Data security templates and resources

Use these templates to support your DSPTK submission and strengthen your pharmacy’s data security processes:

Access control and password management procedure (Template 15)

Administrator declaration (see ‘Privilege Access Agreement Statement of Compliance (Template 14D)‘)

Asset register with worked examples (MS Word) / Asset register with worked examples (MS Excel) (Templates 6A-B)

Assigning data security roles (Template 21)

Audit sheet (Template 13)

Bring Your Own Device (BYOD) and NHSmail guidelines / policy  (Template 8B)

Confidentiality agreement for non-contracted workers visiting pharmacy (Template 20)

Data and security and IG policy (Template 1)

Data flow map illustration (Template 19)

Data handling, record keeping and disposal procedures (Template 4)

Data protection impact assessment (DPIA) (Template M from GDPRB WB)

Data quality policy (Template 17)

Disposal of portable assets (Template 10)

Ensuring staff compliance with Smartcard Terms and Conditions (RA01) template SOP (Template 16)

Incident management procedures and reporting breaches / incidents (Template 11)

Information security incident report form (Template 12)

Mobile computing guidelines (Template 8A)

Physical security risk assessment (Template 7)

Portable equipment / Asset control form (Template 9)

Privacy / transparency notice (wording for websites or patient information leaflets for folding)  (also alternative versions: Large-print version  / A4 version (Templates 5A-C)

Privilege Access Agreement Statement of Compliance (Template 14D)

Risk register (with worked examples)  and  Risk register (blank). Note: Alternatively risk information may be stored on Asset register – see template 6 above) (Template 18)

Staff confidentiality agreement (Template 2)

Staff confidentiality code (Template 3)

Staff list of persons (and IT rights) (Template 14C)

Staff signature list [all policies] or Staff Signature List Page [for each policy separately]  (Template 14)

Suppliers list – regarding suppliers that process data for the pharmacy (Template 22)

Training (for induction or refreshment) (9 pages) (Template 3B)

Training factsheet (2 pages) (Template 3C)

Training options and analysis (Template 3D)

Templates 1–16 were developed by Community Pharmacy England with support from the Department of Health and Social Care. NHS Employers, NHS England and the Royal Pharmaceutical Society also contributed.

Note: that many of these below are referenced within the GDPR Workbook. DSPTK templates arranged by number:

Template 1: Data and security and IG policy

Template 2: Staff confidentiality agreement / Staff confidentiality agreement

Note about Template 2: Suggested Contract Clause for Individual Staff members: “You may not during or after the termination of your employment disclose to anyone other than in the proper course of your employment or where required by law, any information of a confidential nature relating to the company or its business or customers. Breach of this clause may lead to dismissal without notice and/or legal action. Guidance on standards expected can be found in the staff code of conduct.”

Template 3A: Staff confidentiality code

Template 3B: Pharmacy data security and IG training (for induction or refreshment)

Template 3C: Training factsheet

Template 3D: Training options and analysis

Template 4: Data handling, record keeping and disposal procedures

Template 5: Privacy / transparency notice (wording for websites or patient information leaflets for folding)  (also alternative versions: Large-print version  / A4 version.

Note about Template 5: that communications materials are provided in different formats or by different routes to meet the need of patients with special or different needs. NHS 111 provide an interpreter service to support communicating with patients who do not speak English.

Template 6: Asset register with worked examples (spreadsheet) / Asset register with worked examples (MS Word)

Note about Template 6: The pharmacy asset register is likely to contain commercially sensitive information so there is no requirement for the details to be shared with the NHS. Where the pharmacy maintains information on software, hardware or services in a separate asset register for accounting, insurance or business continuity purposes, an option is to do a cross reference from the relevant sections in the information asset register to the relevant register or location that this information is stored to prevent duplicating effort.

Template 7: Physical security risk assessment

Template 8A: Mobile computing guidelines

Template 8B: Bring Your Own Device (BYOD) and NHSmail guidelines / policy

Template 9: Portable equipment / Asset control form

Template 10: Disposal of portable assets

Template 11: Incident management procedures and reporting breaches / incidents

Template 12: Incident report form

Template 13: Audit sheet

Templates 14A/B: You may use Staff signature list [all policies] (for all to re-sign annually and for new joiners to sign) (one list related to staff confirming in relation to all policies) or Staff Signature List Page [for each policy separately]  (multiple lists relating to staff being able to confirm in relation to each policy separately).

Template 14C: Staff list of persons (and IT rights) 

Template 14D: Privilege Access Agreement Statement of Compliance 

Template 15: Access control and password management procedure

Template 16: Ensuring staff compliance with Smartcard Terms and Conditions (RA01) template SOP 

NB: If staff do not have cards subject to the RA01 terms and conditions (i.e. EPS Release 2 cards), this requirement can be marked not relevant (NR).

Template 17:  Data quality policy

Template 18:  Risk register (with worked examples)  and  Risk register (blank). Note: Alternatively risk information may be stored on Asset register – see template 6 above)

Template 19: Data flow map illustration 

Template 20: Confidentiality agreement for non-contracted workers visiting pharmacy.

Note about Template 20: The pharmacy may have persons working for it (otherwise than under a contract of employment) e.g. locum pharmacists, or have persons visiting the pharmacy who are likely to have access to areas of the pharmacy not generally accessible by members of the public. One way to help safeguard the confidentiality of patients’ personal and sensitive personal data is by requiring the third party to agree to a confidentiality agreement. We recommend that the pharmacy retain the original signed confidentiality agreements for at least 6 years before considering disposal.

Template 21: Assigning data security roles  

Template 22: Suppliers list – regarding suppliers that process data for the pharmacy

Template 23: Assessing IT solutions checklist

Template M of GDPR WB: Data protection impact assessment (DPIA)

NB: Community Pharmacy England originally developed these templates 1-16 with the support of the Department of Health and Social Care. NHS Employers, NHS Connecting for Health and the RPSGB also contributed to the development of many of these.

These templates are part of the GDPR Workbook for community pharmacy and are available in the GDPR hub:

• Template A: Decide who is responsible
• Template B: Action plan
• Template C: Record the personal data you process and confirm your lawful basis
• Template D: Process data according to protection principles
• Template E: Review and check with your processors
• Template F: Obtain consent if required
• Template G: Communicate your processes – the privacy notice
• Template H: Ensure data security
• Template I: Consider personal data breaches
• Template K: Understand data subject rights
• Template L: Ensure privacy by design and default
• Template M: Data protection impact assessment (DPIA)

Current resources

• Emergency planning and business continuity
• NHS Cyber resources
• Social media policy (appendix to DH social interaction guidance) (PDF)
• NHS IG guidance

Archived resources (for reference only)

• 2009/10 pharmacy owner IG workbook and related 2010/11 IG update
• Community Pharmacy England briefing: To share or not to share – government response to the Caldicott Review (2013):
  A summary of the Department of Health and Social Care’s response to Dame Fiona Caldicott’s review on information governance.
• Community Pharmacy England briefing: Summary of the Caldicott Review on information governance (2013):
  A concise overview of Dame Fiona Caldicott’s independent review, published in April 2013.

These templates are designed to help pharmacy teams tailor materials for local use.

Each pharmacy owner is responsible for ensuring their pharmacy meets all legal and professional requirements. This includes checking that any adapted materials are accurate, appropriate and up to date.

For legal advice, please contact a solicitor or legal adviser.

Need help with the DSPTK templates or want to suggest a new one?

Email us at: da@cpe.org.uk