FAQs
In this section of the site you'll find a selection of frequently asked questions. Click on the quick links below to jump to the relevant section:
2010/11 (version 8) changes (new)
General Confidentiality Queries
The Online Toolkit
For a multiple pharmacy, when registering for access to the IG Toolkit, is it possible to register using the same name and log-in email for each premises and just change the ODS code?
Yes, this is possible.
When submitting the Online Toolkit Assessment, if you get interrupted and have to exit the Toolkit, is the data saved so you can come back and finish the assessment at a later date?
If a pharmacist is interrupted part-way through recording information against an individual requirement, click the ‘save’ button and work done will be saved.
If there is a change of ownership of the pharmacy and the pharmacy ODS Code (F Code) remains the same, how should the new owner register to access the toolkit?
The new owner would need to contact the Exeter helpdesk (01392 251289). The account of the previous owner can be locked and the new owner registered against that ODS Code.
To register for the IG Toolkit, I need to provide my email address. What will this be used for other than the initial registration process, for example will I receive a reminder email of the deadlines to complete the Toolkit?
The Toolkit does not currently generate any reminder emails but it is hoped that this option will be introduced at a later date.
Once I’ve registered for the IG Toolkit, how do I update my registered email address?
To update their details, users need to log in and then select the ‘My Details’ tab on the left-hand side; this will allow them to edit both their email address and their telephone number. Users can also change their password using the ‘My Password’ tab.
For one of the requirements I clicked the ‘Not relevant’ option but when I clicked next, the website wouldn’t let me move on to the next requirement. Why is this?
Requirements marked as not relevant require a comment. Make a relevant note in the comments box, for example if no staff in the pharmacy have EPS Release 2 smartcards (RA01 terms), make a comment to this effect when marking requirement 119 as not relevant.
I have already submitted my baseline IG Assessment. When can I next submit an assessment?
Pharmacies are required to make an annual assessment. Once an assessment has been submitted it is not possible to withdraw a submission so it is important to ensure that the scores accurately reflect the assessment status of the pharmacy. Any improvements in the scores should be entered into the next version of the Information Governance Toolkit.
The 2010/11 version of the Toolkit is expected to be launched mid-2010. The next release of the online Toolkit (version 8) will have enhanced functionality and improved layout. The DH Informatics Team will be working to ensure the IG Toolkit user’s guide on the site is kept updated as changes are made.
I have just discovered I have made a mistake in my submission. Can I correct the answers after clicking the submit button?
It is not possible to withdraw or edit a submission once the ‘submit’ button has been pressed. If a significant error has been made, contact the IGT Helpdesk (pharmacy.assurance@nhs.net or 0113 394 6540) who will consider the request. Alternatively if it is a significant error and the Helpdesk is unable to provide support, contact your PCT.
Deadlines
I have just opened a new pharmacy. Do I need to complete a baseline assessment by the 31st March 2010?
An Information Governance baseline assessment should be submitted for all pharmacy premises by the 31st March 2010. However as the assessment is being used to provide assurance to PCTs, it would be worth discussing any individual circumstances that would impact on a pharmacy’s ability to complete the baseline assessment with the relevant PCT.
I have started the process of completing my baseline assessment but because of staff shortages, I am going to be a few days late and won’t meet the 31st March 2010 deadline. What should I do?
We would recommend contacting your PCT to discuss this issue. The Toolkit isn’t ‘locked’ at midnight on the 31st March therefore it will be technically possible to still make a submission after the deadline. However, no guarantees can be given as to how long this facility will remain open, as the site is due to permanently close to enable the rebuild for version 8 of the IG Toolkit.
I have both an LPS Contract and a General Pharmaceutical Services contract. Both are linked to the same premises. Do I need to complete 2 submissions?
Given that both contracts are linked to the same premises, it may be appropriate to have only one submission which provides assurances to the PCT on the management of information obtained under both contracts at the premises. But there may be differences depending on the nature of services provided under the LPS, therefore we recommend discussing this with your PCT.
Version 8 (2010/11 changes)
Are there any changes to the requirements in 2010/11 (version 8 of the Toolkit)?
There are a number of changes in 2010/11. Click on the link below to view the guidance note:
Changes to the requirements in 2010/11
Requirement 114: Pharmacy IG Lead
Does the IG lead have to be a named individual (for example “Fred Bloggs”) or can it be a position (for example “Pharmacy Manager”)?
