Data security: DSPT questions

Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on Data Security’ for adult social care providers.

There are three groups of questions to answer. Click on these links to go directly to those groups.

Physical security controls

Data breaches

Business planning

You can also print or save this page as a PDF using the button at the end of the page.

---

Physical security controls

1.3.12 How does your organisation make sure that paper records are safe when taken out of the building?

You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded

Tool Tip

Paper records may be taken out of your organisation’s building(s), for example for hospital appointments or visits to people’s homes. Leaving documents in cars, for instance, can be risky. How does your organisation make sure paper records are kept safe when ‘on the move’?

If you do not have any paper records or do not take them off site, write “Not applicable” in the text box.

 

1.3.13  Briefly describe the physical controls your buildings have that prevent unauthorised access to personal data.

You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded

Tool Tip

Physical controls that support data protection include lockable doors, windows and cupboards, clear desk procedure, security badges, key coded locks to access secure areas etc.

Provide details at high level and, if you have more than one building, summarise how compliance is assured across your organisation’s sites.

---

Data breaches

6.1.1 Does your organisation have a system in place to report data breaches?

You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded

Tool Tip

All staff, and volunteers if you have them, are responsible for noticing and reporting data breaches and it is vital that you have a robust reporting system in your organisation. There is an incident reporting tool within this toolkit which should be used to report health and care incidents to Information Commissioner’s Office ICO.

If you are not sure whether or not to inform the Information Commissioner’s Office of a breach, the toolkit’s incident reporting tool and guide can help you to decide.

 

5.1.1 If your organisation has had a data breach or a near miss in the last year, has the organisation reviewed the process that may have allowed the breach to occur?

You must answer this question to reach: Standards Met and Standards Exceeded 

Tool Tip

Confirm that your organisation has reviewed any processes that have caused a breach or a near miss, or which force people to use unauthorised workarounds that could compromise your organisation’s data and cyber security.

Workarounds could be things such as using unauthorised devices such as home computers or personal memory sticks or forwarding emails to personal email addresses. It is good practice to review processes annually even if a breach or near miss has not taken place.

If no breaches or near misses in the last 12 months then please tick and write “Not applicable” in the comments box.

 

6.1.2 If your organisation has had a data breach, were the management team notified, and did they approve the actions planned to minimise the risk of a recurrance?

Tool Tip

In the event of a data breach the management team of your organisation, or nominated person, should be notified of the breach and any associated action plans or lessons learnt.

If no breaches in the last 12 months then please tick and write “Not applicable” in the comments box.

 

6.1.3 If your organisation has had a data breach, were all individuals who were affected  informed?

You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded

Tool Tip

If your organisation has had a data breach that is likely to result in a high risk of adversely affecting individuals’ rights and freedoms – e.g. damage to reputation, financial loss, unfair discrimination, or other significant loss – you must inform the individual(s) affected as soon as possible.

If your organisation has had no such breaches in the last 12 months then please tick and write “Not applicable” in the comments box.

Additional information

More information is available from the Information Commissioner’s Office

---

Business planning

7.1.2 Does your organisation have a business continuity plan that covers data and cyber security?

You must answer this question to reach: Standards Met and Standards Exceeded

Tool Tip

Your organisation’s business continuity plan should cover data and cyber security – for example what would you do to ensure continuity of service if: you had a power cut; the phone line/internet went down; you were hacked; a computer broke down; the office became unavailable (e.g. through fire).

Additional information

An example business continuity plan is available here

 

7.2.1 How does your organisation test the data and cyber security aspects of its business continuity plan?

You must answer this question to reach: Standards Met and Standards Exceeded

Tool Tip

Describe how your organisation tests these aspects of its plan and what the outcome of the exercise was the last time you did this. This should be in the last 12 months.

Additional information

Guidance for testing your business continuity plan for the data and cyber security aspects is available here.

 

7.3.2 All emergency contacts are kept securely, in hardcopy and are up-to-date

You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded

Tool Tip

Contacts are those needed to enact the business continuity plan that covers data and cyber security. The contacts include phone number as well as email

Additional information

Find guidance on managing your suppliers