IG frequently asked questions
The Online Toolkit
(new) Q. Do I need to login on two occasions to complete the assessment (i.e. initial login and then on the following day, publishing the submission once the exemption to 319 has technically been applied)?
A. This is not necessary. It is possible to complete the assessment in one session – if it is your first time logging in to version 12 of the Toolkit (2014/15) and you would like to submit the assessment on the same day, then there is a need to give a score for requirement 319 to allow submission of the assessment – however, regardless of what score is given for requirement 319, this requirement will be changed to ‘exempt’ after submission during the overnight update process. The exemption will also be applied to any Version 12 assessments that have already been submitted.
Q. What happens if I don’t complete my submission by the deadline?
A. The Toolkit isn’t ‘locked’ at midnight on the 31st March therefore it may be technically possible to still make a submission after the deadline. If a pharmacy has missed the 31st March deadline, we would recommend contacting your local NHS England Team to discuss this.
Q. I have completed the Toolkit for 2014/15 but for some reason the ‘publish’ button is greyed out and I can’t select this. What should I do?
A. Any scores, evidence and comments entered into a pharmacy’s 2013/14 assessment will automatically be rolled over to the 2014/15 assessment. However, there is still a need to tick to confirm that scores, evidence and comments have been reviewed and to update the information entered where necessary. It is only possible to click the ‘publish’ button once the ‘requirement reviewed’ checkbox on each requirement page has been ticked.
Q. Whilst my current score is showing ‘satisfactory’, my target score is showing ‘unsatisfactory’, why is this?
A. As part of the submission, pharmacies have to tick various boxes and from this, the site automatically generates the pharmacy’s level of compliance (current score). For each requirement, pharmacies should enter a ‘target score’ and ‘target date’, this can be typed in at the bottom of each requirement page. The target date could be 31st March 2015. If each requirement has been marked as having a target of either Level 2 or not relevant, the overall target score will be satisfactory. Whilst optional, it is not currently mandatory for pharmacies to have evidence to comply with the Level 3 requirements.
Q. On the Information Governance Toolkit, there are fields linked to each requirement to record the location of evidence or to upload evidence. Do I need to complete these fields?
A. No. It is important to make some comments to support your score, this could be by making some comments in the comments box or ticking the relevant evidence obtained boxes but it is not mandatory to complete the optional fields to record where each piece of evidence is located or to upload evidence such as policies and procedures. Note some evidence will include commercially sensitive information and would therefore be inappropriate to upload.
Q. For a multiple pharmacy, when registering for access to the IG Toolkit, is it possible to register using the same name and log-in email for each premises and just change the ODS code?
A. Yes, this is possible.
Q. Can a Head Office staff member view the submissions of individual stores?
A. It is now possible for a Head Office staff member to centrally view the submissions of individual stores through a central log-in. To access this functionality, contact the Helpdesk (0845 3713671) with the name and address of the pharmacy head office.
Q. When submitting the Online Toolkit Assessment, if you get interrupted and have to exit the Toolkit, is the data saved so you can come back and finish the assessment at a later date?
A. If a pharmacist is interrupted part-way through recording information against an individual requirement, click the ‘save’ button and work done will be saved.
Q. If there is a change of ownership of the pharmacy and the pharmacy ODS Code (F Code) remains the same, how should the new owner register to access the toolkit?
A. The new owner would need to contact the Exeter helpdesk (0845 3713671). The account of the previous owner can be locked and the new owner registered against that ODS Code.
Q. To register for the IG Toolkit, I need to provide my email address. What will this be used for other than the initial registration process, for example will I receive a reminder email of the deadlines to complete the Toolkit?
A. The Toolkit does not currently generate any reminder emails but it is hoped that this option will be introduced at a later date.
Q. Once I’ve registered for the IG Toolkit, how do I update my registered email address?
A. To update details, users need to log in and then select the ‘My Details’ tab on the left hand side; this will allow them to edit both their email address and their telephone number. Users can also change their password using the ‘My Password’ tab.
Q. I have already submitted my baseline IG Assessment. When can I next submit an assessment?
A. Pharmacies are required to make an annual assessment. Once an assessment has been submitted it is not possible to withdraw a submission so it is important to ensure that the scores accurately reflect the assessment status of the pharmacy. Any improvements in the scores should be entered into the next version of the Information Governance Toolkit.
