Staffing and Roles
Number | Question | Mandatory? |
---|---|---|
1.1.5 | Who has responsibility for data security and protection and how has this responsibility been formally assigned? | Yes |
2.1.1 | Does your organisation have an induction process that covers data security and protection, and cyber security? | Yes |
2.2.1 | Do all employment contracts, and volunteer agreements, contain data security requirements? | Yes |
3.1.1 | Has a training needs analysis covering data security and protection, and cyber security, been completed in the last twelve months? | |
3.2.1 | Have at least 95% of staff, directors, trustees and volunteers in your organisation completed training on data security and protection, and cyber security, in the last twelve months? | |
3.4.1 | Have the people with responsibility for data security and protection received training suitable for their role? | |
4.1.1 | Does your organisation have an up to date record of staff, and volunteers if you have them, and their roles? | Yes |
Policies and Procedures
Number | Question | Mandatory? |
---|---|---|
1.1.1 | What is your organisation's Information Commissioner's Office (ICO) registration number? | Yes |
1.1.2 | Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information? | Yes |
1.1.3 | Does your organisation have a privacy notice? | Yes |
1.2.4 | Is your organisation compliant with the national data opt-out policy? | |
1.3.1 | Does your organisation have up to date policies in place for data protection and for data and cyber security? | Yes |
1.3.2 | Does your organisation monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls? | |
1.3.7 | Does your organisation's data protection policy describe how you keep personal data safe and secure? | Yes |
1.3.8 | Does your organisation's data protection policy describe how you identify and minimise risks to personal data when introducing, or changing, a process or starting a new project involving personal data? | Yes |
1.4.1 | Does your organisation have a timetable which sets out how long you retain records for? | Yes |
1.4.2 | If your organisation uses third parties to destroy records or equipment that hold personal data, is there a written contract in place that has been reviewed in the last twelve months? This contract should meet the requirements set out in data protection regulations. | Yes |
1.4.3 | If your organisation destroys any records or equipment that hold personal data, how does it make sure that this is done securely? | Yes |
10.1.2 | Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details? | Yes |
Data Security
Number | Question | Mandatory? |
---|---|---|
1.3.12 | How does your organisation make sure that paper records are safe when taken out of the building? | Yes |
1.3.13 | Briefly describe the physical controls your buildings have that prevent unauthorised access to personal data. | Yes |
5.1.1 | If your organisation has had a data breach or a near miss in the last year, has the organisation reviewed the process that may have allowed the breach to occur? | |
6.1.1 | Does your organisation have a system in place to report data breaches? | Yes |
6.1.2 | If your organisation has had a data breach, were the management team notified, and did they approve the actions planned to minimise the risk of a recurrence? | Yes |
6.1.3 | If your organisation has had a data breach, were all individuals who were affected informed? | Yes |
7.1.2 | Does your organisation have a business continuity plan that covers data and cyber security? | |
7.2.1 | How does your organisation test the data and cyber security aspects of its business continuity plan? | |
IT Systems and Devices
Number | Question | Mandatory? |
---|---|---|
1.3.11 | If staff, directors, trustees and volunteers use their own devices (e.g. phones) for work purposes, does your organisation have a bring your own device policy and is there evidence of how this policy is enforced? | Yes |
1.3.14 | What does your organisation have in place to minimise the risks if mobile phones are lost, stolen, hacked or used inappropriately? | |
4.2.4 | Does your organisation have a reliable way of removing or amending people's access to IT systems when they leave or change roles? | Yes |
4.5.4 | How does your organisation make sure that staff, directors, trustees and volunteers use good password practice? | Yes |
6.2.1 | Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date? | Yes |
6.3.2 | Have staff, directors, trustees and volunteers been advised that use of public Wi-Fi for work purposes is unsafe? | |
7.3.1 | How does your organisation make sure that there are working backups of all important data and information? | Yes |
7.3.2 | All emergency contacts are kept securely, in hardcopy and are up-to-date. | Yes |
7.3.4 | Are backups routinely tested to make sure that data and information can be restored? | |
8.1.4 | Are all the IT systems and software used in your organisation still supported by the manufacturer, or are the risks of unsupported items understood and managed? | |
8.2.1 | If your answer to 8.1.4 (on IT systems and software being supported by the manufacturer) was that software risks are being managed, please provide a document that summarises the risk of continuing to use each unsupported item, the reasons for doing so and a summary of the action your organisation is taking to minimise the risk. | |
8.3.5 | How does your organisation make sure that the latest software updates are downloaded and installed? | Yes |
9.1.1 | Does your organisation make sure that the passwords of all networking components, such as a Wi-Fi router, have been changed from their original passwords? | |
9.5.2 | Are all laptops and tablets or removable devices that hold or allow access to personal data, encrypted? | |
10.2.1 | Do your organisation's IT system suppliers have cyber security certification? | |
West Midlands Care Association, Globe House, Park Lane, Halesowen, B63 2RA
Registered in England and Wales No 04972911
© 2022 West Midlands Care Association, all rights reserved