Access training for SGPs
The SGP makes sure that Summary Care Records are only used in line with strict information governance rules for looking at patient records. Each pharmacy must have at least one SGP who is responsible for checking that Summary Care Records are being used properly. Each time an SCR is accessed, an alert is generated. SGPs audit these alerts.
We recommend that each pharmacy has at least two SGPs. They don't have to be clinical staff and can be anyone employed by the pharmacy, or an external provider. If using an external provider, there must be a formal agreement in place. See sample privacy officer provision agreement.
SGP (Privacy officer) smartcard codes
The SGP has codes added to their smartcard which give them access to the audit and reporting tools of the Summary Care Record system. The RBAC code is R0001 and contains activity B0016 - Receive Self Claimed LR Alerts and activity B0015 - Receive Emergency View Alerts.
Business processes and tools for SGPs
Each pharmacy organisation should put in place its own business processes to check that SCR is being used correctly. Examples of these processes can be found in the full Privacy Officer Guidance for Community Pharmacy. These processes should be documented in a Standard Operating Procedure document. Download a template Standard Operating Procedure document to help define your processes.
There are three main tools for SGPs to use to make sure the rules are being followed.
The SCR Alert Viewer
SGPs need to audit alerts using the alert viewer, by:
- checking to see when SCRs have been accessed. See guidance on using the alert viewer.
- establishing if a legitimate relationship was in place, and that any emergency accesses made were explained, and then either:
  - flagging any accesses which need further investigation
  - addressing any incorrect use such as reasons for access not being entered, or
  - closing the alert. See our tutorial on closing alerts in the alert viewer.
- escalating any access that seems to be inappropriate to the relevant escalation point for further investigation. This could be the Operations Manager, Pharmacy Superintendent, Pharmacy Owner or Information Governance lead.
Spine Reporting Service
SGPs can also access the Spine Reporting Service from the SCR alert viewer portal to run reports on specific users, patients or suspicious use.
Alert Reconciliation spreadsheet
We provide an alert reconciliation spreadsheet tool to help SGPs cross check SCR access with the Patient Medication Record (PMR). Your PMR system must be able to provide a report listing patient NHS numbers to use it.
Download the alert reconciliation spreadsheet
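The same cross-check can be scripted. The sketch below is an added example, not NHS Digital's spreadsheet or code from this page. It assumes the alert export and the PMR report are CSV files with an `nhs_number` column; the column names, alert IDs and sample rows are constructed. It also validates each NHS number's Modulus 11 check digit, so mistyped numbers are reported separately rather than as missing PMR matches.

```python
import csv
import io

def valid_nhs_number(raw):
    """Return the 10-digit NHS number if its Modulus 11 check digit is valid, else None."""
    digits = "".join(ch for ch in raw if ch.isdigit())  # tolerate "943 476 5919"
    if len(digits) != 10:
        return None
    total = sum(int(d) * w for d, w in zip(digits[:9], range(10, 1, -1)))
    check = 11 - (total % 11)
    if check == 11:
        check = 0
    if check == 10 or check != int(digits[9]):  # a check value of 10 is never issued
        return None
    return digits

def reconcile(alert_csv, pmr_csv):
    """Split alert IDs into (matched, unmatched, malformed) against the PMR report."""
    pmr = set()
    for row in csv.DictReader(io.StringIO(pmr_csv)):
        number = valid_nhs_number(row["nhs_number"])
        if number:
            pmr.add(number)
    matched, unmatched, malformed = [], [], []
    for row in csv.DictReader(io.StringIO(alert_csv)):
        number = valid_nhs_number(row["nhs_number"])
        if number is None:
            malformed.append(row["alert_id"])   # fix the data before judging the access
        elif number in pmr:
            matched.append(row["alert_id"])     # patient is known to this pharmacy
        else:
            unmatched.append(row["alert_id"])   # no PMR record: flag for investigation
    return matched, unmatched, malformed

# Constructed sample data (hypothetical column names, test NHS numbers).
ALERTS = """alert_id,nhs_number,accessed_by
A1,943 476 5919,user-a
A2,4010232137,user-b
A3,9434765918,user-a
"""
PMR = """nhs_number
9434765919
999 000 0018
"""

if __name__ == "__main__":
    for label, ids in zip(("matched", "unmatched", "malformed"), reconcile(ALERTS, PMR)):
        print(label, ids)
```

An unmatched alert is a prompt to check the access, not proof of misuse.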
Any inappropriate access is dealt with in line with the pharmacy organisation's existing information governance policies. If it is found that there has been a confidentiality breach, the patient may need to be informed, in line with the care record guarantee.
Subject Access Requests
The SGP can also run a Subject Access Request, if a patient asks for information on who has looked at their SCR. As these are rare, it's best to get advice from NHS Digital.