Information Governance and Data Security and Protection
Community pharmacy contractors are required to give information governance assurances to the NHS each year via an online self-assessment.
The Information Governance Toolkit was updated in 2019 to include the General Data Protection Regulations (GDPR) and the National Data Guardian’s ten data security standards and is now called the Data Security and Protection (DSP) toolkit.
Pharmacies are contractually required to complete the DSP toolkit each year. Non-compliance is considered a breach of the NHS contract and could result in loss or request for return of funding for NHS Advanced Services. It is also a pre-requisite for provision of an NHSmail account so non-completion could impact on eligibility to be involved in the Community Pharmacist Consultation Service and fulfilment of the Pharmacy Quality Scheme criteria.
The DSP Toolkit for 2022/23 has be updated and consists of 42 mandatory and 35 optional DSP questions.
Completing the Toolkit
- Log-in to the NHS Digital DSP toolkit using your NHSmail email address
- Revisit the completed PSNC GDPR workbook (part 3) that was used for last year's submission and update any information as necessary. A total of around 19 of the 42 mandatory DSP questions can be completed using this as evidence.
- Confirm that NHSmail is the only email system used by the pharmacy to transfer patient information, where applicable, this will result in two toolkit questions being automatically completed.
- PMR providers can help complete 18 PMR mandatory technical questions with standard responses that have been developed.
- Complete the remaining 23 mandatory questions
If you need technical support on using the Toolkit including obtaining access rights and password resets contact the Exeter Helpdesk:
Telephone: 0300 3034 034
The Information Services team is on hand to help with completion of the toolkit:
Telephone: 0800 7835 709 option 2
What resources are available?
A range of resource documents and templates that can be used by Numark members to evidence compliance with the ten data security standards are available to download:
|Numark Resource||Description||Relevance in DSP Toolkit|
|Business Continuity Plan||A plan designed to assist in dealing with issues experienced in the pharmacy to maintain the continuity of service provision||Required for standards within 7.1 and 7.2|
|Data Security and Protection Policy||A policy to safeguard the movement of personal data within the pharmacy||Required for standards within 1.2, 1.3 and 1.4|
|Data Quality Policy||A policy for maintaining data quality within the pharmacy||Required for standards within 1.7|
|Template for Information Assets Register||A recording template for detailing use and sharing of personal information||Required for standards within 1.4, 1.6,4.1 and 8.2|
|Information Assets Register Guidance||Guidance for completing the Information Assets register||Can be used when completing an Information Assets Register|
|Data Protection Impact Assessment||A template to assess the impact of the use of any personal data when considering any major projects||Required for standards within 1.6 and 7.1|
|Pharmacy Information Flow Map||A map of personal information sent to or received by the pharmacy||Can be used as part of a Data Protection Impact Assessment and within 1.4|
|New Starter Induction Workbook||An induction workbook incorporating data security and protection||Required for standard 2.2.1|
|Responsibilities and Roles of Pharmacy Staff SOP||A SOP detailing roles and responsibilities of pharmacy staff including a table of current staff roles||Required for standards within 4.1|
|Subject Access and Erasure Rectification SOP||A SOP to ensure compliance with data protection legislation and procedures to follow to ensure compliance||Required for standards within 1.1 and 1.4|
|Record of Subject Access Requests||A table for recording any Subject Access Requests||To be used in conjunction with SOP|
|Information Security Incident Management Procedure||A procedure for dealing with personal data breaches||Required for standards within 4.2 and 6.1|
|Information Security Incident Report Form||A reporting form to use alongside the management procedure||To be used in conjunction with the management procedure|
|Privacy Notice||A notice detailing how personal data is processed||Required for standards within 1.1|