As the Sunday 31 March deadline approaches, the Pharmaceutical Services Negotiating Committee shares its top tips on how to complete the Data Security and Protection Toolkit.

Each year, community pharmacy contractors complete an online self-assessment about their information governance (IG) policies and procedures. This is required under a pharmacy’s Terms of Service.

For 2018/19, the IG Toolkit has been replaced by the ‘Data Security and Protection Toolkit’ after undergoing a comprehensive review to incorporate the General Data Protection Regulation (GDPR), which came into effect in May 2018, and make completion as straightforward as possible.

To meet the standards, or pass/comply, you need to satisfactorily complete the 70 mandatory questions in the Toolkit.

While 75% of pharmacy contractors have already registered to use the Toolkit, only half of these had published the assessment as of 20th March 2019.

Below we give you our guidance on working your way through the Toolkit.

1. Register now

As this is a new version of the Toolkit, you will need to register to use it. The process will just take a few minutes and uses your pharmacy’s ODS (F) code and an email address to create an account.

2. Make use of PSNC’s GDPR Workbook

The GDPR represented an overhaul of data protection legislation and community pharmacies should already be complying with it.

This legislation is integral to the Toolkit, so if you completed our GDPR Workbook last year, the good news is that you can simply tick a box and then around half of the Toolkit questions will be completed automatically for you. There is no requirement to upload any documents, such as the completed workbook, but you may wish to state the name of the document and where it is kept within the pharmacy in the ‘document location’ text field for future reference.

If you didn’t complete the GDPR Workbook, then it’s not too late to do so. Visit and fill in the editable templates in Workbook for Community Pharmacy (Part 3) of our GDPR guidance documents.

Also note that NHS Digital has confirmed to PSNC that the Guidance for Community Pharmacy (short version) (Part 2) staff training booklet is acceptable equivalent training material for use to meet Toolkit question 3.1.1.

3. Read our question-by-question guidance

To help you, we have drawn up guidance that describes the actions required to complete the mandatory questions, in order. This is available in either a PDF or an Excel spreadsheet format.

The PDF version lists actions and explanatory notes for all the mandatory Toolkit questions that are not covered by the GDPR Workbook. The Excel spreadsheet examines all the mandatory and optional questions, and has separate tabs for different types of question.

Visit and download your preferred version of the Toolkit completion: Question-by-question guidance. You can then use this to work your way through the questions that have not already been marked as completed due to the GDPR Workbook.

4. Answer the technical questions

The Toolkit includes 12 technical questions that need to be completed. We had hoped that contractors would have access to information provided by patient medication record (PMR) suppliers to help answer these. However, this is not yet available and therefore we recommend using the PSNC guidance to complete the technical questions, which is based on information provided by PMR suppliers. If you get stuck, you may wish to contact your PMR supplier directly for support.


Cyber Essentials PLUS: There is a reference to ‘Cyber Essential PLUS’ in the Organisation Profile section. This scheme is a recognised cyber security assurance certification that the Department of Health and Social Care (DHSC) recommends all NHS organisations meet. However, as community pharmacies are not formally categorised as ‘NHS organisations’, there is no requirement for you to meet this cyber security standard.

Submitting the Toolkit: A ‘Progress’ section on the right-hand side of the screen allows you to see what you have done so far and lets you know whether you have met the required standards yet. This section also tells you how many assertions have been confirmed (ie entered) but as long as it confirms you have met standards by completing the mandatory questions, then you can publish (ie submit) your assessment knowing all the required mandatory evidence is present.

Making changes: One advantage of having to register to complete the Toolkit is that you are free to stop working on it and go back later at any stage. If you submit your completed Toolkit but then realise that you need to add some extra information, you can be assured that you can re-publish your assessment as many times as you like. Just remember that you must have completed it by 11.59pm on Sunday 31st March 2019.

Further information

We have developed an overview briefing which describes the steps to follow to complete the Toolkit: PSNC Briefing 064/18: Completing the Data and Security (IG) Protection Toolkit. It incorporates all of PSNC’s guidance as well as providing links to related resources.

The newly published PSNC Briefing 014/19: DSP Toolkit FAQs may also assist in answering common queries you may have.

Both of these briefings can be found on our IG webpage:

Please contact PSNC on 0203 1220 810 or email [email protected] if you have any further queries.