Data security, IG and Toolkit FAQs

Q. What happens if I don’t complete my submission by the deadline ,and intend to submit shortly after the deadline?
The Toolkit is not locked at midnight on the deadline date, so it may still be technically possible to submit afterwards. If you miss the deadline, contact your local NHS England team to discuss next steps.

Q. On the Toolkit, there are fields asking to record the location of evidence or to upload evidence. Do I need to complete these fields?
No. You should add comments to support your score, either in the comments box or by ticking the relevant evidence boxes. It is not mandatory to record where each piece of evidence is located or to upload documents such as policies. Some evidence may be commercially sensitive and should not be uploaded.

Q. For a multiple pharmacy, when registering for access to the Toolkit, is it possible to register using the same name and log‑in email for each premises and just change the ODS code?
Yes, this is possible, but the batch submission process must be followed.

Q. Can a Head Office staff member view the submissions of individual stores?
Yes. A Head Office staff member can now centrally view submissions through a central log‑in. To access this, contact the DSPTK query contact point with the name and address of the pharmacy head office.

Q. If there is a change of ownership of the pharmacy and the pharmacy ODS Code remains the same, how should the new owner register to access the Toolkit?
The new owner should contact the DSPTK query contact point. The previous owner’s account can be locked and the new owner registered against that ODS Code.

Q. To register for the Toolkit, I need to provide my email address. What will this be used for?
You may receive reminders.

Q. Once I’ve registered for the Toolkit, how do I update my registered email address or other information?
Log in and select ‘Organisation Profile’ to update details. You can also change your password there.

Q. I have already submitted my baseline data security assessment. When can I next submit an assessment?
Pharmacies must complete an annual assessment. Once submitted, an assessment cannot be withdrawn, so ensure your scores are accurate. Any improvements should be recorded in the next version of the Toolkit.

Q. I have just discovered I have made a mistake in my submission. Can I correct the answers after clicking the submit button?
No. Once submitted, answers cannot be edited. If a significant error has been made, contact the DSPTK query contact point. If the Helpdesk cannot assist, contact your local NHS England team.

Q. Can a local NHS England team take action against a pharmacy owner who does not achieve the required level by the deadline date?
Yes. Changes to the Terms of Service a long while back (from 2011) require pharmacies to comply with an approved information governance programme. This means meeting nationally specified data security requirements and making an annual declaration via the Toolkit.

Pharmacies must also comply with data protection legislation and the NHS Code of Practice on Confidentiality.

The Information Commissioner’s Office (ICO) enforces data protection legislation. ICO can issue monetary penalties for serious breaches. When deciding on penalties, the ICO considers factors such as:

• the seriousness of the breach
• the likelihood of substantial damage or distress to individuals
• whether the breach was deliberate or negligent
• what reasonable steps the organisation took to prevent breaches

Reasonable steps include having appropriate policies, risk assessments, mitigation measures, and governance arrangements. These are all actions the NHS requires evidence of through the Toolkit.

The ICO may also prosecute criminal offences under data protection legislation.

A local NHS England team may investigate a pharmacy that has not completed an annual return via the Toolkit to check compliance with Terms of Service requirements.

Q. I have both an LPS contract and a General Pharmaceutical Services contract. Both are linked to the same premises. Do I need to complete two submissions?
If both contracts are linked to the same premises, one submission may be sufficient to provide assurances on information management. However, there may be differences depending on the services provided under the LPS contract. We recommend discussing this with your local NHS England team.

Since 2013, local NHS England teams have been responsible for monitoring and supporting pharmacy information governance.

Q. My local NHS England team has asked me to share a copy of my action plan with them. Do they not have access to this through the Toolkit?
No – local NHS England teams cannot access your action plan through the Toolkit.

When you complete an assessment, you should enter both a current score (your pharmacy’s score for the current year) and a target score (the score you aim to achieve in your next assessment). This automatically creates an action plan in the Toolkit, sometimes called an ‘implementation plan’ or ‘improvement plan’. You can download this into Microsoft Word and print it.

Pharmacies should keep a copy of their action plan filed locally so it can be shown to NHS England officials during support visits. These visits may form part of pharmacy owner monitoring. There is no requirement to post or fax action plans to NHS England teams. However, if your local NHS England team is working with you to meet the requirements, you may find it helpful to share a copy with them.

Q. How often should the pharmacy data security policies and procedures be updated?
Pharmacy owners should review their data security policies and procedures every year to make sure they remain relevant and comply with current law. If a data breach occurs, policies should be reviewed sooner to learn lessons and prevent future incidents.

Q. Do I need to register with the Information Commissioner’s Office?
Yes. All pharmacies process personal data, so they must notify the Information Commissioner’s Office (ICO). Guidance is available on the ICO website. Failure to notify is a breach of data protection law and a criminal offence.

Q. Do the requirements apply to hardcopy data such as prescription forms as well as electronic information?
Yes. Both paper and electronic records must be protected. The safeguards may differ, but the duty to protect patient and personal information applies equally.

