Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on ‘Policies and Procedures’ for adult social care providers.
There are four groups of questions to answer. Click to scroll down to tips on answering questions about:
Data protection policies and privacy notices
Documenting personal information
Suppliers
Document retention and disposal
Data protection policies and privacy notices
1.1.3 Does your organisation have a privacy notice(s)?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
If you use and share personal data then you must tell people what you are doing with it. This includes why you need the data, what you will do with it, who you are going to share it with, and individuals' rights under data protection legislation, for example the right to access their information.
This should be set out in writing in a privacy notice. You should provide this information in a clear, open and honest way, using language which is easy to read and understand. Your privacy notice should cover all the personal data you process, for example data relating to the people you support and their relatives, staff, volunteers and members of the public. You may have more than one privacy notice, for example one for staff and another for the people you support.
Additional information
You can download and adapt this Template Privacy Notice.
1.2.4 Is your organisation compliant with the national data opt-out policy?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
The national data opt-out gives everyone the ability to stop health and social care organisations from sharing their confidential information for research and planning purposes, with some exceptions, such as where there is a legal mandate or direction, or an overriding public interest, for example to help manage the COVID-19 pandemic.
As a provider, you should help the people who use your services to understand that they can opt out of their data being used for these other purposes. You should check that your policies, procedures and privacy notice cover the opt-out.
From July 2022, it is a legal requirement for all CQC-registered health and social care organisations to be compliant with the national data opt-out.
Additional information
More detailed guidance that gives advice about compliance with the national data opt-out policy is available from NHS England and Digital Care Hub.
1.3.1 Does your organisation have up to date policies in place for data protection and for data and cyber security?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
You should have policies and staff guidance in place that communicate your organisation's principles and procedures for:
- data protection
- data quality
- record keeping
- data security
- where relevant, network security
These should be reviewed and updated at least every three years, and you should keep local evidence of when each update was made.
Additional information
Policy templates are available.
1.3.2 Does your organisation monitor your own compliance with data protection policies and regularly review the effectiveness of data handling and security controls?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Your organisation should carry out spot checks that staff are doing what it says in your data protection, staff confidentiality and related policies. These should be undertaken at least once a year. They could form part of other audits that you carry out.
You should keep a record that spot checks have been carried out, including details of any actions, who has approved the actions, and who is taking them forward if applicable.
Additional information
There is an example audit checklist that you can download.
1.3.7 Does your organisation’s data protection policy describe how you keep personal data safe and secure?
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Tool Tip
Your policy should describe how your organisation identifies and accounts for privacy and data protection issues before commencing a new project or process. This is called ‘data protection by design’. This might be a new data sharing initiative, for example becoming part of a shared care record, setting up a new care record system, or using personal data for a new purpose such as research.
Your policy should also explain how your organisation only collects, uses and shares the minimum amount of data necessary for the purpose; how you ensure that data is only available to those who need it; how you store data only for as long as is needed; and how you let people know what you are doing with their data. This is called ‘data protection by default’.
Additional information
There is guidance on data protection by design and by default on the ICO’s website. Our Data Protection Policy template covers this subject.
1.3.8 Does your organisation’s data protection policy describe how you identify and minimise risks to personal data when introducing, or changing, a process or starting a new project involving personal data?
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Tool Tip
Your policy should describe the process that your organisation has in place to make sure that it systematically identifies and minimises the data protection risks of any new project or plan that involves processing personal data. For example, when you introduce a new care recording system; if you install CCTV; if you use new remote care or monitoring technology; if you share data for research or marketing purposes.
This type of risk assessment is called a Data Protection Impact Assessment (DPIA). Your organisation should consider whether it needs to carry out a DPIA at the early stages of any new project if it plans to process personal data. A DPIA should follow relevant guidance from the Information Commissioner’s Office (ICO).
Documenting personal information
1.1.1 What is your organisation’s Information Commissioner’s Office (ICO) registration number?
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Tool Tip
Registration with the ICO is a legal requirement for every organisation that uses or shares personal information, unless an exemption applies (for example, for some small charities). If your organisation is not already registered, you should register as a matter of urgency.
Additional information
You can check whether you are registered and what your ICO registration number is on the Information Commissioner’s Office website.
1.1.2 Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information?
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Tool Tip
To be compliant with data protection legislation you must keep a register of all of the information your organisation stores, shares and receives. The exact information you should include is explained in detail in the guidance below.
This list is called an Information Asset Register (IAR) and it should detail where and how the information is held and how you keep it safe. You should also have a list or lists of the types of personal data that are shared with others, for example needs assessments, prescriptions, payslips, care plans. This list is called a Record of Processing Activities (ROPA) and should detail how the data is shared and how your organisation keeps it safe. You can combine these into one document, but it is fine to have two separate documents.
The register should have been reviewed and approved by the management team at least once in the last twelve months.
Additional information
Access guidance and templates for the ROPA and IAR.
Suppliers
10.1.2 Does your organisation have a list of suppliers that handle personal information, the products and services they deliver, and their contact details?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
Your organisation should have a list or lists of the external suppliers that handle personal information, such as IT or care planning system suppliers, IT support, accountancy, DBS checks, and HR and payroll services, showing the system or services provided.
If you have no such suppliers, then tick and write “Not applicable” in the comments box.
Additional information
Find guidance and a template for listing your external suppliers here.
10.2.1 Do your organisation’s IT system suppliers have cyber security certification?
You must answer this question to reach: Standards Met and Standards Exceeded
Tool Tip
Your organisation should ensure that any supplier of IT systems has cyber security certification. For example, external certification such as Cyber Essentials or ISO 27001, being listed on the Digital Marketplace, or having completed this Toolkit. IT systems suppliers would include, for example, suppliers of rostering, care planning or electronic medicine administration record (MAR) chart systems.
If your organisation does not use any IT systems, then tick and write “Not applicable” in the comments box.
Additional information
Guidance on managing your suppliers is available here.
Document retention and disposal
1.4.1 Does your organisation have a timetable which sets out how long you retain records for?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
Your organisation should have in place and follow a retention timetable for all the different types of records that it holds, including finance, staffing and care records. The timetable, or schedule as it is sometimes called, should be based on the Records Management Code of Practice 2021.
1.4.2 If your organisation uses third parties to destroy records or equipment that hold personal data, is there a written contract in place that has been reviewed in the last twelve months? This contract should meet the requirements set out in data protection regulations.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
It is important that when there is no longer a valid reason to keep personal data that it is disposed of securely. This applies to paper documents, electronic records and equipment, such as old computers and laptops, mobile phones, CDs and memory sticks.
If your organisation uses a contractor to destroy any records or equipment, such as a document shredding company or an IT recycling organisation, then the contract(s) or other written agreement with the third party must include the requirement to have appropriate security measures in place and to allow audit by your organisation. Further information about the destruction of records is in chapter 5 of the Records Management Code of Practice.
If you do not use third parties to destroy records or equipment, then tick and write “Not applicable” in the comments box.
Additional information
Advice on contracts for secure disposal of personal data.
1.4.3 If your organisation destroys any records or equipment that hold personal data, how does it make sure that this is done securely?
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Tool Tip
It is important that when there is no longer a valid reason to keep personal data it is disposed of securely. This applies to paper documents, electronic records and equipment, such as old computers and laptops, mobile phones, CDs and memory sticks. If anyone in your organisation destroys any records or equipment themselves, such as by shredding documents, briefly describe how the organisation makes sure that this is done securely. If you do not destroy records or equipment yourselves, or only use a third party to do so, write “Not applicable” in the text box.
Additional information
We have a Record Keeping policy that has details on the safe destruction of personal data.