| Assertion | Evidence text - Others (Category 3) | Tool tips - Others (Category 3) |
|---|---|---|
| The organisation has a framework in place to support Lawfulness, Fairness and Transparency | What is your organisation's Information Commissioner's Office (ICO) registration number? | Registration with the ICO is a legal requirement for every organisation that uses or shares personal information, unless it is exempt (for example, as a small charity). If your organisation is not already registered, you should register as a matter of urgency.<br>You can check whether you are registered, and find your ICO registration number, on the Information Commissioner's Office website. |
| The organisation has a framework in place to support Lawfulness, Fairness and Transparency | Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information? | To be compliant with data protection legislation you must keep a register of all of the information your organisation stores, shares and receives. The exact information you should include is explained in detail in the guidance below.<br>This list is called an Information Asset Register (IAR) and it should detail where and how the information is held and how you keep it safe. You should also have a list, or lists, of the types of personal data that are shared with others, for example needs assessments, prescriptions, payslips and care plans. This list is called a Record of Processing Activities (ROPA) and should detail how the data is shared and how your organisation keeps it safe. You can combine these into one document, but it is also fine to keep two separate documents.<br>The register should have been reviewed and approved by the management team at least once in the last twelve months.<br>Example templates for the ROPA and IAR are available from Digital Care Hub. |
| The organisation has a framework in place to support Lawfulness, Fairness and Transparency | Does your organisation have a privacy notice? | If you use and share personal data then you must tell people what you are doing with it. This includes why you need the data, what you will do with it, who you are going to share it with, and individuals' rights under data protection legislation, for example the right to access their information.<br>This should be set out in writing in a 'privacy notice'. You should provide this information in a clear, open and honest way, using language which is easy to read and understand.<br>Your privacy notice should cover all data you process, for example data relating to the people you support and their relatives, staff, volunteers and members of the public. You may have more than one privacy notice, e.g. one for staff and another for the people you support.<br>An example privacy notice is available from Digital Care Hub. |
| The organisation has a framework in place to support Lawfulness, Fairness and Transparency | Who has responsibility for data security and protection and how has this responsibility been formally assigned? | Whilst data security and data protection are everybody's business, there must be a named person within your organisation who takes overall senior responsibility for data security and protection issues. Their responsibility is to provide senior level leadership and guidance.<br>In the text box, name the person or people within your organisation with overall responsibility for data security and protection, along with their roles. Then, for each person, describe how this responsibility has been formally assigned to them. For instance, this responsibility could form part of their job description, be noted in the minutes of a management meeting, or be set out in an email from the appropriate director in your organisation. Your organisation may also have additional specialised roles, for example a Data Protection Officer or a Caldicott Guardian.<br>You can read more about data security and protection responsibilities and specialised roles on the Digital Care Hub. |
| The organisation has a framework in place to support Lawfulness, Fairness and Transparency | Your organisation has reviewed how it asks for, and records, consent to share personal data. | Generally, consent under data protection law is not appropriate in health and care settings, but there are some circumstances where it may be necessary, such as for mailing lists. Further guidance on consent under data protection legislation is available on the ICO website.<br>Consent under the common law duty of confidentiality, however, is more frequently applicable. For example, an individual must provide their consent to share information with their carer. Provide details of your processes for gaining this consent in the comments. |
| Individuals' rights are respected and supported | Is your organisation compliant with the national data opt-out policy? | The national data opt-out gives everyone the ability to stop health and social care organisations from sharing their confidential information for research and planning purposes, with some exceptions, such as where there is a legal mandate or direction, or an overriding public interest (for example, to help manage the COVID-19 pandemic).<br>As a provider, you should help the people who use your services to understand that they can opt out of their data being used for these other purposes. You should check that your policies, procedures and privacy notice cover the opt-out.<br>From July 2022, it is a legal requirement for all CQC registered health and social care organisations to be compliant with the national data opt-out.<br>More detailed guidance on compliance with the national data opt-out policy is available from NHS England and Digital Care Hub. |
| Accountability and Governance in place for data protection and data security | Does your organisation have up to date policies in place for data protection and for data and cyber security? | You should have policies and staff guidance in place that communicate your organisation's principles and procedures for:<br>- data protection<br>- data quality<br>- record keeping<br>- data security<br>- where relevant, network security<br>These should be reviewed and updated at least every three years, and you should keep local evidence of when each update was made.<br>Policy templates are available from Digital Care Hub. |
| Accountability and Governance in place for data protection and data security | Does your organisation monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls? | Your organisation should carry out spot checks that staff are doing what it says in your data protection, staff confidentiality and related policies. These should be undertaken at least every year. They could be part of other audits that you carry out.<br>You should keep a record that spot checks have been carried out, including details of any actions, who has approved the actions, and who is taking them forward if applicable.<br>There is an example audit checklist that you can download from Digital Care Hub. |
