Deadline upcoming

Community Pharmacy England previously published updated guidance and support to help community pharmacy owners complete the Data Security and Protection Toolkit (DSPTK) 2026.

Completing the Toolkit is how pharmacies make their annual information governance (IG) declaration. It is a mandatory requirement under the NHS Terms of Service and must be completed by 30th June 2026.

Community Pharmacy England has worked closely with the NHS DSPTK team to ensure the Toolkit remains proportionate and practical, while continuing to support strong data security and patient confidentiality.

What’s changed in the 2026 Toolkit

This year’s Toolkit includes a small number of targeted updates designed to make completion clearer and quicker:

• A new question on multi‑factor authentication (MFA) for clinical IT systems
• Improved layout and navigation
• Clearer wording, with pharmacy‑specific tips
• For some questions, the Toolkit shows last year’s answers, allowing teams to confirm or update information rather than start again

The NHS Parent Organisation Code (POC) batch submission feature also continues to operate. This allows pharmacy owners with three or more pharmacies under the same POC to complete one submission covering all premises.

Reducing the workload

Most pharmacy teams should already have access to the information needed to answer the more technical questions.

Pharmacies that have refreshed and updated their templates in Community Pharmacy England’s GDPR Workbook can meet the criteria for around half of the Toolkit questions.

For these questions, if the GDPR Workbook has been fully updated, pharmacy teams can enter “see GDPR WB”.

We strongly encourage pharmacy teams to factor the Toolkit annual requirement into workload planning, rather than leaving completion until the final weeks.

Check your Parent Organisation Code (POC) details

Pharmacy owners with three or more pharmacies are advised to check that the list of pharmacies linked to their NHS Parent Organisation Code (POC) is accurate.

Doing this early helps avoid delays and allows any issues to be resolved well ahead of the submission deadline.

Also, be aware of GDPR-themed scam emails

We are aware of recent reports from across the country of scam emails being sent to community pharmacies. These messages often claim that a pharmacy is under investigation for a GDPR or data protection breach.

These emails can appear convincing, but should be deleted without responding. They are not linked to the Data Security and Protection Toolkit and do not indicate that a pharmacy has failed to meet its IG obligations. Common warning signs include urgent deadlines, threats of enforcement action, and messages sent from non‑official email addresses.

In some cases, these messages purport to come from investigative bodies or from patients or members of the public who allege that personal data was submitted online or mishandled. However, there have been examples where the individual has had no genuine prior interaction with the pharmacy. This should be distinguished from genuine information-governance enquiries from real patients. Read more about GDPR queries and scam emails.

Guidance and support from Community Pharmacy England

The following resources are available to support completion of the Toolkit:

Toolkit completion: Overview – five steps for completing the DSP Toolkit 2026
A clear, step by step guide with links to all supporting materials:
Five steps for completing

On‑demand webinar
Community Pharmacy England and the NHS DSPTK team explain the new MFA question, outline other changes, and answer common questions.
On-demand webinar

Question‑by‑question guidance (mandatory questions)
Designed to help pharmacy teams complete all mandatory sections.
Question-by-question guidance

Using the NHS Parent Organisation Code (HQ) batch submission
Guidance for pharmacy owners with three or more pharmacies.
Batch POC guidelines

Important reminders

Data Protection Officer (DPO)

• The DPO should ideally be independent from decisions about how data is used
• Where the owner or a senior staff member acts as DPO, any potential conflicts of interest should be documented, along with mitigating actions
• Some pharmacies choose to use an external DPO service where this is practical and affordable

Community Pharmacy England does not recommend or endorse individual purchasable Data Protection Officer (DPO) services or training providers. This is to ensure we remain impartial and do not interfere with the marketplace of available options.

Privacy notices
An updated privacy notice template is available on our data security templates webpage.

Next steps

• Log in to the Data Security and Protection Toolkit as soon as possible
• Start with the “Five steps” overview guide
• Begin completing the Toolkit where time allows

All mandatory questions must be answered to meet the minimum NHS information governance requirements.

Related resources

Our website section: Data Security and Protection Toolkit – A one-stop shop for all the information, guidance and resources needed to complete the Toolkit.

The new application route

The new application route – which is available in addition to the pre-existing route – has a single regulatory test. When deciding an application for rearranging core opening hours, the ICB must:

‘… seek to ensure that the people who are accustomed to accessing pharmaceutical services at the pharmacy premises are likely to benefit from the changes because, overall, they would be more likely to access those services at those premises during the proposed core opening hours than during the existing core opening hours.’ (26(2ZB))

The new application route considers the needs of people who are accustomed to accessing pharmacy services at the applicant’s pharmacy, rather than, as in the existing application route, the needs of people (and the opening of other pharmacies) in the wider area around the pharmacy.

Applicants seeking to rearrange their core opening hours must state which application route they are relying on, the new one (para 26(2ZB)) or the existing one (para 24(1)).

More information about the new and existing application routes can be found in our Briefing 013/25: Regulatory Changes in June 2025 – DSPs, Opening Hours, etc.

Business needs

As part of the national negotiations, it was also agreed that for both new and existing applications, ICBs would be required:

• to take into consideration the business needs of the pharmacy, as part of the decision-making process on opening hours applications, where these have been cited by the applicant pharmacy owner.

The Pharmacy Manual (Chapter 36) will be amended to reflect these changes, and in the meantime, NHS England has confirmed, from today (23 June), ICBs should apply this.

Applications forms

The new application for rearranging core opening hours is available here, it will be available on the NHS website in due course.

Pharmacy opening hours are part of pharmacies’ Terms of Service for providing NHS pharmaceutical services.

Most pharmacies must open for 40 core contractual hours (this includes Distance Selling Premises (DSP) pharmacies).

Some pharmacies must open between 72-100 core contractual hours (called 100-hour pharmacies for those that have opened under the former exemption from the control of entry test).

All pharmacies may open for additional supplementary hours.

Pharmacies are not required to open (to provide core contractual hours) on, for example, Bank holidays but some may be directed by the NHS to provide Bank holiday opening hours.

On occasion, pharmacies may have to close. This may be a planned temporary closure, for example, for the refurbishment of the premises, or an unplanned temporary closure, if, for example, that morning the pharmacist reports they are ill and unable to work.

https://cpe.org.uk/quality-and-regulations/terms-of-service/opening-hours/