Q. I have just discovered I have made a mistake in my submission. Can I correct the answers after clicking the submit button?
A. It is not possible to withdraw or edit a submission once the ‘submit’ button has been pressed. If a significant error has been made, contact the Exeter Helpdesk (Exeter.firstname.lastname@example.org or 0845 3713671) who will consider the request. Alternatively if it is a significant error and the Helpdesk is unable to provide support, contact your local NHS England Team.
Q. Can a local NHS England Team take action against a pharmacy contractor who does not achieve Level 2 compliance by the 31st March 2015?
A. A number of changes were made to the Terms of Service requirements (Clinical Governance) in October 2011 to require pharmacies to comply with an approved information governance programme. In practice, this means achieving Level 2 compliance with the nationally specified NHS Information Governance requirements, and making an annual declaration via the Information Governance Toolkit.
Pharmacies are also required to be compliant with the Data Protection Act 1998 and the NHS Code of Practice on Confidentiality.
The Information Commissioner’s Office (ICO) enforces and oversees the Data Protection Act. In April 2010, the ICO was given new powers which include the power to fine organisations up to £500,000 as a penalty for serious breaches of the Data Protection Act. When serving monetary penalties, the Information Commissioner will carefully consider the circumstances, including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches. The ICO has published guidance on what they consider to be ‘reasonable steps’. This includes things like putting in place appropriate policies and procedures, undertaking risk assessments and putting in place appropriate mitigation to safeguard data and having good governance/audit arrangements to prevent contraventions of the Data Protection Act. These are all actions that the NHS requires evidence of through the NHS Information Governance Toolkit.
The ICO may also prosecute those who commit criminal offences under the Data Protection Act.
A local NHS England Team may investigate a pharmacy that has not completed an annual return via the Information Governance Toolkit to satisfy itself that the pharmacy is meeting the Terms of Service requirements.
Q. I have both an LPS Contract and a General Pharmaceutical Services contract. Both are linked to the same premises. Do I need to complete 2 submissions?
A. Given that both contracts are linked to the same premises, it may be appropriate to have only one submission which provides assurances on the management of information obtained under both contracts at the premises. But there may be differences depending on the nature of services provided under the LPS, therefore we recommend discussing this with your local NHS England Team.
Local NHS England Team support
On the 1st April 2013, responsibility for monitoring and supporting pharmacy information governance passed from PCTs to NHS England Area Teams (now local NHS England teams).
Q. My local NHS England Team has asked me to share a copy of my action plan with them. Do they not have access to this through the Toolkit?
A. No – local NHS England Teams cannot access your action plan through the Information Governance Toolkit.
Whilst carrying out an assessment you should enter both a current score (your pharmacy’s assessment score for the current year) and a target score (the score you intend to attain on your next assessment), by doing this an action plan is created (known as an ‘implementation plan’ or ‘improvement plan’ in the Toolkit). This can be downloaded to Microsoft word and printed.
Pharmacies should ensure that their action plan is filed locally so that it is available to show to local NHS England Team officials during support visits (which may be part of contractor monitoring visits) to the pharmacy. There is no mandatory requirement to post or fax action plans to local NHS England Teams, however, where the local NHS England Team is working to provide support to pharmacies in meeting the requirements, pharmacies may find it helpful to submit their copy.
Q. Where is the funding for pharmacies initially implementing the IG requirements coming from?
A. As part of the 2009/10 community pharmacy contractual framework funding settlement, the Department of Health and Social Care (DHSC) agreed to make provisions against the excess margin available to contractors as established by the Margins inquiry (ie money already with contractors) over the £500 million agreed as part of the CPCF funding. It was identified for a number of one-off costs pharmacy contractors are facing, including information governance. £90 million of investment was agreed for these unavoidable one-off infrastructure costs. Further to detailed negotiations on the work involved, the DHSC and PSNC agreed that over £23 million of this sum was to support the implementation of the IGT, which equates to over £2000 per pharmacy.
PSNC is currently in discussion with the DHSC to finalise the funding allocation for business continuity planning. To date £12m has been allowed. As with the Information Governance funding, this was paid out through the general funding arrangements rather than via a specific fee.
Q. Will funding be available in future years to reflect the ongoing costs in continuing to comply with the requirements?
A. There are ongoing costs, in maintaining compliance with the requirements, making annual Information Governance returns via the Toolkit and implementing changes made to the requirements by the NHS. As part of the funding arrangements for the national contractual framework, annual adjustments are made to pharmacy funding to reflect costs necessitated by significant additional regulatory burdens on contractors. Regulatory burdens are assessed on a retrospective basis and included in funding negotiations.