| Accountability and Governance in place for data protection and data security | What are the top three data and cyber security risks in your organisation and how does your organisation plan to reduce those risks? | All organisations have risks and should be able to identify what they are. Thinking about your responses to all of the questions in the toolkit, consider which three areas carry the most risk for your organisation.<br>Provide a brief headline for each risk and say what your organisation plans to do to reduce that risk. |
| Accountability and Governance in place for data protection and data security | Does your organisation's data protection policy describe how you keep personal data safe and secure? | Your policy should describe how your organisation identifies and accounts for privacy and data protection issues before commencing a new project or process. This is called 'data protection by design'. This might be a new data sharing initiative, for example becoming part of a shared care record, setting up a new care record system, or using personal data for a new purpose such as research.<br>Your policy should also explain how your organisation only collects, uses and shares the minimum amount of data necessary for the purpose; how you ensure that data is only available to those who need it; how you store data only for as long as is needed; and how you let people know what you are doing with their data. This is called 'data protection by default'.<br>There is guidance on data protection by design and by default on the ICO's website. The Data Protection Policy template that is available from Digital Care Hub covers this subject. |
| Accountability and Governance in place for data protection and data security | Does your organisation's data protection policy describe how you identify and minimise risks to personal data when introducing, or changing, a process or starting a new project involving personal data? | Your policy should describe the process that your organisation has in place to make sure that it systematically identifies and minimises the data protection risks of any new project or plan that involves processing personal data. For example, when you introduce a new care recording system; if you install CCTV; if you use new remote care or monitoring technology; or if you share data for research or marketing purposes.<br>This type of risk assessment is called a Data Protection Impact Assessment (DPIA). Your organisation should consider whether it needs to carry out a DPIA at the early stages of any new project if it plans to process personal data. A DPIA should follow relevant guidance from the Information Commissioner's Office (ICO). The Data Protection Policy template that is available from [Digital Care Hub](https://www.digitalcarehub.co.uk/resource/data-protection-policy-template/) covers this subject. |
| Accountability and Governance in place for data protection and data security | If staff, directors, trustees and volunteers use their own devices (e.g. phones) for work purposes, does your organisation have a bring your own device policy and is there evidence of how this policy is enforced? | The devices referred to in this question include laptops, tablets, mobile phones, CDs, USB sticks etc. This applies to use of devices whether the person is on duty or not, e.g. if they access your system(s) when not on shift. Please explain how this policy is enforced in the comments box.<br>If nobody uses their own devices, then tick and write "Not applicable" in the comments box.<br>A template Bring Your Own Device (BYOD) policy, and examples of how this policy might be enforced, are available from Digital Care Hub. |
| Accountability and Governance in place for data protection and data security | How does your organisation make sure that paper records are safe when taken out of the building? | Paper records may be taken out of your organisation's building(s), for example for hospital appointments or visits to people's homes. Leaving documents in cars, for instance, can be risky. How does your organisation make sure paper records are kept safe when 'on the move'?<br>If you do not have any paper records, or do not take them off site, write "Not applicable" in the text box. |
| Accountability and Governance in place for data protection and data security | Briefly describe the physical controls your buildings have that prevent unauthorised access to personal data. | Physical controls that support data protection include lockable doors, windows and cupboards, a clear desk procedure, security badges, key coded locks to access secure areas, etc.<br>Provide details at a high level and, if you use more than one building, summarise how compliance is assured across your organisation's sites. |
| Accountability and Governance in place for data protection and data security | What does your organisation have in place to minimise the risks if mobile phones are lost, stolen, hacked or used inappropriately? | Smartphones are especially vulnerable to being lost or stolen. What has your organisation put in place to protect them and prevent unauthorised access? For example, is a PIN, fingerprint or facial scan required to unlock the device? Is there an app set up to track the location of a lost or stolen smartphone and 'wipe' its contents remotely? You may need to ask your IT supplier to assist with answering this question.<br>If your organisation does not use any mobile phones, write "Not applicable" in the text box. Guidance is available from Digital Care Hub. |
| Records are maintained appropriately | Does your organisation have a timetable which sets out how long you retain records for? | Your organisation should have a retention timetable in place for all the different types of records that it holds, including finance, staffing and care records. The timetable, or schedule as it is sometimes called, should be based on the Records Management Code of Practice 2021. |