The pharmacy must be able to show that the role has been appropriately assigned. In the pharmacy’s records, it would be acceptable to document a position, for example, ‘the pharmacy manager’ or ‘Clinical Governance Lead’ rather than a named individual, as long as the staff member(s) concerned are clear from this that they are responsible and it is clear to other staff who the IG Lead is.
Although it is accepted that for practical reasons the role may need to be assigned to a position in some scenarios, where possible, best practice is that the lead is a named individual.
Can one person be the IG lead for more than one pharmacy?
Yes. There is flexibility in how the pharmacy structures co-ordination of information handling within the pharmacy. For example if a contractor owns multiple pharmacies, he may feel it appropriate to appoint one central lead with local leads in each store to provide information on local circumstances and support pharmacy implementation of the requirements.
Can a self-employed locum pharmacist be the IG lead for a pharmacy?
The IG lead needs to have the appropriate responsibilities to be able to influence procedures and deliver implementation. A locum may be able to fulfil this role, but this will be for local decision. Remember, the IG Lead doesn’t need to be a pharmacist so if the pharmacy does not have a permanent pharmacist, one option would be for a senior dispenser or non-pharmacist manager to act as IG lead.
The locum will have to give consideration to whether this impacts on their self-employed status for tax purposes.
Requirement 116: Contractual Confidentiality Clauses
Do I need to have a confidentiality clause in the contracts of third party contractors who don't have access to patient identifiable information?
The NHS requirements relate only to protecting patient identifiable information therefore Requirement 116 relates only to the contracts of contractors who have access to patient identifiable information, for example PMR suppliers.
There may be other reasons to include confidentiality clauses in contracts for example protecting information relating to the business that is commercially sensitive. This would be for the contractor to decide and is outwith the scope of the NHS requirements.
Requirement 118: IGSoC
This has been removed as a requirement for 2010/11 (version 8 of the Toolkit).
Requirement 119: Compliance with RA01 Terms
Where can the RA01 form be found?
This is available from PCT Registration Authorities. All pharmacists and relevant staff will be required to sign up to the conditions set out in the RA01 form to gain access to EPS Release 2. Pharmacy contractors were not required to sign up to these terms for Release 1.
Requirement 208: Mapping and Risk Assessing Information Flows
I’m currently in the process of data mapping and risk assessing all flows of personal information (as set out in Requirement 208). How can I assess the risk of a particular flow?
The level of risk is normally established by considering the impact of a potential data loss occurring and the likelihood of a loss taking place. One method of risk assessment is detailed in Appendix 7 of the workbook.
The likelihood of an incident occurring will differ depending on local circumstances, for example if a trusted member of the pharmacy team has been hand-delivering small numbers of prescriptions to a local GP surgery 100m away for many years and there has never been an incident, this would suggest that the likelihood of a data loss occurring in transit is negligible. The impact of that loss is likely to be moderate (small number of patients affected) therefore the risk is low.
In another area, if there have been problems with hand-delivering prescriptions to the surgery, for example problems with the GP surgery reporting they didn’t receive the forms, this would be a higher risk and the pharmacy would have to consider options to mitigate the risk.
Note this requirement has been merged with requirement 308 in version 8 of the Toolkit (2010/11). The evidence requirements remain the same.
Requirement 209: Overseas Transfer
My system supplier doesn’t store data outside of the UK but provides remote assistance from outside of the UK, how do I make sure I comply with the Data Protection Act 1998 and Department of Health guidelines?
If there are flows outside of the UK, it is important to undertake an appropriate risk assessment and put in place mitigating controls, for example contractual requirements on the supplier. Access should be on a strict need to know basis and only where there are no appropriate alternatives.
In Requirement 209 what does “data processed outside of the UK” relate to?
As part of Requirement 209, you need to consider if information about patients is being transferred outside of the UK (e.g. checking with your PMR supplier that any personal information transmitted electronically remains in the UK). There are no templates for this requirement – it is sufficient to document that the checks have been undertaken e.g. that someone in the pharmacy contacted suppliers and they have confirmed no transfers outside of the UK.
