Data security, IG and Toolkit FAQs
Published on: 23rd July 2013 | Updated on: 25th March 2022
This webpage sets out detailed data security FAQs set out below.
See also: A summary Data security one-page factsheet summarised the most common FAQs.
Q. What happens if I don’t complete my submission by the deadline?
The Toolkit isn’t ‘locked’ at midnight on the deadline date therefore it may be technically possible to still make a submission after the deadline. If a pharmacy has missed the deadline date, we would recommend contacting your local NHS England team to discuss this.
Q. On the Toolkit, there are fields asking to record the location of evidence or to upload evidence. Do I need to complete these fields?
No. It is important to make some comments to support your score, this could be by making some comments in the comments box or ticking the relevant evidence obtained boxes but it is not mandatory to complete the optional fields to record where each piece of evidence is located or to upload evidence such as policies and procedures. Note some evidence will include commercially sensitive information and would therefore be inappropriate to upload.
Q. For a multiple pharmacy, when registering for access to the Toolkit, is it possible to register using the same name and log-in email for each premises and just change the ODS code?
Yes, this is possible but the batch submission process should be followed.
Q. Can a Head Office staff member view the submissions of individual stores?
It is now possible for a Head Office staff member to centrally view the submissions of individual stores through a central log-in. To access this functionality, contact the Helpdesk (0845 3713671) with the name and address of the pharmacy head office.
Q. If there is a change of ownership of the pharmacy and the pharmacy ODS Code (F Code) remains the same, how should the new owner register to access the tookit?
The new owner would need to contact the Exeter helpdesk (0845 3713671). The account of the previous owner can be locked and the new owner registered against that ODS Code.
Q. To register for the Toolkit, I need to provide my email address. What will this be used for?
You may receive reminders.
Q. Once I’ve registered for the Toolkit, how do I update my registered email address or other information?
To update details users need to log-in and then select the ‘Organisation Profile’. Users can also change their password.
Q. I have already submitted my baseline data security Assessment. When can I next submit an assessment?
Pharmacies are required to make an annual assessment. Once an assessment has been submitted it is not possible to withdraw a submission so it is important to ensure that the scores accurately reflect the assessment status of the pharmacy. Any improvements in the scores should be entered into the next version of the Toolkit.
Q. I have just discovered I have made a mistake in my submission. Can I correct the answers after clicking the submit button?
It is not possible to withdraw or edit a submission once the ‘submit’ button has been pressed. If a significant error has been made, contact the Exeter Helpdesk (Exeter.email@example.com or 0845 3713671) who will consider the request. Alternatively if it is a significant error and the Helpdesk is unable to provide support, contact your local NHS England team.
Q. Can a local NHS England team take action against a pharmacy contractor who does not achieve the required level by the deadline date?
A number of changes were made to the Terms of Service back in 2011 so that pharmacies were to comply with an approved information governance programme. In practice, this means achieving the level with the nationally specified data security requirements, and making an annual declaration via the Toolkit.
Pharmacies are also required to be compliant with data protection legislation and the NHS Code of Practice on Confidentiality.
The Information Commissioner’s Office (ICO) enforces and oversees data protection legislation. ICO has powers to fine organisations up to as a penalty for serious breaches of data protection legislation. When serving monetary penalties, the Information Commissioner will carefully consider the circumstances, including the seriousness of the data breach; the likelihood of substantial damage and distress to individuals; whether the breach was deliberate or negligent and what reasonable steps the organisation has taken to prevent breaches. The ICO has published guidance on what they consider to be ‘reasonable steps’. This includes things like putting in place appropriate policies and procedures, undertaking risk assessments and putting in place appropriate mitigation to safeguard data and having good governance/audit arrangements to prevent contraventions of data protection regulations. These are all actions that the NHS requires evidence of through the Toolkit.
The ICO may also prosecute those who commit criminal offences under data protection legislation.
A local NHS England team may investigate a pharmacy that has not completed an annual return via the Toolkit to satisfy itself that the pharmacy is meeting the Terms of Service requirements.
Q. I have both an LPS Contract and a General Pharmaceutical Services contract. Both are linked to the same premises. Do I need to complete 2 submissions?
Given that both contracts are linked to the same premises, it may be appropriate to have only one submission which provides assurances to the on the management of information obtained under both contracts at the premises. But there may be differences depending on the nature of services provided under the LPS, therefore we recommend discussing this with your local NHS England team.
