Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on ‘IT systems and devices’ for adult social care providers.
We have grouped the questions into three topics: Managing mobile devices; Passwords, back-ups and access; and Systems and software.
Managing mobile devices
1.3.11 If staff, directors, trustees and volunteers use their own devices (e.g. phones) for work purposes, does your organisation have a bring your own device policy and is there evidence of how this policy is enforced?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
The devices referred to in this question include laptops, tablets, mobile phones, CDs, USB sticks etc. This applies to use of devices whether the person is on duty or not, e.g. if they access your system(s) when not on shift. Please upload your Bring Your Own Device policy and any associated guidance, and evidence of how this policy is enforced.
If nobody uses their own devices, then tick and write “Not applicable” in the comments box.
Additional information
A template Bring Your Own Device (BYOD) policy, and examples of how this policy might be enforced, are available.
1.3.14 What does your organisation have in place to minimise the risks if mobile phones are lost, stolen, hacked or used inappropriately?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Smartphones are especially vulnerable to being lost or stolen. What has your organisation put in place to protect them and prevent unauthorised access? E.g. is a PIN, fingerprint or facial scan required to unlock them? Is there an app set up to track the location of a lost/stolen smartphone and ‘wipe’ its contents remotely? You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any mobile phones, write “Not applicable” in the text box.
6.3.2 Have staff, directors, trustees and volunteers been advised that use of public Wi-Fi for work purposes is unsafe?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Use of public Wi-Fi (e.g. Wi-Fi freely available at cafes, train stations etc.) or unsecured Wi-Fi (Wi-Fi where no password is required to access it) could be unsafe and lead to unauthorised access to personal data. Staff, directors, trustees and volunteers (if you have them) should be advised of this.
If nobody uses mobile devices for work purposes out of your building/offices, then tick and write “Not applicable” in the comments box.
9.5.2 Are all laptops and tablets or removable devices that hold or allow access to personal data, encrypted?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Mobile computers like laptops and tablets and removable devices like memory sticks/cards/CDs are vulnerable as they can be lost or stolen. To make these devices especially difficult to get into, they can be encrypted (this protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people). Devices can be further protected, for example, by preventing the use of removable devices like memory sticks. This is called computer port control. You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any mobile devices, or equivalent security arrangements are in place, then tick and write “Not applicable” in the comments box.
Additional information
Advice on encrypting mobile devices and equivalent security arrangements is available.
Passwords, back-ups and access
4.2.4 Does your organisation have a reliable way of removing or amending people’s access to IT systems when they leave or change roles?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
When people change roles or leave your organisation, there needs to be a reliable way to amend or remove their access to your IT system(s). This could be by periodic audit to make sure that people’s access rights are at the right level. It is important that leavers who had access to personal data have their access rights revoked in line with your policies and procedures. This includes access to shared email addresses.
If your organisation does not use any IT systems, then tick and write “Not applicable” in the comments box.
4.5.3 Multi-factor authentication is enforced on all remotely accessible user accounts on all systems, with exceptions only as approved by your board or equivalent senior management. (NEW FOR DSPT 2024-25)
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Multi-factor authentication (MFA) is widely recognised as one of the most effective ways to protect data and accounts from unauthorised access.
If you require any exceptions, you must include a summary of your internal approvals in the comments.
Additional information
Information about how to implement MFA is available.
4.5.4 How does your organisation make sure that staff, directors, trustees and volunteers use good password practice?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
If your organisation has any IT systems or computers, it should provide advice for setting and managing passwords. Each person should have their own password to access the computer, laptop or tablet that they are using and a separate password for other systems. These passwords should be ‘strong’ i.e. hard to guess.
This could be enforced through technical controls, e.g. your system(s) requiring a minimum number of characters or a mixture of letters and numbers in a password.
If your organisation does not use any IT systems, computers or other devices, write “Not applicable” in the text box.
Additional information
Information about good password practice is available.
9.1.1 Does your organisation make sure that the passwords of all networking components, such as a Wi-Fi router, have been changed from their original passwords?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Networking components include routers, switches, hubs and firewalls at all of your organisation’s locations. Your organisation may just have a Wi-Fi router. This does not apply to Wi-Fi routers for people working from home. You may need to ask your IT supplier to assist with answering this question.
If your organisation does not have a network or internet access, then tick and write “Not applicable” in the comments box.
7.3.1 How does your organisation make sure that there are working backups of all important data and information?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
It is important to make sure that backups are being done regularly, that they are successful and that they include the right files and systems. Briefly explain how your organisation’s backup systems work and how you have tested them.
You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any computers or IT systems, write “Not applicable” in the text box.
Additional information
Advice about backups is available.
7.3.4 Are backups routinely tested to make sure that data and information can be restored?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
It is important that your organisation’s backups are tested at least annually to make sure data and information can be restored (in the event of equipment breakdown for example). You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any computers or IT systems, then tick and write “Not applicable” in the comments box.
Systems and software
6.2.1 Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
This applies to all servers, desktop computers, laptop computers, and tablets. Note that antivirus software and antimalware software are the same thing – they both perform the same functions. You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any computers or other devices, then tick and write “Not applicable” in the comments box.
Additional information
Further information on anti-virus software is available.
8.1.4 Are all the IT systems and the software used in your organisation still supported by the manufacturer, or are the risks understood and managed?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Systems and software that are no longer supported by the manufacturer can be unsafe as they are no longer being updated to protect against viruses for example. You may need to ask your IT supplier to assist with answering this question.
Examples of unsupported software include: Windows XP, Windows Vista, Windows 7, Windows 8.1, Java or Windows Server 2008. Windows 11 is supported and is the most up-to-date version of Windows. This question also applies to software systems such as rostering, care planning or electronic medicine administration record (MAR) charts, for example.
If your organisation does not use any IT systems or software, then tick and write “Not applicable” in the comments box. For guidance (including information on how to check which software versions you have), see Digital Care Hub.
Additional information
Guidance (including information on how to check which software versions you have) is available from Digital Care Hub.
8.2.1 If your answer to 8.1.4 (on IT systems and software being supported by the manufacturer) was that software risks are being managed, please provide a document that summarises the risk of continuing to use each unsupported item, the reasons for doing so and a summary of the action your organisation is taking to minimise the risk.
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
This is a conscious decision to accept and manage the associated risks of unsupported systems. This document should indicate that your board or management team have formally considered the risks of continuing to use unsupported items and have concluded that the risks are acceptable.
If your answer to the previous question was yes, write “Not applicable” in “Enter text describing document location”.
8.3.5 How does your organisation make sure that the latest software updates are downloaded and installed?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
It is important that your organisation’s IT system(s) and devices have the latest software and application updates installed. Most software can be set to apply automatic updates when they become available from the manufacturer. You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any IT systems, devices or software, write “Not applicable” in the text box.
Additional information
Further information is available.