Community pharmacy contractors are required to give information governance assurances to the NHS each year via an online self-assessment.
The Information Governance Toolkit has been updated to include the General Data Protection Regulation (GDPR) and the National Data Guardian’s ten data security standards, and is now called the Data Security and Protection (DSP) toolkit.
Pharmacies are contractually required to complete the DSP toolkit by March 31st each year. Non-compliance is considered a breach of the NHS contract and could result in loss or request for return of funding for NHS Advanced Services. It is also a pre-requisite for provision of an NHSmail account so non-completion could impact on eligibility to provide NUMSAS and fulfilment of Quality Payment criteria.
The DSP Toolkit consists of 70 mandatory and 61 optional DSP questions. Of the 70 mandatory questions, between 32 and 49 can be automatically marked as completed by updating information in the Organisation Profile webpage and confirming the pharmacy PMR provider within the toolkit.
Completing the Toolkit
- Register to access the new toolkit via the NHS Digital DSP toolkit website. You will need the pharmacy ODS code and an NHSmail address to do this.
- Complete the PSNC GDPR workbook (part 3), if not already completed, as part of compliance with the GDPR legislation introduced on May 25th 2018. By confirming the workbook has been completed and uploading it into the Organisation Profile, a total of between 32 and 37 (i.e. approximately 50%) of the 70 mandatory DSP questions will be auto-completed.
- Confirm that NHSmail is the only email system used by the pharmacy to transfer patient information, where applicable. This will result in two toolkit questions being automatically completed.
- Set up your PMR provider with a ‘member’ account within the user list. They can then manually complete 12 PMR mandatory technical questions with standard responses that have been developed. Alternatively, PMR providers will supply the responses required for contractors to complete the assertions themselves.
- Complete the remaining 21 to 26 mandatory questions that have not already been auto-completed.
If you need technical support on using the Toolkit, including obtaining access rights and password resets, contact the Exeter Helpdesk:
Telephone: 0300 3034 034
The Information Services team is on hand to help with completion of the toolkit:
Telephone: 0800 7835 709 option 2*
What resources are available?
A range of resource documents and templates that can be used by Numark members to evidence compliance with the ten data security standards are available to download:
| Numark Resource | Description | Relevance in DSP Toolkit |
|---|---|---|
| Business Continuity Plan | A plan designed to assist in dealing with issues experienced in the pharmacy to maintain the continuity of service provision | Required for standards within 7.1 and 7.2 |
| Data Security and Protection Policy | A policy to safeguard the movement of personal data within the pharmacy | Required for standards within 1.2 |
| Data Quality Policy | A policy for maintaining data quality within the pharmacy | Required for standards within 1.7 |
| Template for Information Assets Register | A recording template for detailing use and sharing of personal information | Required for standards within 2.1, 4.1 and 10.1 |
| Information Assets Register Guidance | Guidance for completing the Information Assets register | Can be used when completing an Information Assets Register |
| Data Protection Impact Assessment | A template to assess the impact of the use of any personal data when considering any major projects | Required for standards within 1.6 |
| Pharmacy Information Flow Map | A map of personal information sent to or received by the pharmacy | Can be used as part of a Data Protection Impact Assessment |
| New Starter Induction Workbook | An induction workbook incorporating data security and protection | Required for standard 2.3.1 |
| Responsibilities and Roles of Pharmacy Staff SOP | A SOP detailing roles and responsibilities of pharmacy staff including a table of current staff roles | Required for standards within 4.1 |
| Subject Access and Erasure Rectification SOP | A SOP to ensure compliance with data protection legislation and procedures to follow to ensure compliance | Required for standard 1.3.5 |
| Record of Subject Access Requests | A table for recording any Subject Access Requests | To be used in conjunction with SOP |
| Information Security Incident Management Procedure | A procedure for dealing with personal data breaches | Required for standards within 6.1 |
| Information Security Incident Report Form | A reporting form to use alongside the management procedure | To be used in conjunction with the management procedure |
| Privacy Notice | A notice detailing how personal data is processed | Required for standards within 1.3 |