List of Toolkit Questions (24/25)

Staffing and Roles

Number | Question | Mandatory? |
---|---|---|
1.1.5 | Who has responsibility for data security and protection and how has this responsibility been formally assigned? | Yes |
2.1.1 | Does your organisation have an induction process that covers data security and protection, and cyber security? | Yes |
2.2.1 | Do all employment contracts, and volunteer agreements, contain data security requirements? | Yes |
3.1.1 | Has a training needs analysis covering data security and protection, and cyber security, been completed in the last twelve months? | Yes |
3.2.1 | Have at least 95% of staff, directors, trustees and volunteers in your organisation completed training on data security and protection, and cyber security, in the last twelve months? | |
3.3.1 | Provide details of any specialist data security and protection training undertaken. | Yes |
3.4.1 | Have the people with responsibility for data security and protection received training suitable for their role? | Yes |
4.1.1 | Does your organisation have an up to date record of staff, and volunteers if you have them, and their roles? | Yes |

Policies and Procedures

Number | Question | Mandatory? |
---|---|---|
1.1.1 | What is your organisation's Information Commissioner's Office (ICO) registration number? | Yes |
1.1.2 | Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information? | Yes |
1.1.3 | Does your organisation have a privacy notice? | Yes |
1.1.6 | Your organisation has reviewed how it asks for, and records, consent to share personal data. | |
1.2.4 | Is your organisation compliant with the national data opt-out policy? | Yes |
1.3.1 | Does your organisation have up to date policies in place for data protection and for data and cyber security? | Yes |
1.3.2 | Does your organisation monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls? | Yes |
1.3.7 | Does your organisation's data protection policy describe how you keep personal data safe and secure? | Yes |
1.3.8 | Does your organisation's data protection policy describe how you identify and minimise risks to personal data when introducing, or changing, a process or starting a new project involving personal data? | Yes |
1.4.1 | Does your organisation have a timetable which sets out how long you retain records for? | Yes |
1.4.2 | If your organisation uses third parties to destroy records or equipment that hold personal data, is there a written contract in place that has been reviewed in the last twelve months? This contract should meet the requirements set out in data protection regulations. | Yes |
1.4.3 | If your organisation destroys any records or equipment that hold personal data, how does it make sure that this is done securely? | Yes |
10.1.2 | Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details? | Yes |
10.2.2 | Contracts with all third parties that handle personal information are compliant with ICO guidance. | |
10.2.5 | All suppliers that process or have access to health or care personal confidential information have completed a Data Security and Protection Toolkit, or equivalent. | |

Data Security

Number | Question | Mandatory? |
---|---|---|
1.3.6 | What are the top three data and cyber security risks in your organisation and how does your organisation plan to reduce those risks? | |
1.3.12 | How does your organisation make sure that paper records are safe when taken out of the building? | Yes |
1.3.13 | Briefly describe the physical controls your buildings have that prevent unauthorised access to personal data. | Yes |
5.1.1 | If your organisation has had a data breach or a near miss in the last year, has the organisation reviewed the process that may have allowed the breach to occur? | Yes |
5.2.1 | Are the actions to address problem processes being monitored, and assurance given to the senior team? | |
6.1.1 | Does your organisation have a system in place to report data breaches? | Yes |
6.1.2 | If your organisation has had a data breach, were the management team notified, and did they approve the actions planned to minimise the risk of a recurrence? | Yes |
6.1.3 | If your organisation has had a data breach, were all individuals who were affected informed? | Yes |
6.3.1 | If you have had a data security incident, was it caused by a known vulnerability? | |
6.3.5 | Have you had any repeat data security incidents within the organisation during the past twelve months? | |
7.1.1 | Organisations understand the health and care services they provide. | |
7.1.2 | Does your organisation have a business continuity plan that covers data and cyber security? | Yes |
7.1.3 | You understand the resources and information that will be needed if there is a data security incident and arrangements are in place to make these resources available. | |
7.2.1 | How does your organisation test the data and cyber security aspects of its business continuity plan? | Yes |
7.2.2 | From the business continuity exercise, explain what issues and actions were documented, with names of actionees listed against each item. | |
10.3.1 | List of data security incidents - past or present - with current suppliers who handle personal information. | |

