The Data Security and Protection Toolkit (DSP Toolkit), previously known as the Information Governance or (IG) Toolkit, is an NHS England mandatory online assessment. All community pharmacies and providers of NHS services within England must complete the assessment by March 31st 2019. The main difference between the IG Toolkit completion and the DSP Toolkit is the addition of GDPR.
While there is limited information regarding fines for breaching GDPR, there are essentially two levels. The first level is a fine of up to €10 million or 2% of the company’s global annual turnover of the previous financial year. The second level is up to €20 million or 4% of the company’s global annual turnover of the previous financial year. In both cases, it will be either or depending on whichever is higher.
Steps To Complete The Data Security and Protection Toolkit Online Assessment
Questions in the DSP Toolkit have been updated to include GDPR (General Data Protection Regulation) and the National Data Guardian’s Ten Data Security Standards for the healthcare sector.
The first step, as indicated below, is to register on the Toolkit registration page which enables you to complete it before 31st March 2019.
- Registration to access the DSP toolkit
- Enter the relevant information on the ‘organisation profile’ webpage
- Select your PMR supplier
- Consider whether all staff members have had sufficient training
- Consider whether your pharmacy organisation will use the Toolkit ‘batch submission’ feature
- Visit the Toolkit Assessment section and use PSNC’s guidance to help complete the remaining mandatory questions
Data Security and Protection Toolkit Assessment Overview
PSNC and NHS Digital have worked together on developing the Toolkit while NHS Digital informally endorsed the information in the Toolkit completion. They have reached an agreement in key areas which means the time and effort required to complete the toolkit has been significantly reduced.
- Firstly, contractors who completed the GDPR Workbook earlier this year simply tick a box to confirm and almost half the questions will be autocompleted
- Secondly, many contractors will have access to information that can help then answer up to 12 technical questions thanks to the support from several PMR suppliers
Community pharmacies must meet all mandatory evidence requirements which means all mandatory questions must be answered.
Ahead of the DSP Toolkit assessment deadline, most contractors may already have trained their staff to the required level during GDPR implementation which commenced in May 2018. If that is not the case, contractors must ensure that 95% of all current staff members have received the relevant training.
Before we continue, please note the following about question 3.3.1 in the new Toolkit assessment. The question states: “Staff pass the data security and protection mandatory test … Level 1 Data Security Awareness training”. NHS Digital confirmed that the question can be marked completed if equivalent training has taken place. This includes the GDPR guidance for Community Pharmacy (Part 2) staff training booklet.
Basic IG Training
Basic Information Governance Training forms an essential part and comprises of several options including:
- GDPR Guidance Training Booklet
- NHS Digital Online IG Training Tool
- Paper Based Training Package
- Online Training Tools
- In-house Training
GDPR Guidance Training Booklet
GDPR and UK Data Protection Act 2018 came into effect 25 May 2018. It represents an overhaul of data protection legislation of all organisations, including community pharmacies. Everyone must take the appropriate steps to ensure that they comply with the required regulations. Along with other stakeholders, PSNC developed a range of guidance resources to help pharmacy contractors to comply.
A staff training booklet has been made available on GDPR Guidance For Community Pharmacies (Part 2). And as stipulated above, if staff received this training, it can be used to answer question 3.3.1.
NHS Digital Online IG Training Tool
The NHS Digital Online IG Training Tool, “Data Security Awareness Level 1”, is equivalent to the GDPR training booklet. This means that it can also confirm against question 3.3.1 in the new Data Security and Protection Toolkit. Pharmacists and technicians can access the online interactive version through the Centre for Pharmacy Postgraduate Education (CPPE). It provides access to e-Learning for Healthcare learning modules.
Paper Based Training Package
A collaborative effort in January 2010 between PSNC, RPSGB and DH Informatics resulted in a handy training booklet called, ‘Information Governance Training Booklet for Pharmacy Staff’. Every pharmacy and PCT (Medicines Management Lead) in England received a copy. Click here to download the training booklet.
Online Training Tools
A basic e-learning module aimed at pharmacy staff is available through the online Information Governance Training Tool (IGTT). It is titled, ‘Information governance for pharmacy staff’ and contains similar content to the IG training booklet for pharmacy staff.
While much of the focus has been on digital or paper-based courses, there are other equivalent training resources available. These include several in-house training packages that numerous pharmacies produce which also meet the requirements.
It’s important to become familiar with the Community Pharmacy GDPR Working Parties. It includes the PSNC, NPA, CCA, AIMp, RPS, CPPE and CPW. Guidance for Community Pharmacy (Part 1), associated GDPR guidance and PSNC’s IG guidance documents will help during training.
Cyber Security Training
The National Cyber Security Centre (NCSC) plays a vital role in ensuring that the UK can operate securely online. They work with industry, government and academia to support the next generation of researchers, students and innovation.
The ‘Cyber Essentials’ training scheme is a recognised cyber security assurance certification and the Department of Health and Social Care recommends. They stated that all NHS organisations should at least meet this particular cybersecurity standard.
Community pharmacies are not NHS organisations which means they don’t have to meet the cybersecurity standard. However, contractors who would like to may do so as many are already submitting IG assurances to NHS England via the Data Security and Protection Toolkit (formerly the IG Toolkit).
Missed The Toolkit Submission Deadline?
All NHS contractors and providers, including community pharmacies, must provide the NHS with information governance assurances annually. They do this by completing an online assessment tool which essentially is the ‘Data Security and Protection Toolkit’.
Missing the submission deadline is technically a breach of contract which could ultimately result in NHS England taking action. Considering the implications and possible fines, it is imperative to plan the Toolkit submission in advance.
Despite all this, PSNC encourages all pharmacy contractors in this situation to submit as soon as practicable. If they cannot for some reason, it would be best to contact their local NHS team on how to proceed.
If you need support regarding the IG requirements, please visit the IG Frequently Asked Questions page. At the same time, NHS Digital have also created a handy Frequently asked questions: Toolkit answers page.
VirtualOutcomes GDPR Training
To support pharmacies in completing the training, we would advise pharmacy owners to ensure that they have completed the PSNC Workbook 2. In addition, they must cascade the required training to ensure the entire team completes the GDPR training from VirtualOutcomes. Contact us to find out more about our courses and how you can register.