General confidentiality queries
Q. In Version 8, a number of the requirements ask for a policy or procedure to be signed off by a contractor representative. Who is the ‘contractor representative’?
A. A “contractor representative” could be anyone who has been authorised to represent a contractor for a particular purpose. This has not been defined further as different pharmacies will have different business models; for example, it could be a director of the company, a board of directors, or someone appointed within a company to undertake the role. An IG Lead could be given the authority to sign off policies linked to IG. It is also possible for the person responsible for developing the policy to be the same as the person that has the authority to sign off the policy (e.g. if the owner of an independent pharmacy is preparing the policy themselves). The representative doesn’t need to be a pharmacist.
Q. How often should the pharmacy IG policies and procedures be updated?
A. Once IG policies and procedures are in place, pharmacy contractors should review these annually to ensure they remain relevant and appropriate, for example to ensure they continue to be in line with law in this area.
A data breach may trigger the need to review procedures during the year, for example to ensure they take into consideration lessons learned to prevent future breaches.
Q. Do I need to register with the Information Commissioner’s Office?
A. Yes. The Data Protection Act requires organisations to notify the Information Commissioner’s Office (ICO) if they are processing personal data – all pharmacies process personal data. Guidance on notification can be found on page 47 of the Pharmacy Contractor Workbook and the ICO have further information. If a pharmacy has not notified the ICO, this would be a breach of the Data Protection Act and a criminal offence.
Q. Do the requirements apply to hardcopy data e.g. prescription forms as well as information held electronically?
A. Yes. Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. Information held in hardcopy or in electronic format must be protected but the safeguards may differ. Some of the NHS IG requirements therefore have a specific focus on either digital or hardcopy information.
Q. Are the template SOPs good enough to comply with the NHS Requirements?
A. The template SOPs have been developed by PSNC and the RPSGB with support from the DHSC, NHS Connecting for Health and NHS Employers. They have undergone two phases of consultation led by the PSNC.
A contractor would have to review the template and consider whether it was sufficiently relevant to local circumstances, adapting the template where necessary. For example, the data transfer SOP includes suggested procedures linked to different data transfer methods; if a pharmacy uses a method of transferring information which isn’t covered by the template SOP, the contractor would have to add information on this particular data transfer method into the SOP.
Q. When patients return waste medicines, I currently put these in my controlled waste (DOOP) bin, complete with labels. Is this acceptable?
A. Within the Terms of Service, there is no requirement to process waste other than place it in a bin. It is the responsibility of the NHS England Area Team to organise the disposal of waste. In the terms of the contract which the NHS England Area Team has negotiated with the waste contractor, provision should have been made to safeguard confidential information.
Q. I have had a call from a local police station. They want me to disclose the details of the medication that an individual in custody is taking. Do I need to do this?
A. Personal data (which may be sensitive), including patient information such as name, address and date of birth, should not normally be disclosed without patient consent unless disclosure is otherwise allowed by law. There are a number of exceptional circumstances in which personal data can be disclosed without patient consent, for example where disclosure of personal data is necessary to prevent serious injury or damage to the health of a patient. If so, only the minimum amount of personal data necessary should be disclosed. A key consideration is whether there are any other sources of this data. If a decision is made to disclose without consent, an accurate record must be made of: who the request came from, the reasons for releasing the data without consent, whether you attempted to obtain patient consent (and if not, why not), why patient consent was refused, and what information was disclosed.
Q. Pharmacies have a duty to protect the confidentiality of patients’ sensitive data. How is this duty reconciled when a police officer asks to discuss the prescribing of CDs for patients? Does this mean I must comply, or should I withhold patient details?
A. Police officers or other persons authorised by the Secretary of State who are engaged to routinely check CD registers and officers monitoring the prescribing of CDs may demand production of and to inspect any books or documents relating to CDs – this includes the CD register and any prescriptions that have been retained on the premises. This is carried out to ensure compliance with the Misuse of Drugs legislation, but sometimes it is undertaken to detect persons who are obtaining prescriptions from more than one prescriber.