Since 2013, responsibility for monitoring and supporting pharmacy information governance passed has been with local NHS England.
Q. My local NHS England team has asked me to share a copy of my action plan with them. Do they not have access to this through the Toolkit?
No – local NHS England teams cannot access your action plan through the Toolkit.
Whilst carrying out an assessment you should enter both a current score (your pharmacy’s assessment score for the current year) and a target score (the score you intend to attain on your next assessment), by doing this an action plan is created (known as an ‘implementation plan’ or ‘improvement plan’ in the Toolkit). This can be downloaded to Microsoft word and printed.
Pharmacies should ensure that their action plan is filed locally so that it is available to show to local NHS England team officials during support visits (which may be part of contractor monitoring visits) to the pharmacy. There is no mandatory requirement to post or fax action plans to local NHS England teams, however, where the local NHS England team is working to provide support to pharmacies in meeting the requirements, pharmacies may find it helpful to submit their copy.
Q. How often should the pharmacy data security policies and procedures be updated?
Once data security policies and procedures are in place, pharmacy contractors should review these annually to ensure they remain relevant and appropriate, for example to ensure they continue to be in line with law in this area.
A data breach may trigger the need to review procedures during the year, for example to ensure they take into consideration lessons learned to prevent future breaches.
Q. Do I need to register with the Information Commissioner’s Office?
Yes. Data protection legislation requires organisations to notify the Information Commissioner’s Office (ICO) if they are processing personal data – all pharmacies process personal data. Guidance on notification can be found ICO’s website. If a pharmacy has not notified the ICO, this would be a breach of data protection legislation and a criminal offence.
Q. Do the requirements apply to hardcopy data e.g. prescription forms as well as information held electronically?
Yes. Data security ensures necessary safeguards for, and appropriate use of, patient and personal information. Information held in hardcopy or in electronic format must be protected but the safeguards may differ.
Q. Are the template SOPs good enough to comply with the NHS Requirements?
Many of the template SOPs have been developed by PSNC and the RPS with support from the DHSC, NHS Digital and NHS Employers.
A contractor would have to review the template and consider whether they were sufficiently relevant to local circumstances, adapting the templates where necessary. For example the data transfer SOP includes suggested procedures linked to different data transfer methods – if a pharmacy uses a method of transferring information which isn’t covered by the template SOP; the contractor would have to add information on this particular data transfer method into the SOP.
Q. I have had a call from a local police station. They want me to disclose the details of the medication that an individual in custody is taking. Do I need to do this?
Personal data (which may be sensitive) includes patient information e.g. name, address, dob etc. should not normally be disclosed without patient consent or otherwise allowed by law. There are a number of exceptional circumstances in which personal data can be disclosed without patient consent, for example, where disclosure of personal data is necessary to prevent serious injury or damage to the health of a patient. If so, only the minimum amount of personal data necessary should be disclosed. A key consideration is whether there are any other sources of this data. If a decision is made to disclose without consent, an accurate record must be made of: who the request came from, the reasons for releasing the data without consent, whether you attempted to obtain patient consent, and if not why not, why patient consent was refused and what information was disclosed.
Q. Pharmacies have a duty to protect the confidentiality of patient’s sensitive data. How is this duty reconciled when a police officer asks to discuss the prescribing of CDs for patients. Does this mean I must comply, or should I withhold patient details?
Police officers or other persons authorised by the Secretary of State who are engaged to routinely check CD registers and officers monitoring the prescribing of CDs may demand production of and to inspect any books or documents relating to CDs – this includes the CD register and any prescriptions that have been retained on the premises. This is carried out to ensure compliance with the Misuse of Drugs legislation, but sometimes it is undertaken to detect persons who are obtaining prescriptions from more than one prescriber.
Powers are granted under the Misuse of Drugs Act 1971 to carry out these routine checks . The persons described above may take copies of documents or in some cases remove from the pharmacy premises original documents as part of their CD responsibilities under the Misuse of Drugs Act. Disclosure in these cases is specifically authorised by the law, and this overrides the duty to protect patient confidentiality. Before disclosing patient data, pharmacists would need to satisfy themselves that the person requesting the data is properly authorised under the Misuse of Drugs Act and that the request for information is consistent with the carrying out of routine checks.
