toolkit completion: Question-by-question guidance (mandatory questions) (PDF ver)
- Toolkit completion: Question-by-question guidance (all questions) (spreadsheet ver)
- Toolkit completion: Using the Data Security and Protection Toolkit’s HQ batch submission feature – step-by-step guide and associated Checking pharmacies linked to HQ code using ODS portal factsheet. These explain how to request the feature is set-up for you. Contractors with three or more pharmacies may benefit from using the feature.
- Register for our Toolkit (2019/20) Workshop: February 6th 2020 webinar. PSNC will be holding a webinar to help support community pharmacy contractors in completing the Toolkit for 2019/20 and all contractors completing the Toolkit are encouraged to register.
PSNC has been working with NHS Digital on some Toolkit matters and the overview briefing and some other aspects have been informally endorsed.
Some of the Toolkit guidance references: General Data Protection Regulation (GDPR) and the related guidance including GDPR workbook and the GDPR staff training booklet.
The guidance also refers to IG templates (updated January 2020) which help the Toolkit requirements to be met.
Toolkit Workshop webinar on-demand
PSNC held a webinar to help support community pharmacy contractors in completing the Data Security and Protection Toolkit for 2019/20 on Thursday 6th February at 7.00pm. It will be made available on-demand shortly.
PSNC and NHS Digital have been working together on those changes needed for the Toolkit and we are keen to assist contractors as they work through it.
During the 60-minute on-demand webinar representatives from PSNC and NHS Digital will discuss the questions in the Toolkit, talk you through the guidance materials available and answer viewers’ questions on how to make the declaration.
To make the most of this webinar, we would advise taking a look at PSNC’s guidance documents and before watching the webinar and to log into your Toolkit to re-look at the questions including new ones in advance of watching the webinar. You may also ask questions after you have watched it: contact email@example.com).
With contractors required to finalise their pharmacy’s Data Security and Protection Toolkit submission by 31st March 2020, this webinar provides the perfect opportunity to make good headway in its completion.
|Who should watch the webinar
All contractors are required to give IG, data and security assurances to the NHS each year via the online self-assessment. Find out more about data and security protection at: psnc.org.uk/ig
How do I register to watch it?
Technical questions and the Toolkit PMR feature
PSNC has been working with PMR suppliers on some Toolkit matters. We are aware that some PMR suppliers will provide information to support your completion of up to 14 technical questions in a variety of ways, e.g. via guidance documents or via their helpdesk.
Some PMR suppliers may choose to utilise the improved Toolkit PMR feature. This feature involves your PMR supplier setting up an email address (e.g. firstname.lastname@example.org) to be communicated to you and entered by you (within the ‘Admin’>’User List’ section of the Toolkit, the email account can be added as ‘Member’) so that info can be bulk-inserted for the mandatory technical questions. This is likely to be at a pre-set time which your PMR supplier would advise you of. You would be able to add or amend the answers entered by your PMR supplier to include more information after the final bulk-insertion if needed. Your supplier as a ‘Member’ would technically be able to have visibility of answers but would promise not to collect, read or review these. You are advised not to wait for your PMR supplier to use the Toolkit PMR feature, in case they choose not to use the feature this year.
Headquarters (HQ) batch submission feature for pharmacies with three or more premises
Pharmacy contractors with three or more pharmacies should review:Toolkit completion: Using the Data Security and Protection Toolkit’s HQ batch submission feature – step-by-step guide and associated Checking pharmacies linked to HQ code using ODS portal factsheet. These explain how to request the feature is set-up for you. Contractors with three or more pharmacies may benefit from using the feature.
Contractors that want to use the HQ batch submission feature in the Toolkit are advised to register and begin completion of a ‘master’ HQ submission. The ability to apply this as an assessment to apply to all your pharmacies continues to be developed in the coming weeks for greater numbers of pharmacy contractors, in good time well before the 31st March 2020 deadline.
Pharmacies are expected to meet all “mandatory” evidence requirements.
New functionality is now available on the Toolkit enabling many head offices to publish an assessment on behalf of its branches – particularly where a batch submission was submitted last year. When you log in to the Toolkit as your HQ organisation (with HQ ODS code) you will be able to complete your assessment, review your list of branches and publish your Toolkit assessment for your branches. Your HQ’s branch list has been populated from data held by the ODS team. If your list is not accurate, please raise a support call with Exeter Helpdesk and request for it be corrected. If there has been a change with a pharmacy (e.g. during the last year) such as ownership, this may impact which pharmacies are listed against HQ codes.