| Records are maintained appropriately | If your organisation uses third parties to destroy records or equipment that hold personal data, is there a written contract in place that has been reviewed in the last twelve months? This contract should meet the requirements set out in data protection regulations. | It is important that, when there is no longer a valid reason to keep personal data, it is disposed of securely. This applies to paper documents, electronic records and equipment, such as old computers and laptops, mobile phones, CDs and memory sticks.<br>If your organisation uses a contractor to destroy any records or equipment, such as a document shredding company or an IT recycling organisation, then the contract(s) or other written confirmation with third parties must include the requirement to have appropriate security measures and the facility to allow audit by your organisation. Further information about the destruction of records is in chapter 5 of the Records Management Code of Practice.<br>If you do not use third parties to destroy records or equipment, then write "Not applicable" in the text box. Advice on contracts for secure disposal of personal data is available from Digital Care Hub. |
| Records are maintained appropriately | If your organisation destroys any records or equipment that hold personal data, how does it make sure that this is done securely? | It is important that, when there is no longer a valid reason to keep personal data, it is disposed of securely. This applies to paper documents, electronic records and equipment, such as old computers and laptops, mobile phones, CDs and memory sticks. If anyone in your organisation destroys any records or equipment themselves, such as by shredding documents, briefly describe how the organisation makes sure that this is done securely.<br>If you do not destroy records or equipment yourselves, or only use a third party to do so, write "Not applicable" in the text box.<br>Digital Care Hub has a Record Keeping policy that has details on the safe destruction of personal data. |
| Staff are supported in understanding their obligations under the National Data Guardian's Data Security Standards | Does your organisation have an induction process that covers data security and protection, and cyber security? | All new staff, directors, trustees and volunteers who have access to personal data should have an induction that covers data security and protection as well as cyber security. It is good practice to keep records of who has been inducted and to review the induction process on a regular basis to ensure it is effective and up to date.<br>Digital Care Hub provides a free Data Security and Protection elearning training course that organisations can use as part of their staff induction. |
| Staff contracts set out responsibilities for data security | Do all employment contracts, and volunteer agreements, contain data security requirements? | Clauses in contracts or agreements should reference data security (confidentiality, integrity and availability). Many contracts commonly focus on just confidentiality.<br>Your organisation's staff employment contracts, and volunteer and trustee agreements if you have them, should be reviewed to see if they need to be updated to include a clause on data security.<br>There is an example staff contract clause available from Digital Care Hub. |
| Staff have appropriate understanding of information governance and cyber security, with an effective range of | Has a training needs analysis covering data security and protection, and cyber security, been completed in the last twelve months? | A training needs analysis is a process which helps identify the data security and protection, and cyber security, training and development needs across your organisation. Your organisation's training needs analysis should identify the level of training or awareness raising required by your staff, directors, trustees and volunteers, if you have them.<br>It should be reviewed and/or approved annually by the person(s) with overall responsibility for data security and protection within your organisation, and a copy should be uploaded or the location of the plan recorded.<br>An example training needs analysis is available to download from Digital Care Hub. |
| Your organisation engages proactively and widely to improve information governance and cyber security, and has an open and just culture for information incidents. | Have at least 95% of staff, directors, trustees and volunteers in your organisation completed training on data security and protection, and cyber security, in the last twelve months? | All people in your organisation with access to personal data must complete appropriate data security and protection, and cyber security, training every year. Your organisation's training needs analysis should identify the level of training or awareness raising that people need.<br>There is an understanding that, due to illness, maternity/paternity leave, attrition or other reasons, it might not be possible for 100% of people to receive training every year. Therefore, the target is 95% of people with access to personal data. For clarity, the period counted is the twelve months immediately before the date of publication.<br>Digital Care Hub provides a free Data Security and Protection elearning training course that meets this requirement for staff working in adult social care. |
| Staff with specialist roles receive data security and protection training suitable to their role | Provide details of any specialist data security and protection training undertaken. | Give details of any additional training identified by your data security training needs analysis, for example for staff in roles such as Caldicott Guardian, informatics (IT and information areas), medical records, clinical coding and information governance (including privacy, confidentiality and data protection). |
| Leaders and board members receive suitable data protection and security training | Have the people with responsibility for data security and protection received training suitable for their role? | It is likely that the person or people within your organisation who are responsible for data security and protection will need additional and more in-depth training than the majority of your staff. Your organisation's training needs analysis should identify any additional training required by people with increased data security and protection responsibilities or specialist roles, for example a Data Protection Officer (DPO). |
| The organisation maintains a current record of staff and their roles | Does your organisation have an up to date record of staff, and volunteers if you have them, and their roles? | Your organisation must have a list of all staff, and volunteers if you have them, and their current role. This list should be kept up to date, including any change of role, new starters and removal of leavers. This might be linked to your existing payroll or rostering system. |