Powers are granted under the Misuse of Drugs Act 1971 to carry out these routine checks. The persons described above may take copies of documents or in some cases remove original documents from the pharmacy premises as part of their CD responsibilities under the Misuse of Drugs Act. Disclosure in these cases is specifically authorised by the law, and this overrides the duty to protect patient confidentiality. Before disclosing patient data, pharmacists would need to satisfy themselves that the person requesting the data is properly authorised under the Misuse of Drugs Act and that the request for information is consistent with the carrying out of routine checks.
Occasionally a pharmacy may be visited by a police officer who is undertaking an investigation into an alleged serious criminal offence (i.e. not routinely exercising powers under the Misuse of Drugs Act 1971). As this may not be the police officer who normally visits to inspect the registers, pharmacy contractors will wish to verify the identity of the police officer, and receive confirmation that the police officer is investigating a possible serious offence.
Further guidance on the powers of authorised persons under the Misuse of Drugs legislation may be available from the Home Office, the Association of Police Controlled Drugs Liaison Officers, the General Pharmaceutical Council, the NPA (for members) and from the RPS (for members).
Another instance in which police officers may visit the pharmacy is to collect CDs on behalf of patients who are held in police custody. General guidance from Public Health England’s ‘Access to supervised doses of opioid substitution for people in police custody’ advice may be useful.
Q. I recently ordered some ‘made to measure’ hosiery but the manufacturer has requested the patient’s details as part of the ordering process. Is this allowed?
A. To support the efficiency of future orders, ‘made to measure’ hosiery manufacturers may ask for a patient identifier when the order is placed, for example so that the template produced for that individual patient can be re-used in future. It is not appropriate to provide the patient’s name without prior consent. An alternative to the patient’s name could be using the patient’s PMR record number which can be traced back to the patient by the pharmacy or alternatively a unique identification number provided by the manufacturer that the pharmacy can record on the patient’s PMR record for future reference.
Q. I have received an FP10 prescription for an unlicensed “named patient supply” product. Does this mean that I need to provide the manufacturer with the name of the patient?
A. The commonly used term “named patient supply” is incorrect in that the term used in the legislation is “individual patients”. Although there must be an audit trail which ultimately leads to an individual patient, there is no need for those involved in the supply chain to know the name of that patient. Patient identifiable information should not be shared without patient consent.
Q. I can’t obtain a common branded product from my wholesaler. The manufacturer is requesting that I share the prescription form serial number. Does the prescription form identifier link to the patient?
A. A number of manufacturers are requesting that contractors fax anonymised copies of prescriptions before stock is released. PSNC does not believe that this is appropriate as an ongoing measure in managing supply. It is exceptionally burdensome for pharmacies and there is a risk that patient identifiable information will be inadvertently disclosed.
The NHS (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013 require that contractors have an “acceptable” information governance programme, i.e. one that is considered acceptable by NHS England and provides for compliance with approved procedures for information management and security. Compliance with ‘Confidentiality: the NHS Code of Practice’ and the Data Protection Act 1998 are key elements (this means all community pharmacies need to provide information governance assurances to the NHS on an annual basis; these assurances are provided through completion of an online assessment tool, the NHS Information Governance Toolkit (IGT), and the requirements for IG change annually). This requires that personal data (which may be sensitive), such as patient identifiable information, is not shared without patient consent unless disclosure is otherwise allowed by law. Similar requirements on the disclosure of personal data exist under the common law duty of confidentiality. Therefore, before faxing a prescription to a manufacturer, any information that could be used to identify the patient must be obscured / redacted in black ink unless the patient has consented to their personal data being disclosed. A detailed briefing on the legal and ethical provisions that limit or prohibit the use of personal information can be found in the NHS Information Governance: Pharmacy Contractor workbook.
Although the pre-printed serial number on prescription forms is a unique identifier, this identifies the paper form, not an individual patient. For security reasons, local NHS England Teams record details of which forms were issued to which prescribers. This information should not normally be in the public domain.
Specific requirement queries
Requirement 114: Pharmacy IG Lead
Q. Does the IG lead have to be a named individual (for example “Fred Bloggs”) or can it be a position (for example “Pharmacy Manager”)?
A. The pharmacy must be able to show that the role has been appropriately assigned. In the pharmacy’s records, it would be acceptable to document a position, for example, ‘the pharmacy manager’ or ‘Clinical Governance Lead’ rather than a named individual, as long as the staff member(s) concerned are clear from this that they are responsible and it is clear to other staff who the IG Lead is.
