General Pharmaceutical Council (GPhC)

Information Sharing Agreement between the NHS Counter Fraud Authority and General Pharmaceutical Council

Published: 2 November 2023


The parties to this information sharing agreement are:

  1. General Pharmaceutical Council Level 14, 1 Cabot Square, London, E14 4QT
  2. NHS Counter Fraud Authority 7th Floor, HM Government Hub, 10 South Colonnade, Canary Wharf, London E14 4PU; and
  3. NHS Counter Fraud Services (NHS Wales) First Floor Block B, Mamhilad House, Mamhilad Park Estate, Pontypool, NP4 0YP


The Information Sharing Agreement (ISA) sets out the framework for information sharing between the NHS Counter Fraud Authority (NHSCFA) and the General Pharmaceutical Council (GPhC). It sets down the principles underpinning the interaction between the parties and provides guidance on the exchange of information between them.

This ISA does not override the statutory responsibilities and functions of the NHSCFA and the GPhC and is not enforceable in law. However, NHSCFA and the GPhC are committed to working in ways that are consistent with the content of this ISA.


The aims of this ISA are to ensure information is legally and appropriately shared in order to assist the parties to fulfil their statutory functions. In particular to:

  • ensure the sharing of information is carried out between the parties in an accurate, adequate, timely and lawful manner;
  • promote co-operation between the GPhC and the NHSCFA in the conduct of their respective statutory duties;
  • facilitate the effective and efficient sharing of information to assist the GPhC to protect the public and promote public confidence in the pharmaceutical professions;
  • assist the NHSCFA with information gathering to safeguard NHS resources by assisting with the prevention and detection of fraud and other unlawful activities committed by those working in the NHS.

Remit of the NHS Counter Fraud Authority

NHS Counter Fraud Authority (NHSCFA) is an independent Special Health Authority established in November 2017. NHSCFA leads on work to identify and tackle fraud across the NHS. Its purpose is to safeguard NHS resources so that the NHS is better equipped to care for the nation’s health, providing support, guidance and direction to the NHS. This work enables effective prevention, detection and enforcement action to take place against those committing fraud. NHSCFA also collects, collates and analyses information that holds intelligence value, which in turn broadens the understanding of fraud risks in the NHS.

NHSCFA has duties and enforcement powers under the NHS Act 2006, the Health and Social Care Act 2012, and the NHSCFA (Establishment, Constitution and Staff and other Transfer Provisions) Order 2017, issued by the Secretary of State for Health. NHSCFA is responsible for:

  • leading on work to protect NHS staff, patients and resources from fraud and other economic crime, educating and informing those who work for, who are contracted to, or who use the NHS about fraud in the health service and how to tackle it;
  • preventing and deterring fraud in the NHS by reducing it to a minimum and removing opportunities for it to occur or to re-occur; and
  • holding to account those who have committed fraud against the NHS by detecting and prosecuting offenders and seeking redress where viable.

Remit of the General Pharmaceutical Council

The GPhC is the independent regulator for pharmacists, pharmacy technicians and pharmacy premises in England, Scotland and Wales. Its role is to protect, promote and maintain the health, safety and wellbeing of patients and the public who use pharmacy services in England, Scotland and Wales by upholding standards and public trust in pharmacy. The functions of the GPhC are set out in the Pharmacy Order 2010 and include:

  1. setting standards for the education and training of pharmacists, pharmacy technicians and pharmacy support staff, and approving and accrediting their qualifications and training
  2. maintaining a register of pharmacists, pharmacy technicians and pharmacies
  3. setting the standards that pharmacy professionals have to meet throughout their careers
  4. investigating concerns that pharmacy professionals are not meeting our standards, and taking action to restrict their ability to practise when this is necessary to protect patients and the public or to uphold public confidence in pharmacy
  5. setting standards for registered pharmacies which require them to provide a safe and effective service to patients
  6. inspecting registered pharmacies to check if they are meeting our standards.

In addition, the GPhC has enforcement powers and duties under the Poisons Act 1972, the Medicines Act 1968, the Humans Medicines Regulations 2012 and the Veterinary Medicines Regulations. These enforcement duties/powers mainly relate to the sale and supply of medicines from registered pharmacies.