Occasionally a pharmacy may be visited by a police officer who is undertaking an investigation into an alleged serious criminal offence (i.e. not routinely exercising powers under the Misuse of Drugs Act 1971). As this may not be the police officer who normally visits to inspect the registers, pharmacy contractors will wish to verify the identity of the police officer, and receive confirmation that the police officer is investigating a possible serious offence.
Further guidance on the powers of authorised persons under the Misuse of Drugs legislation may be available from the Home Office, the Association of Police Controlled Drugs Liaison Officers, the General Pharmaceutical Council, the NPA (for members) and from the RPS (for members).
The other instances that arise where police officers may visit the pharmacy is to collect CDs on behalf of patients who are held in police custody. General guidance from Public Health England’s ‘Access to supervised doses of opioid substitution for people in police custody advice’ available here may be useful.
Q. I recently ordered some ‘made to measure’ hosiery but the manufacturer has requested the patient’s details as part of the ordering process. Is this allowed?
To support the efficiency of future orders, ‘made to measure’ hosiery manufacturers may ask for a patient identifier when the order is placed, for example so that the template produced for that individual patient can be re-used in future. It is not appropriate to provide the patient’s name without prior consent. An alternative to the patient’s name could be using the patient’s PMR record number which can be traced back to the patient by the pharmacy or alternatively a unique identification number provided by the manufacturer that the pharmacy can record on the patient’s PMR record for future reference.
Q. I have received an FP10 prescription for an unlicensed “named patient supply” product. Does this mean that I need to provide the manufacturer with the name of the patient?
The commonly used term “named patient supply” is incorrect in that the term used in the legislation is “individual patients” and although there must be an audit trail which ultimately leads to an individual patient, there is no need for those involved in the supply chain to know the name of that patient. Patient identifiable information should not be shared without patient consent.
Q. I can’t obtain a common branded product from my wholesaler. The manufacturer is requesting that I share the prescription form serial number. Does the prescription form identifier link to the patient?
A number of manufacturers are requesting that contractors fax anonymised copies of prescriptions before stock is released. PSNC does not believe that this is appropriate as an ongoing measure in managing supply. It is exceptionally burdensome for pharmacies and there is a risk that patient identifiable information will be inadvertently disclosed.
Contractors should have an “acceptable” information governance programme – if it is considered acceptable by NHS England and includes an information governance programme which provides for compliance with approved procedures for information management and security. Compliance with ‘Confidentiality: the NHS Code of Practice’ and data protection legislation are key elements (this means all community pharmacies need to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the Toolkit. Requirements for data security change annually. This requires that personal data (which may be sensitive) such as patient identifiable information is not shared without patient consent or is otherwise allowed by law. Similar requirements on the disclosure of personal data exist under the common law duty of confidentiality. Therefore, before faxing a prescription to a manufacturer, any information that could be used to identify the patient must be obscured / redacted in black ink unless the patient has consented to their personal data being disclosed. A detailed briefing on the legal and ethical provisions that limit or prohibit the use of personal information can be found in the NHS Information Governance: Pharmacy Contractor workbook.
Although the pre-printed serial number on prescription forms is a unique identifier, this identifies the paper form, not an individual patient. For security reasons, local NHS England team’s record details of which forms were issued to which prescribers. This information should not normally be in the public domain.
Q. Does the data security lead have to be a named individual (for example “Fred Bloggs”) or can it be a position (for example “Pharmacy Manager”)?
The pharmacy must be able to show that the role has been appropriately assigned. In the pharmacy’s records, it would be acceptable to document a position, for example, ‘the pharmacy manager’ or ‘Clinical Governance Lead’ rather than a named individual, as long as the staff member(s) concerned are clear from this that they are responsible and it is clear to other staff who the data security Lead is.
Although it is accepted that for practical reasons the role may need to be assigned to a position in some scenarios, where possible, best practice is that the lead is a named individual.
Q. Can one person be the data security lead for more than one pharmacy?
Yes. There is flexibility in how the pharmacy structures co-ordination of information handling within the pharmacy. For example if a contractor owns multiple pharmacies, he may feel it appropriate to appoint one central lead with local leads in each store to provide information on local circumstances and support pharmacy implementation of the data security standard.
Q. Can a self-employed locum pharmacist be the data security lead for a pharmacy?
The data security lead needs to have the appropriate responsibilities to be able influence procedures and deliver implementation. A locum may be able to fulfil this role, but this will be for local decision. Remember, the data security Lead doesn’t need to be a pharmacist so if the pharmacy does not have a permanent pharmacist, one option would be for a senior dispenser or non-pharmacist manager to act as data security lead.