Although it is accepted that for practical reasons the role may need to be assigned to a position in some scenarios, where possible, best practice is that the lead is a named individual.
Q. Can one person be the IG lead for more than one pharmacy?
A. Yes. There is flexibility in how the pharmacy structures co-ordination of information handling within the pharmacy. For example if a contractor owns multiple pharmacies, he may feel it appropriate to appoint one central lead with local leads in each store to provide information on local circumstances and support pharmacy implementation of the requirements.
Q. Can a self-employed locum pharmacist be the IG lead for a pharmacy?
A. The IG lead needs to have the appropriate responsibilities to be able to influence procedures and deliver implementation. A locum may be able to fulfil this role, but this will be for local decision. Remember, the IG Lead doesn’t need to be a pharmacist, so if the pharmacy does not have a permanent pharmacist, one option would be for a senior dispenser or non-pharmacist manager to act as IG lead.
The locum will have to give consideration to whether this impacts on their self-employed status for tax purposes.
Requirement 116: Contractual Confidentiality Clauses
Q. Do I need to have a confidentiality clause in the contracts of third party contractors who don’t have access to patient identifiable information?
A. The NHS requirements relate only to protecting patient identifiable information therefore Requirement 116 relates only to the contracts of contractors who have access to patient identifiable information, for example PMR suppliers.
There may be other reasons to include confidentiality clauses in contracts for example protecting information relating to the business that is commercially sensitive. This would be for the contractor to decide and is outwith the scope of the NHS requirements.
Requirement 118: IGSoC
This was removed as a requirement in 2010/11 (version 8 of the Toolkit).
Requirement 208: Mapping and Risk Assessing Information Flows
Q. I’m currently in the process of data mapping and risk assessing all flows of personal information (as set out in Requirement 208). How can I assess the risk of a particular flow?
A. The level of risk is normally established by considering the impact of a potential data loss occurring and the likelihood of a loss taking place. One method of risk assessment is detailed in Appendix 7 of the workbook.
The likelihood of an incident occurring will differ depending on local circumstances, for example if a trusted member of the pharmacy team has been hand-delivering small numbers of prescriptions to a local GP surgery 100m away for many years and there has never been an incident, this would suggest that the likelihood of a data loss occurring in transit is negligible. The impact of that loss is likely to be moderate (small number of patients affected) therefore the risk is low.
In another area, if there have been problems with hand-delivering prescriptions to the surgery, for example problems with the GP surgery reporting they didn’t receive the forms, this would be a higher risk and the pharmacy would have to consider options to mitigate the risk.
Note this requirement was merged with requirement 308 from version 8 of the Toolkit (2010/11) onwards. The evidence requirements remain the same.
Requirement 209: Overseas Transfer
Q. My system supplier doesn’t store data outside of the UK but provides remote assistance from outside of the UK, how do I make sure I comply with the Data Protection Act 1998 and DHSC guidelines?
A. If there are flows outside of the UK, it is important to undertake an appropriate risk assessment and put in place mitigating controls, for example contractual requirements on the supplier. Access should be on a strict need to know basis and only where there are no appropriate alternatives.
Further information is available on the Information Commissioner’s website.
Q. In Requirement 209 what does “data processed outside of the UK” relate to?
A. As part of Requirement 209, you need to consider if information about patients is being transferred outside of the UK (e.g. checking with your PMR supplier that any personal data transmitted electronically remains in the UK). There are no templates for this requirement – it is sufficient to document that the checks have been undertaken e.g. that someone in the pharmacy contacted suppliers and they have confirmed no transfers outside of the UK.
If overseas processing is found to be happening, you need to follow the detailed guidance on overseas transfers and the Data Protection Act 1998 on pages 22-23 and 48 of the workbook.
Requirement 212: Patient Consent
Q. Does requirement 212 relate only to the use of personal information for purposes not directly related to the service for which the information was collected?
A. No. As part of requirement 212, pharmacies must have guidelines in place on seeking consent to use personal data. Depending on the scenario, the consent required may be implied or may need to be explicit. The guidelines should cover how the pharmacy ensures that patients’ decisions to restrict the disclosure of their personal data are appropriately respected, as well as procedures to ensure that patients are generally asked before information is used for purposes that are not directly related to the service. It is for the pharmacy to decide how the guidelines are presented. One option would be to include this information in the Staff Confidentiality Code of Conduct.