Information Sharing

Single Point of Contact

The named contacts with responsibility for the ISA are named in Appendix 1. The points of contact will liaise as required to ensure the ISA is kept up to date; identify any emerging issues in the working relationship between the two organisations; and resolve any questions that arise as to the interpretation of this ISA. The points of contact can nominate an appropriate alternative point of contact for day-to-day communication and /or joint working but must communicate this to the other organisation.

Areas of cooperation

Both organisations acknowledge that intelligence can be received by way of whistleblowing, concerns raised by members of the public, referrals from other public bodies (including overseas regulators or investigatory bodies), or by information received from other sources (including from press monitoring or during the course of routine inspections to registered pharmacy premises).

If either organisation receives intelligence or information which:

  • Indicates a significant risk to the health and wellbeing of the public, particularly in relation to the safety of pharmacy services or the conduct of a pharmacist or pharmacy technician
  • Indicates a significant risk of fraud against the NHS
  • Requires a coordinated multi-agency response

this information will be shared in confidence with the contact specified below within the other organisation at the earliest possible opportunity. The decision to share will be based on the sharing party’s decision as to whether the sharing is lawful and appropriate.

NHSCFA has a duty, under Schedule 2 Part 4 Para 23 (1) (a) of the NHS (Pharmaceutical and Local Pharmaceutical Services) Regulations 2013, to respond to enquiries from persons, bodies or agencies considering applications from individuals or body corporates for inclusion in a pharmaceutical list, whether the individuals or directors of the body corporates have any record of, or are under investigation for, fraud.

To facilitate these checks, it is important that intelligence held by the GPhC relating to fraud offences by registrants is shared with NHSCFA on a timely basis.

NHSCFA has a responsibility to protect NHS staff, patients and resources from fraud and corruption and to take enforcement action against those committing fraud. To facilitate this work, it is important that intelligence held by the GPhC relating to registrants’ fitness to practise is shared with NHSCFA on a timely basis.

The GPhC has a duty to protect the public who use pharmacy services and the services provided by pharmacy professionals. To facilitate this work, it is important that intelligence held by NHSCFA that could indicate that a pharmacy professional’s fitness to practise is impaired or that a pharmacy’s service(s) pose a risk to the people using pharmacy services and the public, is shared with the GPhC on a timely basis.

Allegations of Criminality

Where the GPhC becomes aware of allegations against a pharmacist and/or pharmacy technician working in or for the NHS (or indeed, where there are misdirected allegations against other NHS staff) NHSCFA will be informed (if it is not clear that they are already aware) if there are clear allegations of fraud or corruption...

In cases where there are other allegations of dishonesty or criminality, the GPhC will disclose relevant information and documentation to NHSCFA where such allegations are relevant to NHSCFA’s core functions.

However, whether such disclosure takes place will depend on the circumstances of the case and the seriousness of the allegations.

Decisions to Disclose

In cases where GPhC staff are in doubt as to whether a case should be disclosed to NHSCFA, they will make contact with the point of contact specified below in order to discuss the matter. Any discussions at this stage will be anonymised. GPhC staff will be able to rely on the fact that if the specified NHSCFA contact indicates that they wish to receive full disclosure, this will be on the basis that it is essential for NHSCFA’s core purpose or is in the public interest.

Where NHSCFA is aware that during or following an investigation, evidence exists that a pharmacist or pharmacy technician has been involved in fraud or corruption or that a pharmacy professional’s fitness to practise may be impaired, the GPhC will be informed of such matters. The GPhC will consider whether any further investigation needs to be carried out and/or whether the matter should be referred to the Fitness to Practise Committee.

In cases where NHSCFA staff are in doubt as to whether a case should be disclosed to the GPhC, they will make contact with the point of contact specified below in order to discuss the matter. Any discussions at this stage will be anonymised. NHSCFA staff will be able to rely on the fact that if the specified GPhC staff indicate that they wish to receive full disclosure, this will be on the basis that that it is essential for the GPhC’s core purpose or is in the public interest.

In cases where an investigation has concluded that there was no fraudulent activity, but indicates there may be concerns about the activities of a pharmacist or a pharmacy technician, the information will be passed to the GPhC to enable staff to make an assessment of whether the concerns meet the GPhC’s threshold criteria for referral.

