Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on ‘IT systems and devices’ for adult social care providers.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
The devices referred to in this question include laptops, tablets, mobile phones, CDs, USB sticks etc. This applies to use of devices whether the person is on duty or not, e.g. if they access your system(s) when not on shift. Please upload your Bring Your Own Device policy and any associated guidance, and evidence of how this policy is enforced.
If nobody uses their own devices, then tick and write “Not applicable” in the comments box.
A template Bring Your Own Device (BYOD) policy, and examples of how this policy might be enforced, are available.
You must answer this question to reach: Standards Met and Standards Exceeded
Smartphones are especially vulnerable to being lost or stolen. What has your organisation put in place to protect them and prevent unauthorised access? E.g. is there a PIN or fingerprint or facial scan? Is there an app set up to track the location of a lost/stolen smartphone, and ‘wipe’ its contents remotely? You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any mobile phones, write “Not applicable” in the text box.
You must answer this question to reach: Standards Met and Standards Exceeded
Use of public Wi-Fi (e.g. Wi-Fi freely available at cafes and train stations etc.) or unsecured Wi-Fi (Wi-Fi where no password is required to access it) could be unsafe and lead to unauthorised access of personal data. Staff, directors, trustees and volunteers, if you have them, should be advised of this.
If nobody uses mobile devices for work purposes out of your building/offices, then tick and write “Not applicable” in the comments box.
You must answer this question to reach: Standards Met and Standards Exceeded
Mobile computers like laptops and tablets and removable devices like memory sticks/cards/CDs are vulnerable as they can be lost or stolen. To make these devices especially difficult to get into, they can be encrypted (this protects information by converting it into unreadable code that cannot be deciphered easily by unauthorised people). Devices can be further protected, for example, by preventing the use of removable devices like memory sticks. This is called computer port control. You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any mobile devices, or equivalent security arrangements are in place, then tick and write “Not applicable” in the comments box.
Advice on encrypting mobile devices and equivalent security arrangements is available.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
When people change roles or leave your organisation, there needs to be a reliable way to amend or remove their access to your IT system(s). This could be by periodic audit to make sure that people’s access rights are at the right level. It is important that leavers who had access to personal data have their access rights revoked in line with your policies and procedures. This includes access to shared email addresses.
If your organisation does not use any IT systems, then tick and write “Not applicable” in the comments box.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
If your organisation has any IT systems or computers, it should provide advice for setting and managing passwords. Each person should have their own password to access the computer, laptop or tablet that they are using and a separate password for other systems. These passwords should be ‘strong’ i.e. hard to guess.
This could be enforced through technical controls i.e. your system(s) require a minimum number of characters or a mixture of letters and numbers in a password.
If your organisation does not use any IT systems, computers or other devices, write “Not applicable” in the text box.
Information about good password practice is available.
You must answer this question to reach: Standards Met and Standards Exceeded
Networking components include routers, switches, hubs and firewalls at all of your organisation’s locations. Your organisation may just have a Wi-Fi router. This does not apply to Wi-Fi routers for people working from home. You may need to ask your IT supplier to assist with answering this question.
If your organisation does not have a network or internet access, then tick and write “Not applicable” in the comments box.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
It is important to make sure that backups are being done regularly, that they are successful and that they include the right files and systems. Briefly explain how your organisation’s backup systems work and how you have tested them.
You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any computers or IT systems, write “Not applicable” in the text box.
Advice about backups is available.
You must answer this question to reach: Standards Met and Standards Exceeded
It is important that your organisation’s backups are tested at least annually to make sure data and information can be restored (in the event of equipment breakdown for example). You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any computers or IT systems, then tick and write “Not applicable” in the comments box.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
This applies to all servers, desktop computers, laptop computers, and tablets. Note that antivirus software and antimalware software are the same thing – they both perform the same functions. You may need to ask your IT supplier to assist with answering this question.
If your organisation does not use any computers or other devices, then tick and write “Not applicable” in the comments box.
Further information on anti-virus software is available.
You must answer this question to reach: Standards Met and Standards Exceeded
Systems and software that are no longer supported by the manufacturer can be unsafe as they are no longer being updated to protect against viruses, for example. You may need to ask your IT supplier to assist with answering this question.
Examples of unsupported software include: Windows XP, Windows Vista, Windows 7, Windows 8.1, Java or Windows Server 2008. Windows 11 is supported and is the most up-to-date version of Windows. This question also applies to software systems such as rostering, care planning or electronic medicine administration record (MAR) charts, for example.
If your organisation does not use any IT systems or software, then tick and write “Not applicable” in the comments box. For guidance (including information on how to check which software versions you have), see Digital Care Hub.
You must answer this question to reach: Standards Met and Standards Exceeded
This is a conscious decision to accept and manage the associated risks of unsupported systems. This document should indicate that your board or management team have formally considered the risks of continuing to use unsupported items and have concluded that the risks are acceptable.
If your answer to the previous question was yes, write “Not applicable” in “Enter text describing document location”.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
It is important that your organisation’s IT system(s) and devices have the latest software and application updates installed. Most software can be set to apply automatic updates when they become available from the manufacturer. You may need to ask your IT supplier to assist with answering this question. If your organisation does not use any IT systems, devices or software, write “Not applicable” in the text box.