Data Security and Protection Toolkit 2026: Are you working through it?

Deadline upcoming

Community Pharmacy England previously published updated guidance and support to help community pharmacy owners complete the Data Security and Protection Toolkit (DSPTK) 2026.

Completing the Toolkit is how pharmacies make their annual information governance (IG) declaration. It is a mandatory requirement under the NHS Terms of Service and must be completed by 30th June 2026.

Community Pharmacy England has worked closely with the NHS DSPTK team to ensure the Toolkit remains proportionate and practical, while continuing to support strong data security and patient confidentiality.

What’s changed in the 2026 Toolkit

This year’s Toolkit includes a small number of targeted updates designed to make completion clearer and quicker:

  • A new question on multi‑factor authentication (MFA) for clinical IT systems
  • Improved layout and navigation
  • Clearer wording, with pharmacy‑specific tips
  • For some questions, the Toolkit shows last year’s answers, allowing teams to confirm or update information rather than start again

The NHS Parent Organisation Code (POC) batch submission feature also continues to operate. This allows pharmacy owners with three or more pharmacies under the same POC to complete one submission covering all premises.

Reducing the workload

Most pharmacy teams should already have access to the information needed to answer the more technical questions.

Pharmacies that have refreshed and updated their templates in Community Pharmacy England’s GDPR Workbook can meet the criteria for around half of the Toolkit questions.

For these questions, if the GDPR Workbook has been fully updated, pharmacy teams can enter “see GDPR WB”.

We strongly encourage pharmacy teams to factor the Toolkit annual requirement into workload planning, rather than leaving completion until the final weeks.

Check your Parent Organisation Code (POC) details

Pharmacy owners with three or more pharmacies are advised to check that the list of pharmacies linked to their NHS Parent Organisation Code (POC) is accurate.

Doing this early helps avoid delays and allows any issues to be resolved well ahead of the submission deadline.

Also, be aware of GDPR-themed scam emails

We are aware of recent reports from across the country of scam emails being sent to community pharmacies. These messages often claim that a pharmacy is under investigation for a GDPR or data protection breach.

These emails can appear convincing, but should be deleted without responding. They are not linked to the Data Security and Protection Toolkit and do not indicate that a pharmacy has failed to meet its IG obligations. Common warning signs include urgent deadlines, threats of enforcement action, and messages sent from non‑official email addresses.

In some cases, these messages purport to come from investigative bodies or from patients or members of the public who allege that personal data was submitted online or mishandled. However, there have been examples where the individual has had no genuine prior interaction with the pharmacy. This should be distinguished from genuine information-governance enquiries from real patients. Read more about GDPR queries and scam emails.

Guidance and support from Community Pharmacy England

The following resources are available to support completion of the Toolkit:

Toolkit completion: Overview – five steps for completing the DSP Toolkit 2026
A clear, step-by-step guide with links to all supporting materials:
Five steps for completing

On‑demand webinar
Community Pharmacy England and the NHS DSPTK team explain the new MFA question, outline other changes, and answer common questions.
On-demand webinar

Question‑by‑question guidance (mandatory questions)
Designed to help pharmacy teams complete all mandatory sections.
Question-by-question guidance

Using the NHS Parent Organisation Code (HQ) batch submission
Guidance for pharmacy owners with three or more pharmacies.
Batch POC guidelines

Important reminders

Data Protection Officer (DPO)

  • The DPO should ideally be independent from decisions about how data is used
  • Where the owner or a senior staff member acts as DPO, any potential conflicts of interest should be documented, along with mitigating actions
  • Some pharmacies choose to use an external DPO service where this is practical and affordable

Privacy notices
An updated privacy notice template is available on our data security templates webpage.

Next steps

  • Log in to the Data Security and Protection Toolkit as soon as possible
  • Start with the “Five steps” overview guide
  • Begin completing the Toolkit where time allows

All mandatory questions must be answered to meet the minimum NHS information governance requirements.
