Videos, tips, templates and useful information to help you complete the Data Security and Protection Toolkit questions on ‘Policies and Procedures’ for adult social care providers.
There are four groups of questions to answer. Click to scroll down to tips on answering questions about:
Data protection policies and privacy notices
Documenting personal information
Document retention and disposal
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
If you use and share personal data then you must tell people what you are doing with it. This includes why you need the data, what you’ll do with it, who you’re going to share it with, and individuals’ rights under data protection legislation, for example the right to access their information.
This should be set out in writing in a ‘privacy notice’. You should provide this information in a clear, open and honest way, using language which is easy to read and understand. Your privacy notice should cover all the data you process, for example data relating to the people you support and their relatives, staff, volunteers and members of the public. You may have more than one privacy notice, e.g. one for staff and another for the people you support.
You can download and adapt this Template Privacy Notice.
You must answer this question to reach: Standards Met and Standards Exceeded
The national data opt-out gives everyone the ability to stop health and social care organisations from sharing their confidential information for research and planning purposes, with some exceptions such as where there is a legal mandate/direction or an overriding public interest, for example to help manage the COVID-19 pandemic.
As a provider, you should help the people who use your services to understand that they can opt out of their data being used for other purposes. You should check that your policies, procedures, and privacy notice cover the opt out.
From July 2022, it is a legal requirement for all CQC-registered health and social care organisations to be compliant with the national data opt-out.
More detailed guidance that gives advice about compliance with the national data opt-out policy is available from NHS England and Digital Care Hub.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
You should have policies and staff guidance in place communicating your organisation’s principles and procedures for data protection.
These should be updated at least every three years, and you should keep local evidence of when each update was made.
Policy templates are available.
You must answer this question to reach: Standards Met and Standards Exceeded
Your organisation should carry out spot checks to confirm that staff are following your data protection, staff confidentiality and related policies. These should be undertaken at least every year. They could be part of other audits that you carry out.
You should keep a record that spot checks have been carried out, including details of any actions, who has approved the actions, and who is taking them forward if applicable.
There is an example audit checklist that you can download.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Your policy should describe how your organisation identifies and accounts for privacy and data protection issues before commencing a new project or process. This is called ‘data protection by design’. This might be a new data sharing initiative, for example becoming part of a shared care record, setting up a new care record system, or using personal data for a new purpose such as research.
Your policy should also explain how your organisation only collects, uses and shares the minimum amount of data necessary for the purpose; how you ensure that data is only available to those who need it; how you store data only for as long as is needed; and how you let people know what you are doing with their data. This is called ‘data protection by default’.
There is guidance on data protection by design and by default on the ICO’s website. Our Data Protection Policy template covers this subject.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Your policy should describe the process that your organisation has in place to make sure that it systematically identifies and minimises the data protection risks of any new project or plan that involves processing personal data. For example, when you introduce a new care recording system; if you install CCTV; if you use new remote care or monitoring technology; if you share data for research or marketing purposes.
This type of risk assessment is called a Data Protection Impact Assessment (DPIA). Your organisation should consider whether it needs to carry out a DPIA at the early stages of any new project if it plans to process personal data. A DPIA should follow relevant guidance from the Information Commissioner’s Office (ICO).
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
Registration with the ICO is a legal requirement for every organisation that uses or shares personal information, unless it is exempt as a small charity. If your organisation is not already registered, you should register as a matter of urgency.
You can check whether you are registered and what your ICO registration number is on the Information Commissioner’s Office website.
You must answer this question to reach: Approaching Standards, Standards Met or Standards Exceeded
To be compliant with data protection legislation you must keep a register of all of the information your organisation stores, shares and receives. The exact information you should include is explained in detail in the guidance below.
This list is called an Information Asset Register (IAR) and it should detail where and how the information is held and how you keep it safe. You should also have a list or lists of the types of personal data that are shared with others, for example needs assessments, prescriptions, payslips, care plans. This list is called a Record of Processing Activities (ROPA) and should detail how the data is shared and how your organisation keeps it safe. You can combine these into one document, but it is fine to have two separate documents.
The register should have been reviewed and approved by the management team at least once in the last twelve months.
Access guidance and templates for the ROPA and IAR.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Your organisation should have a list or lists of the external suppliers that handle personal information, such as IT or care planning systems suppliers, IT support, accountancy, DBS checks, HR and payroll services, showing the system or services provided.
If you have no such suppliers, then tick and write “Not applicable” in the comments box.
Find guidance and a template for listing your external suppliers here.
You must answer this question to reach: Standards Met and Standards Exceeded
Your organisation should ensure that any supplier of IT systems has cyber security certification. This could be external certification such as Cyber Essentials or ISO 27001, being listed on the Digital Marketplace, or completing this Toolkit. IT systems suppliers include, for example, suppliers of rostering, care planning or electronic medicine administration record (MAR) chart systems.
If your organisation does not use any IT systems, then tick and write “Not applicable” in the comments box.
Guidance on managing your suppliers is available here.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
Your organisation should have in place and follow a retention timetable for all the different types of records that it holds, including finance, staffing and care records. The timetable, or schedule as it is sometimes called, should be based on the Records Management Code of Practice 2021.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
It is important that when there is no longer a valid reason to keep personal data that it is disposed of securely. This applies to paper documents, electronic records and equipment, such as old computers and laptops, mobile phones, CDs and memory sticks.
If your organisation uses a contractor to destroy any records or equipment, such as a document shredding company or IT recycling organisation, then the contract(s) or other written confirmation with third parties must include the requirement to have appropriate security measures and the facility to allow audit by your organisation. Further information about the destruction of records is in chapter 5 of the Records Management Code of Practice.
If you do not use third parties to destroy records or equipment, then tick and write “Not applicable” in the comments box.
Advice on contracts for secure disposal of personal data.
You must answer this question to reach: Approaching Standards, Standards Met and Standards Exceeded
It is important that when there is no longer a valid reason to keep personal data it is disposed of securely. This applies to paper documents, electronic records and equipment, such as old computers and laptops, mobile phones, CDs and memory sticks. If anyone in your organisation destroys any records or equipment themselves, such as shredding documents, briefly describe how the organisation makes sure that this is done securely. If you do not destroy records or equipment yourselves, or only use a third party to do so, write “Not applicable” in the text box.
We have a Record Keeping policy that has details on the safe destruction of personal data.