If overseas processing is found to be happening, you need to follow the detailed guidance on overseas transfers and the Data Protection Act on pages 22-23 and 48 of the workbook.
Requirement 212: Patient Consent
Does requirement 212 relate only to the use of personal information for purposes not directly related to the service for which the information was collected?
No. As part of requirement 212, pharmacies must have guidelines in place on seeking consent to use personal information. Depending on the scenario, the consent required may be implied or may need to be explicit. The guidelines should cover how the pharmacy ensures that patients’ decisions to restrict the disclosure of their personal information are appropriately respected as well as procedures to ensure that patients are generally asked before information is used for purposes that are not directly related to the service. It is for the pharmacy to decide how the guidelines are presented. One option would be to include this information in the Staff Confidentiality Code of Conduct.
Requirements 201 and 212 are very similar. What is the difference between these requirements?
Requirement 201 requires pharmacies to have a confidentiality code of conduct. This includes guidance for staff on things like a staff member’s individual responsibility for compliance with the law and how a staff member can ensure information stays confidential. Requirement 212 requires pharmacies to put in place guidelines on seeking consent to use personal information including for purposes that are not directly related to the service for which the information was collected, and on respecting patient decisions relating to the disclosure of their personal information. The Workbook suggests that the guidelines for collecting consent could be included in the staff confidentiality code of conduct.
Requirement 213: Patient Awareness
I run a wholly mail order business. Do I need to have a patient leaflet on the use of patient information?
Yes. By 31st March 2011, all pharmacies are required to make a leaflet available with comprehensive information on how patient information is used by the pharmacy. The pharmacy will need to give consideration to how patients can access the leaflet, for example sent regularly to all patients, sent once to all patients and then to new patients who use the service or made available on the website with a pointer to it.
It could be a stand-alone leaflet or relevant content in existing practice leaflets could be adapted and expanded.
Note, it is a legal requirement through the Data Protection Act to make "fair processing information" available. More information about ‘privacy notices’ can be found on the Information Commissioner’s website.
Requirement 316: Information Asset Register
I use a laptop in the pharmacy for connecting to the internet for drug information but it does not hold any patient sensitive information. Do I need to declare this in my Information Asset Register?
The concept behind having an information asset register is identifying all relevant hardware, software and information to ensure it can be appropriately protected. Although the laptop does not contain patient information, it still may pose risks to information held on the local network and therefore actions may still need to be taken to manage any risks. For example, if the laptop connects to the pharmacy network and is used to access the internet, one risk is that if the anti-virus on the laptop isn’t updated regularly, the laptop could introduce viruses to the local network that could compromise the security of information held on other computers connected to the network. Pharmacies should use their judgement based on local circumstances on which pieces of hardware should be recorded on the asset register.
On the template ‘Portable Equipment: Asset Control Form’, there is a section for “Asset number” and “Mobile number”. What do these refer to?
The intention of including ‘asset number’ in the template register was to provide a reference to link between the register and the asset itself for tracking purposes. For example, a pharmacy may find it helpful to include a sticker on the asset with an assigned asset reference number.
The intention of the ‘mobile number’ field was to record mobile phone numbers; however, note that under this requirement, it is only necessary to track mobile phones that are being used to store personal information.
The templates are a guide but should be customised, where necessary, to suit local circumstances.
Requirement 317: Physical Security of Premises
I am about to undertake my premises risk assessment. I have developed a risk assessment form based on the template on the PSNC Website. For many of the questions, I don’t have the specific physical security controls in place however I am in an area of low crime. Do I need to invest in e.g. security cameras?
The level of risk is normally established by considering the impact of a data loss and the likelihood of that loss taking place. One method of risk assessment is detailed in Appendix 7 of the workbook.
It is for a contractor to assess the risk they face based on local circumstances. Two identical pharmacies holding the same information, computers and stock may have quite different physical security needs if one is located in an area of high crime and the other in a low crime area. While the impact of a burglary of either pharmacy will be the same – the actual probability of the burglary taking place will be quite different – and therefore the security measures at each will differ. The risk level needs to be kept under review as circumstances change.
Requirement 318: Mobile Computing Systems
I currently don’t use any mobile computing systems in my pharmacy. There is no ‘Not Applicable’ option on the Toolkit, how should I record this requirement?
