Clinical Governance & Data Security
Overview
Virtual Pharmacist provides a fully managed remote clinical pharmacy service, with clinical responsibility and governance sitting with us as the provider. This page sets out the clinical, professional, information-governance and data-security standards that underpin our work.
Every accreditation above links to its public register so you can verify it independently.

Clinical governance framework
Our clinical governance framework is overseen by our Clinical Director and encompasses clinical audit, peer review, incident reporting and learning, and continuous quality improvement.
Every service is delivered to documented protocols, with clear escalation routes to a GP or senior pharmacist.
Professional registration and competence
Every pharmacist and pharmacy technician delivering our services is registered with the GPhC and in good standing, and is supported to maintain CPD and revalidation. Before they begin, we complete pre-engagement checks including identity, right-to-work, GPhC registration verification and references, and our clinicians hold DBS checks (enhanced where required). Independent Prescribers hold an active IP qualification and work within their scope of competence.
Clinical accountability and indemnity
Virtual Pharmacist holds clinical responsibility for the services we deliver. Final prescribing and clinical decisions remain with the patient’s responsible GP, in line with agreed protocols. Virtual Pharmacist holds medical malpractice insurance.

Clinical safety (DCB0129)
Our service is developed and operated in line with DCB0129, the NHS clinical risk management standard for health IT and digital clinical services. Clinical safety is led by a nominated Clinical Safety Officer, supported by a documented clinical risk management process.
- We maintain a hazard log that identifies, assesses and mitigates clinical risks across our workflows
- Each service has a clinical safety case setting out the controls that keep patients safe
- New services and significant changes are risk-assessed before they go live, then reviewed as part of ongoing governance
- Where we work within a practice’s systems, we support the deploying organisation’s DCB0160 responsibilities

Information governance and data security
Virtual Pharmacist has met the NHS Data Security and Protection Toolkit (DSPT) standard (“Standards Met”) every year since 2020-21 (ODS code S6I6X). We handle all patient data in line with UK GDPR, the Data Protection Act 2018 and NHS information governance standards.
- Our clinicians work entirely within your own clinical systems (EMIS Web or SystmOne) under formal data sharing agreements with each practice and PCN
- System access is provisioned through NHS smartcards
- Patient data is encrypted in transit and at rest
- We apply data minimisation and need-to-know access
For any information-governance or data-security query, contact our Information Governance lead at [email protected].
Cyber security
We hold Cyber Essentials certification, and all connectivity to NHS clinical systems is over the secure Health and Social Care Network (HSCN).
Safeguarding
All clinical personnel complete safeguarding training appropriate to their role, with clear routes to raise and escalate safeguarding concerns.
Quality and standards alignment
Our clinical work is aligned to national guidance, including NICE guidance, the BNF and MHRA drug safety alerts, and supports practices with QOF and CQC readiness.
Compliance at a glance
| Standard | What it covers | Our status |
|---|---|---|
| NHS DSPT | Annual NHS data security & information governance assurance | Standards Met every year since 2020-21 (ODS S6I6X) |
| UK GDPR & DPA 2018 | Lawful, secure handling of personal data | Compliant; ICO registered (ZB127110) |
| Cyber Essentials | Baseline cyber security controls | Certified |
| DCB0129 | Clinical risk management for health IT | Compliant; Clinical Safety Officer, hazard log & safety case |
| HSCN | Secure connectivity to NHS clinical systems | All NHS system access over HSCN |
| GPhC registration | Professional regulation of our clinicians | All clinicians registered and in good standing |
| Professional indemnity | Cover for the clinical services we deliver | Medical malpractice insurance held |
Policies and assurance
We maintain internal policies including an Information Security Policy and data-protection and information-governance policies. Assurance documentation is available to commissioning partners on request.
Accreditations and verification
Our certifications can be independently verified:
- NHS Data Security and Protection Toolkit: Standards Met. Organisation code S6I6X. Verify our DSPT record.
- Cyber Essentials: certified. Verify on the IASME certificate search.
- DCB0129 clinical safety: compliant. Read our clinical safety statement.
- GPhC: all our pharmacists and pharmacy technicians are registered with the General Pharmaceutical Council.
- ICO registration (data protection): registered with the Information Commissioner’s Office, registration reference ZB127110. Verify our ICO registration.
- Registered trade mark: “Virtual Pharmacist” is a registered UK trade mark, number UK00004104911. Verify on the IPO trade mark register.
Frequently asked questions
Do you meet the NHS Data Security and Protection Toolkit?
Yes. We have published a “Standards Met” DSPT return every year since 2020-21 under organisation code S6I6X, and our current status can be verified on the NHS DSPT register.
Where is our patient data held and how do you access it?
Our clinicians work entirely within your own clinical systems (EMIS Web or SystmOne). Access is provisioned through NHS smartcards over the secure Health and Social Care Network (HSCN), and patient data is encrypted in transit and at rest. We do not hold copies of your patient record outside your clinical systems.
Are you registered with the ICO?
Yes. Virtual Pharmacist Ltd is registered with the Information Commissioner’s Office under reference ZB127110, and handles personal data in line with UK GDPR and the Data Protection Act 2018.
Are your clinicians vetted and trained in data security?
Yes. Before anyone begins we complete identity, right-to-work, GPhC registration and reference checks, and our clinicians hold DBS checks (enhanced where required). All personnel complete information governance and safeguarding training appropriate to their role.
Do you meet clinical safety standards?
Yes. Our service is developed and operated in line with DCB0129, with a nominated Clinical Safety Officer, a hazard log and a clinical safety case for each service.
What happens if there is a data security incident?
We operate a documented incident management process to contain and investigate any incident, put things right and learn from it. Where required, we notify the affected organisation and the ICO within 72 hours.
Can we see your policies before we start?
Yes. We can share our information governance, data protection and information security policy documentation, along with our DSPT status and certificates, with commissioning partners on request.
Need our due-diligence pack?
We can share our information-governance and data-security assurance documentation – DSPT status, IG and information security policy summaries, and certificates – with commissioning partners on request.

