List of Toolkit Questions (23/24)

Staffing and Roles

| Number | Question | Mandatory? |
|---|---|---|
| 1.1.5 | Who has responsibility for data security and protection, and how has this responsibility been formally assigned? | Yes |
| 2.1.1 | Does your organisation have an induction process that covers data security and protection, and cyber security? | Yes |
| 2.2.1 | Do all employment contracts, and volunteer agreements, contain data security requirements? | Yes |
| 3.1.1 | Has a training needs analysis covering data security and protection, and cyber security, been completed in the last twelve months? | |
| 3.2.1 | Have at least 95% of staff, directors, trustees and volunteers in your organisation completed training on data security and protection, and cyber security, in the last twelve months? | |
| 3.4.1 | Have the people with responsibility for data security and protection received training suitable for their role? | |
| 4.1.1 | Does your organisation have an up-to-date record of staff, and volunteers if you have them, and their roles? | Yes |

Policies and Procedures

| Number | Question | Mandatory? |
|---|---|---|
| 1.1.1 | What is your organisation's Information Commissioner's Office (ICO) registration number? | Yes |
| 1.1.2 | Does your organisation have an up-to-date list of the ways in which it holds and shares different types of personal and sensitive information? | Yes |
| 1.1.3 | Does your organisation have a privacy notice? | Yes |
| 1.2.4 | Is your organisation compliant with the national data opt-out policy? | |
| 1.3.1 | Does your organisation have up-to-date policies in place for data protection and for data and cyber security? | Yes |
| 1.3.2 | Does your organisation monitor its own compliance with data protection policies and regularly review the effectiveness of data handling and security controls? | |
| 1.3.7 | Does your organisation's data protection policy describe how you keep personal data safe and secure? | Yes |
| 1.3.8 | Does your organisation's data protection policy describe how you identify and minimise risks to personal data when introducing or changing a process, or starting a new project, involving personal data? | Yes |
| 1.4.1 | Does your organisation have a timetable which sets out how long you retain records for? | Yes |
| 1.4.2 | If your organisation uses third parties to destroy records or equipment that hold personal data, is there a written contract in place that has been reviewed in the last twelve months? This contract should meet the requirements set out in data protection regulations. | Yes |
| 1.4.3 | If your organisation destroys any records or equipment that hold personal data, how does it make sure that this is done securely? | Yes |
| 10.1.2 | Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details? | Yes |

Data Security

| Number | Question | Mandatory? |
|---|---|---|
| 1.3.12 | How does your organisation make sure that paper records are safe when taken out of the building? | Yes |
| 1.3.13 | Briefly describe the physical controls your buildings have that prevent unauthorised access to personal data. | Yes |
| 5.1.1 | If your organisation has had a data breach or a near miss in the last year, has the organisation reviewed the process that may have allowed the breach to occur? | |
| 6.1.1 | Does your organisation have a system in place to report data breaches? | Yes |
| 6.1.2 | If your organisation has had a data breach, were the management team notified, and did they approve the actions planned to minimise the risk of a recurrence? | Yes |
| 6.1.3 | If your organisation has had a data breach, were all individuals who were affected informed? | Yes |
| 7.1.2 | Does your organisation have a business continuity plan that covers data and cyber security? | |
| 7.2.1 | How does your organisation test the data and cyber security aspects of its business continuity plan? | |

IT Systems and Devices

| Number | Question | Mandatory? |
|---|---|---|
| 1.3.11 | If staff, directors, trustees and volunteers use their own devices (e.g. phones) for work purposes, does your organisation have a bring-your-own-device policy, and is there evidence of how this policy is enforced? | Yes |
| 1.3.14 | What does your organisation have in place to minimise the risks if mobile phones are lost, stolen, hacked or used inappropriately? | |
| 4.2.4 | Does your organisation have a reliable way of removing or amending people's access to IT systems when they leave or change roles? | Yes |
| 4.5.4 | How does your organisation make sure that staff, directors, trustees and volunteers use good password practice? | Yes |
| 6.2.1 | Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date? | Yes |
| 6.3.2 | Have staff, directors, trustees and volunteers been advised that use of public Wi-Fi for work purposes is unsafe? | |
| 7.3.1 | How does your organisation make sure that there are working backups of all important data and information? | Yes |
| 7.3.2 | All emergency contacts are kept securely, in hard copy, and are up to date. | Yes |
| 7.3.4 | Are backups routinely tested to make sure that data and information can be restored? | |
| 8.1.4 | Are all the IT systems and the software used in your organisation still supported by the manufacturer, or are the risks understood and managed? | |
| 8.2.1 | If your answer to 8.1.4 (on IT systems and software being supported by the manufacturer) was that software risks are being managed, please provide a document that summarises the risk of continuing to use each unsupported item, the reasons for doing so, and a summary of the action your organisation is taking to minimise the risk. | |
| 8.3.5 | How does your organisation make sure that the latest software updates are downloaded and installed? | Yes |
| 9.1.1 | Does your organisation make sure that the passwords of all networking components, such as a Wi-Fi router, have been changed from their original passwords? | |
| 9.5.2 | Are all laptops, tablets and removable devices that hold or allow access to personal data encrypted? | |
| 10.2.1 | Do your organisation's IT system suppliers have cyber security certification? | |