Q. Requirements 212 and 214 are very similar. What is the difference between these requirements?
A. Requirement 214 requires pharmacies to have a confidentiality code of conduct. This includes guidance for staff on things like a staff member’s individual responsibility for compliance with the law and how a staff member can ensure information stays confidential. Requirement 212 requires pharmacies to put in place guidelines on seeking consent to use personal information, including for purposes that are not directly related to the service for which the information was collected, and on respecting patient decisions relating to the disclosure of their personal information. The Workbook suggests that the guidelines for collecting consent could be included in the staff confidentiality code of conduct.
Requirement 213: Patient Awareness
Q. I run a wholly mail order business. Do I need to have a patient leaflet on the use of patient information?
A. Yes. By 31st March 2011, all pharmacies are required to make a leaflet available with comprehensive information on how patient information is used by the pharmacy. The pharmacy will need to give consideration to how patients can access the leaflet, for example sent regularly to all patients, sent once to all patients and then to new patients who use the service, or made available on the website with a pointer to it.
It could be a stand-alone leaflet or relevant content in existing practice leaflets could be adapted and expanded.
Note, it is a legal requirement through the Data Protection Act to make “fair processing information” available. More information about ‘privacy notices’ can be found on the Information Commissioner’s website.
Requirement 304 (was 119): RA01 / Smartcards
Q. I am currently using EPS Release 1 and no staff in my pharmacy have EPS Release 2 Smartcards (RA01 Terms and Conditions). Do I need to comply with requirement 304 (Smartcards)?
A. No. This requirement relates to monitoring and enforcement processes to ensure staff compliance with the RA01 terms and conditions that apply to EPS Release 2 smartcards. This requirement can be marked ‘not relevant’ if no staff in the pharmacy have EPS Release 2 cards. Following requests from contractors who do need to comply with this requirement, PSNC has developed a simple ‘ensuring staff compliance with RA01 terms’ template SOP. This can be downloaded from the Templates section of the site.
Q. Where can the RA01 form be found?
A. This is available from Registration Authorities. All pharmacists and relevant staff will be required to sign up to the conditions set out in the RA01 form to gain access to EPS Release 2. Pharmacy contractors were not required to sign up to these terms for Release 1.
Requirement 316: Information Asset Register
Q. I currently maintain a comprehensive list of the hardware and software I own for insurance purposes. Do I need to also maintain this information in a separate Information Asset Register?
A. There are no mandatory requirements for how the information asset register should be structured but it should include information on information stored (e.g. patient databases), hardware, software and services (e.g. broadband connectivity). Where the pharmacy maintains information on software, hardware or services in a separate asset register for accounting, insurance or business continuity purposes, an option is to do a cross reference from the relevant sections in the information asset register to the relevant register or location that this information is stored to prevent duplicating effort.
Q. I use a laptop in the pharmacy for connecting to the internet for drug information but it does not hold any patient sensitive information. Do I need to declare this in my Information Asset Register?
A. The purpose of an information asset register is to identify all relevant hardware, software and information so that it can be appropriately protected. Although the laptop does not contain patient information, it may still pose a risk to information held on the local network, and actions may therefore still be needed to manage that risk. For example, if the laptop connects to the pharmacy network and is used to access the internet, one risk is that if the anti-virus on the laptop isn’t updated regularly, the laptop could introduce viruses to the local network that could compromise the security of information held on other computers connected to the network. Pharmacies should use their judgement, based on local circumstances, as to which pieces of hardware should be recorded on the asset register.
Q. On the template ‘Portable Equipment: Asset Control Form’, there is a section for “Asset number” and “Mobile number”. What do these refer to?
A. The intention of including ‘asset number’ in the template register was to provide a reference to link between the register and the asset itself for tracking purposes. For example, a pharmacy may find it helpful to include a sticker on the asset with an assigned asset reference number.
The intention of the ‘mobile number’ field was to record mobile phone numbers; note, however, that under this requirement it is only necessary to track mobile phones that are being used to store personal information.
The templates are a guide but should be customised, where necessary, to suit local circumstances.
Requirement 317: Physical Security of Premises
Q. I am about to undertake my premises risk assessment. I have developed a risk assessment form based on the template on the PSNC Website. For many of the questions, I don’t have the specific physical security controls in place; however, I am in an area of low crime. Do I need to invest in e.g. security cameras?