Q. Are the template SOPs good enough to comply with NHS requirements?
Many template SOPs have been developed by Community Pharmacy England and the RPS, with support from the DHSC, and NHS England. Pharmacy owners must review and adapt these templates to suit local circumstances. For example, if your pharmacy uses a data transfer method not covered in the template, you must add details of that method to your SOP.

Q. I have had a call from a local police station. They want me to disclose the details of the medication that an individual in custody is taking. Do I need to do this?
Patient information should not normally be disclosed without consent or unless the law allows it. In exceptional cases, disclosure may be necessary to prevent serious harm. If disclosure is made without consent, only the minimum information should be shared. You must record who requested the data, why it was released, whether consent was sought, and what information was disclosed.

Q. Pharmacies have a duty to protect patient confidentiality. How is this duty reconciled when a police officer asks to check controlled drug (CD) prescribing?
Authorised officers, including police officers, may inspect CD registers and prescriptions under the Misuse of Drugs Act 1971. This legal power overrides the duty of confidentiality. Before disclosing data, pharmacy owners must confirm the officer is properly authorised and that the request relates to routine checks.

If a police officer is investigating a serious criminal offence, you should verify their identity and confirm the nature of the investigation. Guidance is available from the Home Office, the General Pharmaceutical Council, the NPA (for members) and the RPS (for members).

Police officers may also collect CDs on behalf of patients in custody. Public Health England’s guidance on supervised doses for people in police custody may be useful.

Q. I recently ordered some ‘made to measure’ hosiery but the manufacturer has requested the patient’s details. Is this allowed?
Manufacturers may ask for a patient identifier to support future orders. However, you should not provide the patient’s name without consent. Alternatives include using the patient’s PMR record number or a unique identifier provided by the manufacturer, which you can record in the PMR for future reference.

Q. I have received an FP10 prescription for an unlicensed “named patient supply” product. Does this mean I need to provide the manufacturer with the patient’s name?
No. The legislation refers to “individual patients,” not “named patient supply.” While there must be an audit trail to the patient, manufacturers do not need to know the patient’s name. Patient identifiable information should not be shared without consent.

Q. I can’t obtain a branded product from my wholesaler. The manufacturer is requesting the prescription form serial number. Does this link to the patient?
Some manufacturers ask pharmacy owners to fax anonymised prescriptions before releasing stock. Community Pharmacy England does not support this as a routine measure—it is burdensome and risks accidental disclosure of patient data.

Pharmacy owners must have an acceptable information governance programme, approved by NHS England, and comply with confidentiality and data protection law. Patient identifiable information must not be shared without consent or unless legally permitted. If a prescription is faxed, any patient identifiers must be obscured in black ink.

The serial number on a prescription form identifies the paper form, not the patient. NHS England records which forms are issued to prescribers, but this information is not normally public.

Q. Does the data security lead have to be a named individual (for example “Joe Bloggs”) or can it be a position (for example “Pharmacy manager”)?
The pharmacy must be able to show that the role has been properly assigned. In the pharmacy’s records, it is acceptable to document a position, such as ‘pharmacy manager’ or ‘clinical governance lead’, rather than a named individual. This is fine as long as the staff member(s) understand that they are responsible and it is clear to other staff who the data security lead is. Best practice, where possible, is to assign the role to a named individual.

Q. Can one person be the data security lead for more than one pharmacy?
Yes. Pharmacies have flexibility in how they organise information handling. For example, if a pharmacy owner has several pharmacies, they may appoint one central lead with local leads in each branch to reflect local circumstances and support implementation of the data security standard.

Q. Can a self‑employed locum pharmacist be the data security lead for a pharmacy?
The data security lead must have the authority to influence procedures and ensure implementation. A locum could take on this role, but the decision rests locally. The lead does not need to be a pharmacist, so if the pharmacy does not have a permanent pharmacist, a senior dispenser or non‑pharmacist manager could act as the data security lead. Locums should also consider whether this affects their self‑employed tax status.

Q. Do I need to have a confidentiality clause in the contracts of third‑party owners who don’t have access to patient identifiable information?
The Toolkit focuses only on protecting patient identifiable information, such as data held in IT systems. There may be other reasons to include confidentiality clauses in contracts, for example to protect commercially sensitive business information. This decision is for the pharmacy owner and is outside the scope of the Toolkit.

Q. I’m currently mapping and risk assessing all flows of personal information. How can I assess the risk of a particular flow?
Risk is usually assessed by considering both the impact of a potential data loss and the likelihood of it happening.

The likelihood will depend on local circumstances. For example, if a trusted team member has hand‑delivered small numbers of prescriptions to a nearby GP surgery for many years without incident, the likelihood of data loss is negligible. The impact would be moderate (a small number of patients affected), so the overall risk is low.

In contrast, if there have been problems with prescriptions not reaching the surgery, the risk is higher. In that case, the pharmacy would need to consider steps to reduce the risk.