IT Systems and Devices

Number | Question | Mandatory? |
---|---|---|
1.3.11 | If staff, directors, trustees and volunteers use their own devices (e.g. phones) for work purposes, does your organisation have a bring your own device policy and is there evidence of how this policy is enforced? | Yes |
1.3.14 | What does your organisation have in place to minimise the risks if mobile phones are lost, stolen, hacked or used inappropriately? | Yes |
10.2.1 | Do your organisation's IT system suppliers have cyber security certification? | Yes |
4.2.2 | Provide a summary of data security incidents in the last 12 months caused by a mismatch between user role and system accesses granted. | |
4.2.4 | Does your organisation have a reliable way of removing or amending people's access to IT systems when they leave or change roles? | Yes |
4.3.1 | Have all the administrators of your organisation's IT system(s) signed an agreement to hold them accountable to higher standards? | |
4.3.3 | Have all staff been notified that their system use could be monitored? | |
4.4.1 | The person with responsibility for IT confirms that IT administrator activities are logged and those logs are only accessible to appropriate personnel. | |
4.5.3 | Multi-factor authentication is enforced on all remotely accessible user accounts on all systems, with exceptions only as approved by your board or equivalent senior management. | Yes |
4.5.4 | How does your organisation make sure that staff, directors, trustees and volunteers use good password practice? | Yes |
6.2.1 | Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date? | Yes |
6.2.6 | Number of phishing emails reported by staff per month. | |
6.3.2 | Have staff, directors, trustees and volunteers been advised that use of public Wi-Fi for work purposes is unsafe? | Yes |
7.3.1 | How does your organisation make sure that there are working backups of all important data and information? | Yes |
7.3.2 | All emergency contacts are kept securely, in hardcopy and are up-to-date. | Yes |
7.3.4 | Are backups routinely tested to make sure that data and information can be restored? | Yes |
7.3.6 | Are your backups kept separate from your network ('offline'), or in a cloud service designed for this purpose? | |
8.1.2 | Does the organisation track and record all end user devices and removable media assets? | |
8.1.4 | Are all the IT systems and the software used in your organisation still supported by the manufacturer, or are the risks understood and managed? | Yes |
8.2.1 | If your answer to 8.1.4 (on IT systems and software being supported by the manufacturer) was that software risks are being managed, please provide a document that summarises the risk of continuing to use each unsupported item, the reasons for doing so and a summary of the action your organisation is taking to minimise the risk. | Yes |
8.3.2 | How often, in days, is automatic patching typically being pushed out to remote endpoints? | |
8.3.5 | How does your organisation make sure that the latest software updates are downloaded and installed? | Yes |
8.4.1 | Is all your infrastructure protected from common cyber-attacks through secure configuration and patching? | |
8.4.2 | All infrastructure is running operating systems and software packages that are patched regularly, and as a minimum in vendor support. | |
8.4.3 | You maintain a current understanding of the exposure of your hardware and software to publicly-known vulnerabilities. | |
9.1.1 | Does your organisation make sure that the passwords of all networking components, such as a Wi-Fi router, have been changed from their original passwords? | Yes |
9.2.1 | The annual IT penetration testing is scoped in negotiation between the Board/person with delegated responsibility for data security, business and testing team, including a vulnerability scan and checking that all networking components have had their default passwords changed to a high strength password. | |
9.2.3 | The person responsible for IT has reviewed the results of latest penetration testing, with an action plan for its findings. | |
9.3.1 | All web applications are protected and not susceptible to common security vulnerabilities, such as described in the top ten Open Web Application Security Project (OWASP) vulnerabilities. | |