The locum will have to give consideration to whether this impacts on their self-employed status for tax purposes.
Q. Do I need to have a confidentiality clause in the contracts of third party contractors who don’t have access to patient identifiable information?
The Toolkit relate only to protecting patient identifiable information, for example PMR data.
There may be other reasons to include confidentiality clauses in contracts for example protecting information relating to the business that is commercially sensitive. This would be for the contractor to decide and is out of the scope of the Toolkit.
Q. I’m currently in the process of data mapping and risk assessing all flows of personal information. How can I assess the risk of a particular flow?
The level of risk is normally established by considering the impact of a potential data loss occurring and the likelihood of a loss taking place.
The likelihood of an incident occurring will differ depending on local circumstances, for example if a trusted member of the pharmacy team has been hand-delivering small numbers of prescriptions to a local GP surgery 100m away for many years and there has never been an incident, this would suggest that the likelihood of a data loss occurring in transit is negligible. The impact of that loss is likely to be moderate (small number of patients affected) therefore the risk is low.
In another area, if there have been problems with hand-delivering prescriptions to the surgery, for example problems with the GP surgery reporting they didn’t receive the forms, this would be a higher risk and the pharmacy would have to consider options to mitigate the risk.
Q. My system supplier doesn’t store data outside of the UK but provides remote assistance from outside of the UK, how do I make sure I comply with data protection legislation and DHSC guidelines?
If there are flows outside of the UK, it is important to undertake an appropriate risk assessment and put in place mitigating controls, for example contractual requirements on the supplier. Access should be on a strict need to know basis and only where there are no appropriate alternatives.
Further information available on the Information Commissioner’s website here.
Q. What does “data processed outside of the UK” relate to?
As part of Toolkit, you need to consider if information about patients is being transferred outside of the UK (e.g. checking with your PMR supplier that any personal data transmitted electronically remains in the UK). As of 2021, there were not currently requests for a specific template for this – it is sufficient to document that the checks have been undertaken e.g. that someone in the pharmacy contacted suppliers and they have confirmed no transfers outside of the UK.
Q. I run a wholly mail order business. Do I need to have a patient leaflet on the use of patient information?
Yes. By all pharmacies are required to make a leaflet available with comprehensive information on how patient information is used by the pharmacy. The pharmacy will need to give consideration to how pharmacies can access the leaflet, for example sent regularly to all patients, sent once to all patients and then to new patients who use the service or made available on the website with a pointer to it.
It could be a stand-alone leaflet or relevant content in existing practice leaflets could be adapted and expanded.
Privacy notices templates are found at: psnc.org.uk/dstemplates.
Q. I currently maintain a comprehensive list of the hardware and software I own for insurance purposes. Do I need to also maintain this information in a separate Information Asset Register?
There are not detailed specifics for how the information asset register should be structured but it should include information on information stored (e.g. patient databases), hardware, software and services (e.g. broadband connectivity). Where the pharmacy maintains information on software, hardware or services in a separate asset register for accounting, insurance or business continuity purposes, an option is to do a cross reference from the relevant sections in the information asset register to the relevant register or location that this information is stored to prevent duplicating effort. Templates are found at: psnc.org.uk/dstemplates.
Q. I use a laptop in the pharmacy for connecting to the internet for drug information but it does not hold any patient sensitive information. Do I need to declare this in my Information Asset Register?
The concept behind having an information asset register is identifying all relevant hardware, software and information to ensure it can be appropriately protected. Although the laptop does not contain patient information, it still may pose risks to information held on the local network and therefore actions may still need to be taken to manage any risks. For example, if the laptop connects to the pharmacy network and is used to access the internet, one risk is that if the anti-virus on the laptop isn’t updated regularly, the laptop could introduce viruses to the local network that could compromise the security of information held on other computers connected to the network. Pharmacies should use their judgement based on local circumstances on which pieces of hardware should be recorded on the asset register.
Q. On the template ‘Portable Equipment: Asset Control Form’, there is a section for “Asset number” and “Mobile number”. What do these refer to?
The intention of including ‘asset number’ in the template register was to provide a reference to link between the register and the asset itself for tracking purposes. For example, a pharmacy may find it helpful to include a sticker on the asset with an assigned asset reference number.
The intention of the ‘mobile number’ field was to record mobile phone numbers however note it is only necessary to track mobile phones that are being used to store personal information.