When information is disclosed to the GPhC there will be a discussion in advance about the timing of any action that the GPhC may consider appropriate, including disclosure of the case to the employer and individual involved. The GPhC will consider any request to delay action which may compromise any current NHSCFA investigation. However, NHSCFA recognises that action may need to be taken by the GPhC where it is in the public interest to do so.

In cases where NHSCFA becomes aware of allegations or evidence that an individual may be posing as a registered (or licensed) or competent pharmacist or pharmacy technician, either through a stolen identity, fraudulently acquired registration or through falsified qualifications, NHSCFA will immediately contact the GPhC via the point of contact specified below.

NHSCFA will provide all available information that might suggest that an individual is falsely posing as a qualified, competent or registered (or licensed) member of the GPhC. In these cases, the primary concern for both organisations will be patient safety. The GPhC will take whatever action is appropriate in the interests of protecting patients.

Concurrent Investigations

There may be occasions when the organisations need to undertake concurrent investigations. When this occurs both organisations will take steps to ensure that they do not undermine the progress and/or success of each other’s investigation. This may include allowing investigations to take place as a priority. There may, however, be occasions when the GPhC will need to act swiftly to take steps to protect public safety and would do so with due regard for other known ongoing investigations.

Where either organisation intends to undertake an investigation (over and above any routine inspection activity) the contact in the other organisation specified below should be alerted, in confidence, at the earliest possible opportunity.

Outcomes arising from any relevant investigations actioned by either organisation will be shared with the contact specified below at the earliest possible opportunity.

Where joint or parallel investigations are required, preliminary discussions should resolve any potential areas of conflict or overlap, arising from each organisation’s respective powers.

The GPhC and NHSCFA will work towards developing a joint investigation framework for working together to help ensure efficient and effective joint investigations.


Where either organisation has taken or intends to take enforcement action, the outcome of which is relevant to the other organisation, details will be shared at the earliest possible opportunity.

Data items

The parties agree to abide by the Data Sharing Code of Practice produced by the Information Commissioners Office, and recognise their respective responsibilities as public bodies under the UK General Data Protection Regulation (GDPR), Data Protection Act 2018 (DPA) and the Freedom of Information Act 2000 (FOIA).

The UK GDPR defines the following classes of information relevant to this ISA; ‘personal data’, ‘special categories of data’ and ‘personal data relating to criminal convictions and offences’.

Personal data

Personal data is defined as “any information relating to an identified or identifiable natural person; an identifiable natural person (data subject) is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

The obtaining, handling, use and disclosure of personal data is principally governed by the UK GDPR, DPA, Article 8 of the Human Rights Act 1998, and the common law duty of confidentiality.

The law imposes obligations and restrictions on the way personal data is processed, and the data subject has the right to know who holds their data and how such data will be processed, including how such data will be shared.

Special Category Data

Certain types of data are referred to as “special categories of personal data’ or ‘sensitive personal data”. These are data which relate to the data subject’s:

  • racial or ethnic origin;
  • political opinions;
  • religious or philosophical beliefs;
  • trade union membership;
  • genetic data;
  • biometric data;
  • health;
  • sexual life.

Additional and more stringent obligations and restrictions apply whenever sensitive personal data is processed.

Data Relating to Criminal Convictions and Offences

There are separate safeguards for personal data relating to criminal convictions and offences, set out in Article 10 of the UK GDPR. To process personal data regarding convictions or offences there must be a lawful basis under UK GDPR Article 6 and legal/official authority under Article 10.

Legal basis for sharing

The parties are to ensure that the disclosure, access, storage and processing of shared information is accurate, necessary, secure, legal and ethical, taking into account relevant legislation and approved guidance where applicable, including:

  • NHS Act 2006;
  • General Data Protection Regulation
  • Human Rights Act 1998;
  • Freedom of Information Act 2000;
  • Data Protection Act 2018;
  • Equality Act 2010;
  • Access to Health Records Act 1990;
  • Computer Misuse Act 1990;
  • Confidentiality: NHS Code of Practice;
  • Common Law Duty of Confidentiality.

Information shared between the parties will only be used for their respective statutory purposes; data exchanges will be managed by observing the methods and guidelines outlined in this ISA.

When the parties share information they do so in order to perform their respective statutory functions. Each party is solely responsible for determining their legal basis for sharing.

NHSCFA statutory function and legal basis for processing.