A. The level of risk is normally established by considering the impact of a data loss and the likelihood of that loss taking place. One method of risk assessment is detailed in Appendix 7 of the workbook.
It is for a contractor to assess the risk they face based on local circumstances. Two identical pharmacies holding the same information, computers and stock may have quite different physical security needs if one is located in an area of high crime and the other in a low crime area. While the impact of a burglary at either pharmacy would be the same, the actual probability of a burglary taking place will be quite different, and therefore the security measures at each will differ. The risk level needs to be kept under review as circumstances change.
Requirement 318: Mobile Computing Systems
Q. I currently don’t use any mobile computing systems in my pharmacy. There is no ‘Not Applicable’ option on the Toolkit, how should I record this requirement?
A. If the pharmacy does not use any mobile computing devices, i.e. there are no laptops or PDAs and no portable devices used to hold or transfer personal information (e.g. USB sticks and CDs/DVDs), ‘Level 3’ can be recorded, but the pharmacy should insert a comment in the text field stating that the requirement is not applicable and that its policy is to have no mobile computing devices. For example: “Requirement not applicable, this pharmacy does not use removable or portable computing equipment including CDs/DVDs and USB sticks.” The pharmacy should ensure that staff do not use mobile computing devices in their role.
Q. I have heard that I need to encrypt my computers to reach level 2 of the NHS Information Governance Toolkit. Is this correct?
A. Whilst there is not a specific requirement in the Data Protection Act to encrypt computers containing personal information, contractors must ensure that personal information is adequately protected. Encryption supports the protection of information and therefore supports compliance with the Data Protection Act.
The Information Commissioner’s Office has issued guidance on their approach to encryption. The guidance states that, “There have been a number of reports recently of laptop computers, containing personal information which have been stolen from vehicles, dwellings or left in inappropriate places without being protected adequately. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.
The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information. Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation’s security policy and using best practice methodologies such as using the International Standard 27001.
There are a number of different commercial options available to protect stored information on mobile and static devices and in transmission, such as across the internet.”
All contractors should therefore be giving consideration to the encryption of computers containing personal information.
Encryption is referred to in relation to NHS IG requirement 318 (mobile computing). The guidance for this requirement states, “Patient identifiable information stored on a PC hard drive or other removable device in a non-secure area or on a portable device such as a laptop, PDA or mobile phone should be encrypted. It is recognised however that this may take some time to achieve. Therefore, as an interim measure, if following a risk assessment it is felt that continued reliance upon unencrypted data is necessary for the benefit of patients, the outcome of the risk assessment must be reported to the most senior person in the organisation, so that he/she is appropriately accountable for the decision to accept data vulnerability or to curtail working practices in the interests of data security.” Therefore encryption is not mandatory to achieve Level 2 compliance with the NHS IG requirements as outlined in version 9 of the IG Toolkit.
Expert guidance on encryption of computers should be sought from system suppliers. There is a risk of some solutions slowing down or interrupting the operation of the PMR system if the solution isn’t tested or if implementation isn’t properly managed. System suppliers are giving consideration to the most appropriate solutions for their customers.
The 2010/11 community pharmacy contractual framework funding settlement included provision for the costs of PC renewal in community pharmacies.
Q. I would like to arrange encryption of my laptop. How can this be achieved?
A. We would recommend taking expert advice from your system supplier.
Q. I have a laptop in my consultation area that I use to store patient information but it is used like a desktop and never removed from the pharmacy. Is it still regarded as ‘mobile computing’?
A. Yes. The requirement aims to ensure that all portable devices are secure. If the device holds patient information, it must be protected. Laptops and similar devices are at greater risk of being stolen even if they are never removed from the pharmacy, so the appropriate measures outlined in requirement 318 must be taken.
Q. I use a mobile device for connecting to the internet for drug information but it does not hold any patient sensitive information. Do I need to take the actions outlined in Requirement 318?
A. Requirement 318 relates to safeguarding mobile devices that are used to store personal information. Therefore, if the device contains no personal information, it is not necessary under the NHS Information Governance requirements to record staff use or to provide guidance on use of the device. However, the pharmacy may still find it beneficial to do this for other reasons, for example to minimise the risk of theft.
Requirement 319: Business continuity
Q. Are pharmacies required to have a business continuity plan?
A. Yes. In 2015 the requirement came into force, meaning that pharmacies are no longer exempt from having a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.