If the pharmacy does not use any mobile computing devices i.e. there are no laptops and PDAs, nor any portable device used to hold or transfer personal information (e.g. USB sticks and CDs/DVDs), 'Level 3' can be recorded but the pharmacy should insert a comment in the text field that states the requirement is not applicable, and that their policy is that they have no mobile computing devices. For example: "Requirement not applicable, this pharmacy does not use removable or portable computing equipment including CDs/DVDs and USB sticks." The pharmacy should ensure that staff do not use mobile computing devices in their role.
NB: This guidance has recently been updated. Some contractors have been informed that Level '2' should be declared in this situation. If 'Level 2' has been declared and the 2010 baseline declaration already submitted, there is no need to contact the PCT to update to Level 3.
I would like to arrange encryption of my laptop. How can this be achieved?
We would recommend taking expert advice from your system supplier.
I have a laptop in my consultation area that I use to store patient information but it is used like a desktop and never removed from the pharmacy. Is it still regarded as ‘mobile computing’?
Yes. The requirement is aiming to ensure that all portable devices are secure. If the device has patient information on it, it must be protected. There is a greater risk of laptops etc being stolen even if they are not removed from the pharmacy, therefore the appropriate measures as outlined in requirement 318 must be taken.
I use a mobile device for connecting to the internet for drug information but it does not hold any patient sensitive information. Do I need to take the actions outlined in Requirement 318?
Requirement 318 relates to safeguarding mobile devices that are used to store personal information. Therefore if the device contains no personal information, it would not be necessary under the NHS Information Governance requirements to record staff use and provide guidance on use of the device. However the pharmacy may still find benefits in doing this for other reasons, for example to minimise the risk of theft.
Requirement 319: Business Continuity
When will the business continuity requirements (Requirement 319) be defined?
It is hoped that guidance on this requirement will be available in early summer 2010.
PCT Support
Please note, Appendix 3 of the workbook includes an overview of the role of PCTs in supporting implementation of the Information Governance Requirements.
My PCT has written to me and indicated that they have a local deadline of December 2010 for meeting Level 2 of the Requirements, not March 31st 2011 as indicated in the workbook. Is this enforceable?
No. The requirement is to meet Level 2 of the requirements by the 31st March 2011. There is a risk that if PCTs do suggest earlier deadlines, this will cause confusion and unnecessary conflict.
My PCT has asked me to share a copy of my action plan with them. Do they not have access to this through the Toolkit?
No – PCTs cannot access your action plan through the Information Governance Toolkit. PCT users have access to a report within the IG Toolkit which only shows the status of IGT submissions for all Pharmacies within their area. This report shows which Pharmacies have started / submitted their assessments and also whether or not they have achieved attainment level 2 against the “key” requirements.
Whilst carrying out an assessment you should enter both a current score (your pharmacy’s assessment score for the current year) and a target score (the score you intend to attain on your next assessment). By doing this an action plan is created (known as an ‘implementation plan’ or ‘improvement plan’ in the Toolkit). This can be downloaded to Microsoft Word and printed.
Pharmacies should ensure that their action plan is filed locally so that it is available to show to PCT officials during support visits (which may be part of contractor monitoring visits) to the pharmacy. There is no mandatory requirement to post or fax action plans to PCTs, however, where the PCT is working to provide support to pharmacies in meeting the requirements, pharmacies may find it helpful to submit their copy.
Funding
Where is the funding for pharmacies initially implementing the IG requirements coming from?
It is recognised that work relating to the Information Governance Toolkit will represent a cost to community pharmacies. Contractors will be aware of the position for this year's community pharmacy contractual framework funding. It has been identified through the margin survey for 2008/09 that during 2009/10 contractors are likely to be earning in excess of the £500 million margin that is needed to contribute to the Community Pharmacy Contractual Framework funding. Limited reductions in Category M prices were made in the course of 09/10 which means that more than £500m of margin will be delivered. It has been agreed that a proportion of this excess margin will be used to fund some one-off investments that will be required by pharmacies, including implementing the Information Governance requirements. Ongoing discussions indicate that the provisions will cover the costs associated with all individual community pharmacy premises reaching level 2 of all the requirements in the Toolkit.
Will funding be available in future years to reflect the ongoing costs in continuing to comply with the requirements?