The statutory duties and powers of the NHSCFA are set out in Part 4 of the NHS Counter Fraud Authority (Establishment, Constitution and Staff and Other Transfer Provisions) Order 2017 . NHSCFA has further duties under Part 10 of the NHS Act 2006 and the Health and Social Care Act 2012.

Operational work undertaken by NHSCFA is carried out under Article 6, para (e) and Article 9(2) paras (f) and/or (g) UK GDPR, in respect of special category data.

The processing of special category personal data and criminal convictions is carried out under Schedule 1 Paragraph 6 (statutory etc and government purposes) and Paragraph 10 (preventing or detecting unlawful acts) of the DPA, providing processing of personal data for substantial public interest.

Additional conditions apply under Schedule 8 where NHSCFA is undertaking sensitive processing for lawful enforcement purposes under Part 3 of the DPA.

GPhC statutory function and legal basis for processing.

The statutory duties and powers of the GPhC are set out in Article 49 of the Pharmacy Order 2010.

The GPhC will share personal data with NHSCFA under this ISA when the conditions set out in Article 6(1)(e) of the GDPR are met.

The GPhC will share special category data when one of the additional conditions under Article 9(2)(g) of the UK GDPR is met in addition to Schedule 1, Paragraph 6 (statutory etc and government purposes) and Paragraph 11 (protecting the public against dishonesty etc..) of the DPA (2018).

Data Security

The GPhC and NHSCFA are registered with the Information Commissioner’s Office on the Data Protection Register :

As data controllers the parties are expected to treat all information in accordance with the UK GDPR and the DPA and ensure that security is in place sufficient to protect the information from unauthorised access. This includes physical security, such as adhering to organisational clear desk policies and adequate protection for premises when unattended, to IT related security such as passwords, secure IDs and secure servers.

It is understood that the parties may have differing security needs, however it is important that all reasonable steps are made to ensure information is kept secure at all times. Each party is expected to comply with their own Information Security Policy and operating procedures and to make staff aware of their obligations in this respect.

Each party’s point of contact will ensure that their staff know, understand and will maintain the confidentiality, where appropriate, and security of the information and will ensure that anyone involved with the processing of the information is aware of the penalties of wrongful disclosure.

Due to the sensitive nature of operational work carried out by the parties, much of the information held by the parties is of a sensitive nature and is classified by central government as “Official’ or ‘Official Sensitive’. NHSCFA therefore uses the Public Services Network (PSN) in its operations and in so doing complies with the standard requirements in the code of conduct for Government Connect.

The parties must take appropriate technical and organisational measures against unauthorised or unlawful accessing or processing of information. The parties agree to take steps to prevent accidental loss, destruction or damage of information. This will include:

  • appropriate technological security measures, having regard to the state of technology available and the cost of implementing such technology, and the nature of the information being protected;
  • secure physical storage and management of non-electronic information;
  • password protected computer systems;
  • ensuring information is only held for as long as is necessary, in line with data protection obligations; and
  • appropriate security on external routes into the organisation, for example internet firewalls and secure dial-in facilities.

Access to the information will be restricted to those staff with a warranted business case. Access to information will be via restricted-access password protection and be capable of audit. The means of access to the information (such as passwords) will be kept secure.

When the parties share information electronically, it will be in a mutually compatible IT format and shared in a secure method.

Where the data to be transferred includes special category data or personal data relating to criminal convictions and offences, one of the following secure methods of transmission will be used:

  • encrypted email or file transfer;
  • a secure electronic portal;
  • encrypted portable media;
  • royal mail special delivery service or by courier.

Access and Individuals rights

Freedom of Information requests

The parties are subject to the Freedom of Information Act 2000 (FOIA). Information relating to NHS business processed by the parties is essentially public sector information; therefore this information may be subject to Freedom of Information enquiries but only by going through the parties own Freedom of Information process.

The FOIA provides individuals with a statutory right to access information held by public authorities. Members of the public have a right to be told whether information is held by a public body, and a right to have that information communicated to them, although these rights are subject to certain exemptions. This is called a Freedom of Information Request.

Requests must be put in writing. Under the Act each party is independently responsible for complying with requests in respect of the information it holds, irrespective of where the information originated from. Each party is responsible for its own compliance but there should be mutual co-operation where data has been shared between the parties.