The templates are a guide but should be customised, where necessary, to suit local circumstances.
Q. I am about to undertake my premises risk assessment. I have developed a risk assessment form based on the template on the PSNC Website. For many of the questions, I don’t have the specific physical security controls in place however I am in an area of low crime. Do I need to invest in e.g. security cameras?
The level of risk is normally established by considering the impact of a data loss and the likelihood of that loss taking place. One method of risk assessment is detailed in Appendix 7 of the workbook.
It is for a contractor to assess the risk they face based on local circumstances. Two identical pharmacies holding the same information, computers and stock may have quite different physical security needs if one is located in an area of high crime and the other in a low crime area. While the impact of a burglary of either pharmacy will be the same – the actual probability of the burglary taking place will be quite different – and therefore the security measures at each will differ. The risk level needs to be kept under review as circumstances change.
Q. I currently don’t use any mobile computing systems in my pharmacy. How should I record this?
If the pharmacy does not use any mobile computing devices i.e. there are no laptops and PDAs, nor any portable device used to hold or transfer personal information (e.g. USB sticks and CDs/DVDs), the pharmacy can insert a comment in the text field that states the topic is not applicable, and that their policy is that they have no mobile computing devices. For example: “This pharmacy does not use removable or portable computing equipment including CDs/DVDs and USB sticks.” The pharmacy should ensure that staff do not use mobile computing devices in their role.
Q. I have heard that I need to encrypt my computers. Is this correct?
The Information Commissioner’s Office has issued guidance on their approach to encryption. The guidance states that, “There have been a number of reports recently of laptop computers, containing personal information which have been stolen from vehicles, dwellings or left in inappropriate places without being protected adequately. The Information Commissioner has formed the view that in future, where such losses occur and where encryption software has not been used to protect the data, regulatory action may be pursued.
The ICO recommends that portable and mobile devices including magnetic media, used to store and transmit personal information, the loss of which could cause damage or distress to individuals, should be protected using approved encryption software which is designed to guard against the compromise of information. Personal information, which is stored, transmitted or processed in information, communication and technical infrastructures, should also be managed and protected in accordance with the organisation’s security policy and using best practice methodologies such as using the International Standard 27001.
There are a number of different commercial options available to protect stored information on mobile and static devices and in transmission, such as across the internet.”
All contractors should therefore be giving consideration to the encryption of computers containing personal information.
Encryption is referred to in relation to the NHS data security on mobile computing. The guidance for this states, “Patient identifiable information stored on a PC hard drive or other removable device in a non-secure area or on a portable device such as a laptop, PDA or mobile phone should be encrypted. It is recognised however that this may take some time to achieve. Therefore, as an interim measure, if following a risk assessment it is felt that continued reliance upon unencrypted data is necessary for the benefit of patients, the outcome of the risk assessment must be reported to the most senior person in the organisation, so that he/she is appropriately accountable for the decision to accept data vulnerability or to curtail working practices in the interests of data security.”
Expert guidance on encryption of computers should be sought from system suppliers. There is a risk of some solutions slowing down or interrupting the operation of the PMR system if the solution isn’t tested or if implementation isn’t properly managed. System suppliers are giving consideration to the most appropriate solutions for their customers.
Q. I would like to arrange encryption of my laptop. How can this be achieved?
We would recommend taking expert advice from your system supplier.
Q. I have a laptop in my consultation area that I use to store patient information but it is used like a desktop and never removed from the pharmacy. Is it still regarded as ‘mobile computing’?
Yes. The Toolkit is aiming to ensure that all portable devices are secure. If the device has patient information on it, it must be protected. There is a greater risk of laptops etc being stolen even if they are not removed from the pharmacy, therefore the appropriate measures as must be taken.
Q. I use a mobile device for connecting to the internet for drug information but it does not hold any patient sensitive information. Do I need to take the actions?
This topic relates to safeguarding mobile devices that are used to store personal information. Therefore if the device contains no personal information, it would not be necessary under the data security to record staff use and provide guidance on use of the device. However the pharmacy may still find benefits in doing this for other reasons, for example to minimise the risk of theft.
Q. Are pharmacies required to have a business continuity plan?
Yes, since 2015 pharmacies are no longer exempt from having a business continuity plan in place. Guidance on developing a plan can be found in the clinical governance section of the website.
If you have queries on this webpage or you require more information please contact firstname.lastname@example.org.
For more information on this topic please email email@example.com