Once a pharmacy has become ‘SCR live’, SCRs will only be accessed within that pharmacy:

• by pharmacists and pharmacy technicians;
• once the SCR requirements have been fulfilled;
• when the patient has provided their consent and permission to view (PTV) or in an emergency scenario; and
• where there is a legitimate relationship (LR) with the patient i.e. the pharmacy team are involved in the patient’s care at that point in time.

Security measures include:

• Smartcard users have agreed to use their cards in line with the user policy;
• Standard Operating Procedures (SOPs) for SCR use must be in place;
• the professional code of conduct, and employment contracts must be adhered to; and
• contractors complete the Information Governance (IG) toolkit each year.

• Every SCR-access is fully auditable and linked with the Smartcard ‘logged in’ at that time.
• Privacy alerts are generated by accessing SCR. These also indicate when the emergency access option is used.
• Reports are available to show every record accessed by every Smartcard.
• Patients can request to see who has accessed their SCR at any time.

Each pharmacy organisation that has access to SCR must have a nominated person who is responsible for monitoring the SCR usage of the pharmacy’s SCR users – the SCRGP.

This person will audit SCR accesses and manage privacy alerts.

Privacy alert notifications (if you have NHSmail) can provide prompts for the SCRGP to investigate SCR access and to check that the accesses have been appropriate. Use of the Alert Viewer tool is also an option.

The SCRGP will review the pattern of privacy alerts at regular intervals to spot anomalies.

Example scenarios in which the SCRGPs may investigate include:

• an unexpectedly high number of emergency accesses;
• recurring access to the same patient’s SCR;
• access during closing hours;
• no record of the reason for access;
• apparent access by a branch before it has gone live with SCR;
• disproportionate accesses being made by one member of staff; or
• unusual patterns are spotted.

Where the access is legitimate than the privacy alert is closed and no further action is required.

In the event that any illegitimate access is confirmed during the investigative process, local guidelines will apply. The ‘Care Record Guarantee’ document says that: “If we find that someone has deliberately accessed records about you without permission or good reason, we will tell you and take action. This can include disciplinary action, which could include ending a contract, firing an employee or bringing criminal charges.”

SCRGP = Governance Person in regards to SCR. Older documention refers to ‘Privacy Officer’, but this has been re-described to better describe the role.

Q. I have accessed the NHS Digital’s ‘SCRa’ portal demographics screen of a patient to check whether a patient has the Shielded Patient Flag, will this generate a privacy alert?

PSNC have been advised by NHS England and NHS Improvement that access to the demographics screen of the NHS Digital’s ‘SCRa’ portal will not generate a privacy alert.

Q. How many SCRGPs need to be appointed?

The number of individuals undertaking the role of the SCRGP will vary amongst different community pharmacy organisations. Organisations may take into account the frequency of usage, number of staff accessing, and the number of branches live with SCR, when assigning the SCRGP role(s). SCRGPs are responsible for checking appropriate use across the organisation.

Q. How much time is required to undertake the SCRGP role? How many alerts require checking?

There is no mandated number of privacy alerts which require investigation. Initially some pharmacies may decide to check around 10% of privacy alerts each month, although this will depend on the circumstances of the pharmacy, the total number of SCRs being accessed, and the trends being identified. One pharmacy team may decide to take a few minutes each week for checks, another pharmacy team may use more time, but check each quarter. The regularity of the checks may be reviewed and adjusted as processes become embedded into practice, or in the event of evidence of inappropriate usage.

Q. Who can be a SCRGP in community pharmacy?

Every pharmacy has a nominated SCRGP prior to accessing SCR. It is useful for at least two people to have SCRGP role – a primary SCRGP, and somebody to cover for sick/annual leave. The designated SCRGPs ideally should not have access to SCR for the pharmacy branch they work in. However, this may not be feasible in small pharmacies, and pharmacy professionals with access to SCR may also have the SCRGP role. In this setting, the support SCRGP will monitor the primary SCRGP’s access and vice versa.