This article is provided free of charge thanks to sponsorship by PharmCD
PharmCD is an electronic controlled drug register designed in accordance with the requirements of the Misuse of Drugs Regulations 2001.
Overview
Where an organisation is required to keep a controlled drug register under the Misuse of Drugs Regulations 2001 (“MDR 2001”), the register may be kept either as:
- a bound book, or
- a computerised system meeting the conditions set out in the MDR 2001.
The key legal question is not whether the register is electronic, but whether it meets the statutory definition and statutory requirements for a “register”.
Primary sources
- Misuse of Drugs Regulations 2001 (MDR 2001)
https://www.legislation.gov.uk/uksi/2001/3998/contents/data.html - Definition of “register” (includes computerised systems subject to endorsed best practice)
https://www.legislation.gov.uk/uksi/2001/3998/2008-02-01/data.html - Requirement for accessibility on the premises (computerised registers must be accessible from the premises)
https://www.legislation.gov.uk/uksi/2001/3998/regulation/20/2006-07-07/data.html - Retention period (preserve for 2 years from the last entry in the register)
https://www.legislation.gov.uk/uksi/2001/3998/regulation/23/data.html - Meaning of “preserved” (may be copied and kept in computerised form if in accordance with endorsed best practice)
https://www.legislation.gov.uk/uksi/2001/3998/2023-11-08/data.html - Amendment text (introduces the “attributable and auditable” requirement for computerised registers, and ties them to endorsed best practice)
https://www.legislation.gov.uk/uksi/2005/2864/pdfs/uksi_20052864_en.pdf
What makes a computerised system a lawful “CD register”
1) It must meet the statutory definition of “register”
MDR 2001 defines “register” as either a bound book or a computerised system that is in accordance with best practice guidance endorsed by the Secretary of State.
So, an “electronic CD register” is legally acceptable only if it meets that definition.
2) Entries must be attributable and auditable
The MDR 2001 amendments provide that a computerised register must be a system in which every entry is attributable and capable of being audited, and which is in accordance with endorsed best practice guidance.
This is the closest the legislation comes to “named accounts”.
What the law requires: attribution + auditability.
What the law does not explicitly prescribe: how you achieve that (e.g., it does not literally say “named user accounts”).
3) The register must be accessible from the premises
Where the register is computerised, it must be accessible from the premises to which it relates.
Practically, this means you should avoid a setup where CD register access depends on a system that is not available on-site when needed (for example, a register that can only be accessed from an off-site location).
4) Retention: preserve for at least 2 years from the last entry
All registers kept under the relevant MDR 2001 provisions must be preserved for two years from the date the last entry is made.
The MDR 2001 also explains that “preserved” can include being copied and kept in a computerised form provided that computerised form meets the same endorsed best practice standard.
Are “named user accounts” legally required?
The MDR 2001 does not use the words “named user accounts”.
However, the law does require that a computerised register ensures each entry is:
- attributable, and
- capable of being audited,
and that the system is in line with endorsed best practice guidance.
In practice, the simplest and most robust way to ensure attributability is to use unique logins per user (rather than shared accounts). But it is best described as:
a common (and often expected) method of meeting the legal requirement for attribution and auditability,
not as a separately stated statutory requirement.
What is legally required vs not required
Legally required (from primary legislation)
- Use either a bound book or a computerised system meeting the MDR 2001 definition of “register”.
- If computerised, ensure every entry is attributable and auditable, and in line with endorsed best practice.
- Ensure the computerised register is accessible from the premises.
- Preserve the register for at least two years from the last entry.
- Ensure preservation (including copies) meets the endorsed best practice standard where kept in computerised form.
