Data security templates and resources
Published on: 23rd July 2013 | Updated on: 20th November 2025
To help pharmacy owners meet data protection requirements, Community Pharmacy England has developed a range of practical templates and tools. These support you in completing the Data Security and Protection Toolkit (DSPTK) and managing information governance (IG) in your pharmacy.
We regularly review and update these resources to reflect current NHS and legal requirements. Many of the templates are also included in the GDPR Workbook.
Use these templates to support your DSPTK submission and strengthen your pharmacy’s data security processes:
Access control and password management procedure (Template 15)
Asset register with worked examples (MS Word) / Asset register with worked examples (MS Excel) (Templates 6A-B)
Assigning data security roles (Template 21)
Audit sheet (Template 13)
Bring Your Own Device (BYOD) and NHSmail guidelines / policy (Template 8B)
Confidentiality agreement for non-contracted workers visiting pharmacy (Template 20)
Data and security and IG policy (Template 1)
Data flow map illustration (Template 19)
Data handling, record keeping and disposal procedures (Template 4)
Data protection impact assessment (DPIA) (Template M from GDPRB WB)
Data quality policy (Template 17)
Disposal of portable assets (Template 10)
Ensuring staff compliance with Smartcard Terms and Conditions (RA01) template SOP (Template 16)
Incident management procedures and reporting breaches / incidents (Template 11)
Information security incident report form (Template 12)
Mobile computing guidelines (Template 8A)
Physical security risk assessment (Template 7)
Portable equipment / Asset control form (Template 9)
Privacy / transparency notice (wording for websites or patient information leaflets for folding) (also alternative versions: Large-print version / A4 version (Templates 5A-C)
Risk register (with worked examples) and Risk register (blank). Note: Alternatively risk information may be stored on Asset register – see template 6 above) (Template 18)
Staff confidentiality agreement (Template 2)
Staff confidentiality code (Template 3)
Staff list of persons (and IT rights) (Template 14C)
Staff signature list [all policies] or Staff Signature List Page [for each policy separately] (Template 14)
Suppliers list – regarding suppliers that process data for the pharmacy (Template 22)
Training (for induction or refreshment) (9 pages) (Template 3B)
Training factsheet (2 pages) (Template 3C)
Training options and analysis (Template 3D)
Templates 1–16 were developed by Community Pharmacy England with support from the Department of Health and Social Care. NHS Employers, NHS England and the Royal Pharmaceutical Society also contributed.
These templates are part of the GDPR Workbook for community pharmacy and are available in the GDPR hub:
- Template A: Decide who is responsible
- Template B: Action plan
- Template C: Record the personal data you process and confirm your lawful basis
- Template D: Process data according to protection principles
- Template E: Review and check with your processors
- Template F: Obtain consent if required
- Template G: Communicate your processes – the privacy notice
- Template H: Ensure data security
- Template I: Consider personal data breaches
- Template K: Understand data subject rights
- Template L: Ensure privacy by design and default
- Template M: Data protection impact assessment (DPIA)
Current resources
- Emergency planning and business continuity
- NHS Digital IG resources webpage
- Social media policy (appendix to DH social interaction guidance) (PDF)
- NHS England’s TD IG guidance
Archived resources (for reference only)
- 2009/10 pharmacy owner IG workbook and related 2010/11 IG update
- Community Pharmacy England briefing: To share or not to share – government response to the Caldicott Review (2013):
A summary of the Department of Health and Social Care’s response to Dame Fiona Caldicott’s review on information governance. - Community Pharmacy England briefing: Summary of the Caldicott Review on information governance (2013):
A concise overview of Dame Fiona Caldicott’s independent review, published in April 2013.
These templates are designed to help pharmacy teams tailor materials for local use.
Each pharmacy owner is responsible for ensuring their pharmacy meets all legal and professional requirements. This includes checking that any adapted materials are accurate, appropriate and up to date.
For legal advice, please contact a solicitor or legal adviser.
Need help with the DSPTK templates or want to suggest a new one?
Email us at: da@cpe.org.uk
For more information on this topic please email it@cpe.org.uk