The PSNC recognises that there will be ongoing costs to contractors in complying with the NHS Information Governance requirements, for example internal audits on compliance with SOPs and ensuring policies and procedures remain relevant. This will form part of PSNC discussions with the Department of Health on the funding arrangements for future years.
General Confidentiality Queries
How often should the pharmacy IG policies and procedures be updated?
Once IG policies and procedures are in place, pharmacy contractors should review these annually to ensure they remain relevant and appropriate, for example to ensure they continue to be in line with law in this area.
A data breach may trigger the need to review procedures during the year, for example to ensure they take into consideration lessons learned to prevent future breaches.
Do I need to register with the Information Commissioner’s Office?
Yes. The Data Protection Act requires organisations to notify the Information Commissioner if they are processing personal information. All pharmacies process personal information. Guidance on notification can be found on page 47 of the Pharmacy Contractor Workbook. If a pharmacy has not notified the ICO, this would be a breach of the Data Protection Act.
Do the requirements apply to hardcopy data e.g. prescription forms as well as information held electronically?
Yes. Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. Information held in hardcopy or in electronic format must be protected but the safeguards may differ. Some of the NHS IG requirements therefore have a specific focus on either digital or hardcopy information.
Are the template SOPs good enough to comply with the NHS Requirements?
The template SOPs have been developed by PSNC and the RPSGB with support from the Department of Health, NHS Connecting for Health and NHS Employers. They have undergone two phases of consultation led by the PSNC.
A contractor would have to review the templates and consider whether they were sufficiently relevant to local circumstances, adapting the templates where necessary. For example the data transfer SOP includes suggested procedures linked to different data transfer methods – if a pharmacy uses a method of transferring information which isn’t covered by the template SOP, the contractor would have to add information on this particular data transfer method into the SOP.
When patients return waste medicines, I currently put these in my controlled waste (DOOP) bin, complete with labels. Is this acceptable?
Within the Terms of Service, there is no requirement to process waste other than place it in a bin. It is the responsibility of the PCT to organise the disposal of waste. In the terms of the contract which the PCT has negotiated with the waste contractor, provision should have been made to safeguard confidential information.
I have had a call from a local police station. They want me to disclose the details of the medication that an individual in custody is taking. Do I need to do this?
Patient sensitive information should not normally be disclosed without patient consent. There are a number of exceptional circumstances where information can be disclosed without consent, for example where this is necessary to prevent serious injury or damage to the health of a patient. Only the minimum information necessary should be provided. A key consideration is whether there are any other sources of this information. If a decision is made to disclose without consent, an accurate record must be made of: who the request came from, the reasons for releasing the information without consent, whether you attempted to obtain patient consent, and if not why not, why patient consent was refused and what information was disclosed.
Despite the statements about not disclosing patient details, the local police officer responsible for checking CD registers has informed me that there is a legal duty to disclose matters relating to CDs to any police constable exercising powers under the Misuse of Drugs Act 1971. Does this mean I must comply, or should I withhold patient details?
Police officers who are engaged to check CD registers and officers monitoring the prescribing of CDs may demand production of the CD register and any prescriptions that have been retained on the premises. This is usually undertaken to detect persons who are obtaining prescriptions from more than one prescriber. The powers they have are granted under the Misuse of Drugs Act 1971 and do allow them full access. They may take copies of documents and might in some cases require original documents.
Disclosure in these cases is specifically authorised by the law, and this over-rides the duty to protect confidentiality. Before disclosing patient information pharmacists should satisfy themselves that the person requesting the information is a police constable authorised in writing, and ask the officer to confirm that the information is being requested in the exercise of his powers under the Misuse of Drugs Act. If in any doubt, further checks should be made with the police service, the Home Office and/or the RPSGB.
I recently ordered some ‘made to measure’ hosiery but the manufacturer has requested the patient’s details as part of the ordering process. Is this allowed?
To support the efficiency of future orders, 'made to measure' hosiery manufacturers may ask for a patient identifier when the order is placed, for example so that the template produced for that individual patient can be re-used in future. It is not appropriate to provide the patient’s name without prior consent. An alternative to the patient's name could be using the patient's PMR record number which can be traced back to the patient by the pharmacy or alternatively a unique identification number provided by the manufacturer that the pharmacy can record on the patient's PMR record for future reference.
