Clinical Governance & Data Security

Overview

Virtual Pharmacist provides a fully managed remote clinical pharmacy service, with clinical responsibility and governance sitting with us as the provider. This page sets out the clinical, professional, information-governance and data-security standards that underpin our work.

Every accreditation above links to its public register so you can verify it independently.

Clinical governance: audit, oversight and continuous improvement

Clinical governance framework

Our clinical governance framework is overseen by our Clinical Director and encompasses clinical audit, peer review, incident reporting and learning, and continuous quality improvement.

Every service is delivered to documented protocols, with clear escalation routes to a GP or senior pharmacist.

Professional registration and competence

Every pharmacist and pharmacy technician delivering our services is registered with the GPhC and in good standing, and is supported to maintain CPD and revalidation. Before they begin, we complete pre-engagement checks including identity, right-to-work, GPhC registration verification and references, and our clinicians hold DBS checks (enhanced where required). Independent Prescribers hold an active IP qualification and work within their scope of competence.

Clinical accountability and indemnity

Virtual Pharmacist holds clinical responsibility for the services we deliver. Final prescribing and clinical decisions remain with the patient’s responsible GP, in line with agreed protocols. Virtual Pharmacist holds medical malpractice insurance.

Clinical safety: clinical risk managed by design, in line with DCB0129

Clinical safety (DCB0129)

Our service is developed and operated in line with DCB0129, the NHS clinical risk management standard for health IT and digital clinical services. Clinical safety is led by a nominated Clinical Safety Officer, supported by a documented clinical risk management process.

  • We maintain a hazard log that identifies, assesses and mitigates clinical risks across our workflows
  • Each service has a clinical safety case setting out the controls that keep patients safe
  • New services and significant changes are risk-assessed before they go live, then reviewed as part of ongoing governance
  • Where we work within a practice’s systems, we support the deploying organisation’s DCB0160 responsibilities
Information governance and data security: your patient data protected

Information governance and data security

Virtual Pharmacist has met the NHS Data Security and Protection Toolkit (DSPT) standard (“Standards Met”) every year since 2020-21 (ODS code S6I6X). We handle all patient data in line with UK GDPR, the Data Protection Act 2018 and NHS information governance standards.

  • Our clinicians work entirely within your own clinical systems (EMIS Web or SystmOne) under formal data sharing agreements with each practice and PCN
  • System access is provisioned through NHS smartcards
  • Patient data is encrypted in transit and at rest
  • We apply data minimisation and need-to-know access

For any information-governance or data-security query, contact our Information Governance lead at [email protected].

Cyber security

We hold Cyber Essentials certification, and all connectivity to NHS clinical systems is over the secure Health and Social Care Network (HSCN).

Safeguarding

All clinical personnel complete safeguarding training appropriate to their role, with clear routes to raise and escalate safeguarding concerns.

Quality and standards alignment

Our clinical work is aligned to national guidance, including NICE guidance, the BNF and MHRA drug safety alerts, and supports practices with QOF and CQC readiness.

Compliance at a glance

StandardWhat it coversOur status
NHS DSPTAnnual NHS data security & information governance assuranceStandards Met every year since 2020-21 (ODS S6I6X)
UK GDPR & DPA 2018Lawful, secure handling of personal dataCompliant; ICO registered (ZB127110)
Cyber EssentialsBaseline cyber security controlsCertified
DCB0129Clinical risk management for health ITCompliant; Clinical Safety Officer, hazard log & safety case
HSCNSecure connectivity to NHS clinical systemsAll NHS system access over HSCN
GPhC registrationProfessional regulation of our cliniciansAll clinicians registered and in good standing
Professional indemnityCover for the clinical services we deliverMedical malpractice insurance held

Policies and assurance

We maintain internal policies including an Information Security Policy and data-protection and information-governance policies. Assurance documentation is available to commissioning partners on request.

Accreditations and verification

Our certifications can be independently verified:

Frequently asked questions

Do you meet the NHS Data Security and Protection Toolkit?

Yes. We have published a “Standards Met” DSPT return every year since 2020-21 under organisation code S6I6X, and our current status can be verified on the NHS DSPT register.

Where is our patient data held and how do you access it?

Our clinicians work entirely within your own clinical systems (EMIS Web or SystmOne). Access is provisioned through NHS smartcards over the secure Health and Social Care Network (HSCN), and patient data is encrypted in transit and at rest. We do not hold copies of your patient record outside your clinical systems.

Are you registered with the ICO?

Yes. Virtual Pharmacist Ltd is registered with the Information Commissioner’s Office under reference ZB127110, and handles personal data in line with UK GDPR and the Data Protection Act 2018.

Are your clinicians vetted and trained in data security?

Yes. Before anyone begins we complete identity, right-to-work, GPhC registration and reference checks, and our clinicians hold DBS checks (enhanced where required). All personnel complete information governance and safeguarding training appropriate to their role.

Do you meet clinical safety standards?

Yes. Our service is developed and operated in line with DCB0129, with a nominated Clinical Safety Officer, a hazard log and a clinical safety case for each service.

What happens if there is a data security incident?

We operate a documented incident management process to contain and investigate any incident, put things right and learn from it. Where required, we notify the affected organisation and the ICO within 72 hours.

Can we see your policies before we start?

Yes. We can share our information governance, data protection and information security policy documentation, along with our DSPT status and certificates, with commissioning partners on request.

Need our due-diligence pack?

We can share our information-governance and data-security assurance documentation – DSPT status, IG and information security policy summaries, and certificates – with commissioning partners on request.

Request the assurance pack