- If you have already published, you will need to publish again once you have checked your HQ’s branches.
- If you have already registered but with a “branch” ODS code, please contact the the Helpdesk and they will give you access to your HQ organisation.
- If you can’t see the new HQ functionality (e.g. – the ability to check a list of your branches within the Toolkit) please contact the Helpdesk and ask for the feature to be switched on.
If you have any comments on the batch submission feature functionality you wish to pass to PSNC please contact: email@example.com.
Q. Does the Toolkit apply to pharmacies within the devolved nations.
The Toolkit requirements apply to England only; different arrangements apply in Scotland, Wales and Northern Ireland.
Q. Are pharmacies still exempt from the requirement to have a business continuity plan?
No, pharmacies are no longer exempt from that requirement and they therefore need to have a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.
Q. Is the PSNC covered by the Freedom of Information Act 2000?
No. PSNC is not a “public authority” so FOI does not apply.
However, some of the organisations we deal with are public authorities and caught by FOI. For example, the NHS including health authorities, NHS Trusts and other national health bodies responsible for public health in England. Additionally, local government (including local bodies and local authorities) in England are also covered. The Freedom of Information Act 2000 grants a general right of access to information held by public authorities. This means that any person under FOI making a valid request for information is entitled to be informed in writing by the public authority whether it holds the information requested, and if that is the case, to have that information communicated to them.
Please note that there are exemptions which allow a public authority not to disclose information in response to an FOI request e.g. where PSNC and NHS England during pharmacy funding negotiations share confidential information.
Q. I have missed the Toolkit submission deadline. What can I do?
This is very regrettable – technically, this is a breach of the terms of service which could ultimately, result in action being taken by NHS England. All NHS providers, including community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the Toolkit. Therefore, compliance with the Toolkit submission deadline should be well planned in advance.
Nevertheless, PSNC would encourage all pharmacy contractors in this situation to submit, if possible, as soon as practicable. If not, then to contact their local NHS team for further guidance.
Q. What are the funding arrangements for the Toolkit completion?
As part of the 2009/10 community pharmacy contractual framework funding settlement, the DHSC and PSNC agreed an allocation of £23 million funding to support the implementation of the Information Governance requirements. This equates to over £2000 for the average pharmacy contractor. This was paid out through the general funding arrangements rather than via a specific fee. PSNC is in discussion with the Department of Health and NHS England to finalise the funding allocation for business continuity planning. To date £12m has been allowed. As with the Information Governance funding, this was paid out through the general funding arrangements rather than via a specific fee.
There are also ongoing costs, in maintaining compliance with the requirements, making annual Information Governance returns via the Toolkit and implementing changes made to the requirements by the NHS. As part of the funding arrangements for the national contractual framework, annual adjustments are made to pharmacy funding to reflect costs necessitated by significant additional regulatory burdens on contractors. Regulatory burdens are assessed on a retrospective basis and included in funding negotiations.
Read more FAQs at: Further FAQs.
Queries and support relating to Toolkit
Pharmacies can obtain support with queries linked to the Toolkit from the Exeter Helpdesk (firstname.lastname@example.org or 0300 3034034). The Exeter Helpdesk will be able to support pharmacies with the day-to-day administration of their account on the Toolkit, for example re-setting forgotten passwords and can provide technical support in using the Toolkit.
For support regarding the IG requirements, please see our IG Frequently Asked Questions page.
NHS Digital also have Frequently asked questions: Toolkit answers page.
Pharmacy contractors can continue to obtain general support on the IG requirements, by contacting us.
Related resources, templates, training and information
See also within the data security and information governance section:
- Templates, resources and policies
- General Data Protection Regulation (GDPR) and the related guidance and workbook
Additionally read more at:
- Access control methods (e.g. passwords, Smartcards)
- Cyber and technical security advice about how to prevent and deal with data and cyber issues
- Data Quality
- Information Commissioner’s Office (ICO) good practices for pharmacy
- National data opt-out system for patients (for data processing for planning/research)
- System settings and IT updates
- Ten steps to help improve data and cyber security within your pharmacy (factsheet)
- Windows 7/10 transition guidance
Return to Data security and information governance