Requests will be considered by the organisation and a decision will be made as to the legality and appropriateness of information disclosure. Any release of information will be in accordance with the law.

Data Subject Access Requests

The UK GDPR and the DPA provide individuals with a statutory right of access (subject to certain exemptions) whereby data subjects can ask to see the information that is held about them (personal data). This is called a Data Subject Access Request.

Where both parties to this ISA hold the personal data requested, there should be mutual co-operation between the parties to establish individual responsibilities.

Requests will be considered by the organisation and a decision will be made as to the legality and appropriateness of information disclosure. Any release of information will be in accordance with the law.

Information Rectification or Deletion

Under the UK GDPR a data subject has the right to request rectification or deletion of their personal data.

Where both parties to this ISA hold the personal data requested, there should be mutual co-operation between the parties to establish their responsibilities and course of action under the Act.

Complaints regarding data

Complaints from data subjects about personal or sensitive information held by the parties must be made in writing to the person or organisation originally holding the information, detailing the reasons for the complaint. Complaints will then be responded to by the organisation following their official complaints process.

Information Governance

Audit arrangements

Each party will maintain an information sharing log in respect of the ISA. The log will contain:

  • a record of information disclosed to the other party;
  • the justification of decisions to disclose or not to disclose;
  • a record of the outcome of any referral made and the outcome of the referral;
  • an access list recording the authorising officer;
  • notes of meetings between the parties;
  • a record of any review of the ISA.

The parties may be required to provide copies of any audits conducted during the period of the ISA, including any audit arrangements or implementation plans.

Ensuring data quality

The party disclosing data shall ensure that shared data is accurate. Where either party becomes aware of inaccuracies in shared data, they will inform the other party immediately.

Retention of shared data

Each party shall continue to retain information in accordance with their individual retention and disposal schedules.

In the absence of a records retention and disposal schedule, or a statutory retention period, the information shall not be retained for longer than is necessary to fulfil the agreed purposes in this ISA.

The GPhC’s corporate retention schedule is available on request

The NHSCFA’S corporate retention schedule is available on their website at:

Data Handling, Storage, Retention and Records Management Policy

Data Controller

Under the GDPR, controller means any ‘natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.’ All data controllers are required to comply with the GDPR when they process personal data.

Under the framework of this ISA, the parties are each data controllers in their own right. The GPhC is a data controller in respect of the organisation’s information, and accordingly the NHSCFA is data controller in respect of the information it holds. It is not the intention of either organisation that they will act as joint data controllers at any time of any shared data. When sharing information each organisation will retain distinct legal responsibility for the handling of information that it acquires for the purpose of its statutory functions.

Privacy Notices

Each party is responsible for providing privacy information to data subjects describing the information that may be used for the purposes outlined in this ISA and their information rights.


The parties agree to report promptly breaches of any of the terms of this ISA to the point of contact in Appendix 1 especially breaches of the security of personal data.

Dispute resolution

Any dispute between the parties will normally be resolved at an operational level. If this is not possible, it may be referred to a Senior Manager who will try to resolve the issues within 14 days of the matter being referred to them.

Unresolved disputes may be referred upwards through those responsible for operating this ISA up to and including the Chief Executive Officer or Managing Director (or equivalent), who will be jointly responsible for ensuring a mutually satisfactory resolution.


This ISA shall commence on the date of its signature by the parties and will remain in effect unless it is terminated, re-negotiated or superseded by a revised document.


At the end of one year following the commencement of this ISA, it will be formally reviewed by the parties, and will be reviewed again every 12 months. Each annual review will:

  • report on actions arising from the operation of this ISA within the preceding 12 months;
  • consider whether this ISA is still useful and fit for purpose, and make amendments where necessary;
  • refresh operational protocols where necessary;
  • identify areas for future development of the working arrangements; and
  • ensure the contact information for each organisation is accurate and up to date.


Either party may terminate or re-negotiate this ISA at any time upon giving the other party one month’s notice in writing of its intention to do so.

Upon termination of this ISA each party shall ensure that any data received under this ISA is returned to the original party that held the information or destroyed in the following circumstances:

  • on termination of this ISA for whatever reason;
  • on expiry of the term (unless extended further to the terms of this ISA);
  • once processing of the shared Personal Data is no longer necessary for the purposes it was originally shared for.

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!