Q. My IT supplier doesn’t store data outside the UK but provides remote support from overseas. How do I make sure I comply with data protection legislation and DHSC guidelines?
If data flows outside the UK, you must carry out a risk assessment and put in place controls, such as contractual requirements for the supplier. Access should be strictly limited to those who need it and only used when no suitable UK alternative exists. Further guidance is available on the Information Commissioner’s website.

Q. What does “data processed outside of the UK” mean?
As part of the Toolkit, you need to check whether patient information is transferred outside the UK. For example, confirm with your IT supplier that any personal data sent electronically remains in the UK. As of 2025, there was no requirement for a specific template. It is sufficient to document that checks have been made, such as recording that the pharmacy contacted suppliers and they confirmed no transfers outside the UK.

Q. I run a wholly mail order business (Distance Selling Premises (DSP)). Do I need to have a patient leaflet on the use of patient information?

All pharmacies, including DSP pharmacies, must clearly explain how patient information is used. Before 1st October 2025, pharmacy owners were required to produce a pharmacy practice leaflet, and pharmacies could include this information as part of the leaflet. This requirement has now been removed from the Terms of Service. Therefore, pharmacies can provide this information in the format of a standalone leaflet, to be provided to existing and new patients, or publishing it on the pharmacy’s website with a clear pointer to it.

Privacy notice templates are available at: cpe.org.uk/dstemplates.

Q. I currently maintain a comprehensive list of the hardware and software I own for insurance purposes. Do I need to also maintain this information in a separate information asset register?
There are no detailed rules on how the register should be structured, but it should cover information stored (such as patient databases), hardware, software, and services (such as broadband). If you already keep records for insurance, accounting, or business continuity, you can cross‑reference those documents in your information asset register to avoid duplication. Templates are available at: cpe.org.uk/dstemplates.

Q. I use a laptop in the pharmacy for connecting to the internet for drug information but it does not hold any patient‑sensitive information. Do I need to declare this in my information asset register?
The purpose of the register is to identify all relevant hardware, software, and information so risks can be managed. Even if the laptop does not store patient information, it may still pose risks to the local network. For example, if its anti‑virus software is not updated, it could introduce viruses that compromise other systems. Pharmacy owners should use their judgement to decide which devices to record.

Q. On the template ‘Portable Equipment: Asset Control Form’, there is a section for “Asset number” and “Mobile number”. What do these refer to?
The ‘asset number’ is a tracking reference that links the register entry to the physical asset. For example, you may choose to label the device with a sticker showing its asset number.
The ‘mobile number’ field is intended for recording mobile phone numbers, but only for phones that store personal information.
Templates are a guide and should be adapted to suit local circumstances.

Q. I am about to undertake my premises risk assessment. I have developed a risk assessment form based on the template on the Community Pharmacy England website. For many of the questions, I don’t have the specific physical security controls in place, but I am in an area of low crime. Do I need to invest in security cameras?
Risk is assessed by considering both the impact of a data loss and the likelihood of it happening. One method is explained in Appendix 7 of the workbook.
Pharmacy owners should assess risk based on local circumstances. Two pharmacies with the same stock and systems may need different security measures if one is in a high‑crime area and the other in a low‑crime area. The risk level should be reviewed regularly as circumstances change.

Q. I currently don’t use any mobile computing systems in my pharmacy. How should I record this?
If no mobile computing devices are used (such as laptops, PDAs, USB sticks, or CDs/DVDs), you can note in the register that the topic is not applicable and state your policy. For example: “This pharmacy does not use removable or portable computing equipment including discs and USB sticks.” Staff should be reminded not to use mobile computing devices in their role.

Q. I have heard that I need to encrypt my computers. Is this correct?
Yes. The Information Commissioner’s Office (ICO) recommends encryption for portable and mobile devices that store or transmit personal information. Losses of unencrypted devices may lead to regulatory action.
Pharmacy owners should consider encryption for all computers containing patient information. NHS guidance also requires encryption of patient‑identifiable information stored on portable devices. If unencrypted data must be used temporarily, this should be documented in a risk assessment and reported to the most senior person in the organisation.
Expert advice should be sought from your IT supplier, as some solutions may affect system performance.

Q. I would like to arrange encryption of my laptop. How can this be achieved?
Seek expert advice from your IT supplier to ensure the solution is appropriate and tested.

Q. I have a laptop in my consultation area that I use to store patient information, but it is used like a desktop and never removed from the pharmacy. Is it still regarded as ‘mobile computing’?
Yes. Laptops are considered portable devices even if they remain on site. If they store patient information, they must be protected.

Q. I use a mobile device for connecting to the internet for drug information but it does not hold any patient‑sensitive information. Do I need to take the actions?
This guidance applies to devices storing personal information. If the device does not hold such data, actions under data security are not required. However, recording staff use and guidance may still be useful to reduce risks such as theft.

Q. Are pharmacies required to have a business continuity plan?
Yes. Since 2015, pharmacies have been required to have a business continuity plan in place. Guidance on developing a plan is available in the clinical governance section of the website.