Lord Mawhinney – 2016 Parliamentary Question to the Department of Health

The Parliamentary question below was asked by Lord Mawhinney on 2016-04-11.

To ask Her Majesty’s Government what are the principal criteria which must be addressed by pharmacies in the retail sector when they provide “information governance assurances” to the NHS annually.

Lord Prior of Brampton

All National Health Service providers, including community pharmacies, are required to provide information governance assurances to the NHS on an annual basis. These assurances are provided through completion of an online assessment tool, the NHS Information Governance Toolkit.

Community pharmacies and dispensing appliance contractors currently have to assess themselves against the following requirements:

Information Governance Management

– Responsibility for Information Governance has been assigned to an appropriate member, or members, of staff;

– There is an information governance policy that addresses the overall requirements of information governance;

– All contracts (staff, contractor and third party) contain clauses that clearly identify information governance responsibilities; and

– All staff members are provided with appropriate training on information governance requirements.

Confidentiality and Data Protection Assurance

– All person identifiable data processed outside of the United Kingdom complies with the Data Protection Act 1998 and Department of Health guidelines;

– Consent is appropriately sought before personal information is used in ways that do not directly contribute to the delivery of care services and objections to the disclosure of confidential personal information are appropriately respected;

– There is a publicly available and easy to understand information leaflet that informs patients/service users how their information is used, who may have access to that information, and their own rights to see and obtain copies of their records; and

– There is a confidentiality code of conduct that provides staff with clear guidance on the disclosure of personal information.

Information Security Assurance

– Monitoring and enforcement processes are in place to ensure NHS national application Smartcard users comply with the terms and conditions of use;

– There is an information asset register that includes all key information, software, hardware and services;

– Unauthorised access to the premises, equipment, records and other assets is prevented;

– The use of mobile computing systems is controlled, monitored and audited to ensure their correct operation and to prevent unauthorised access;

– There are documented plans and procedures to support business continuity in the event of power failures, system failures, natural disasters and other disruptions;

– There are documented incident management and reporting procedures;

– There are appropriate procedures in place to manage access to computer-based information systems; and

– All transfers of hardcopy and digital personal and sensitive information have been identified, mapped and risk assessed; technical and organisational measures adequately secure these transfers.