This question is asking who normally deals with data protection in your organisation, and how was that person appointed. This could be the Data Protection Officer for example.
Put the name of the person in this box and how they were appointed. You could also just put the person’s job title. For example, if you typed in “Registered Manager” then if the Registered Manager changed – you wouldn’t need to go back in and edit your answer.
You also need to add in how the position was appointed, so you could put that they were appointed by the manager, or it could be that this person is the business owner.
You would type this in the top text box and click Save.

All staff in your organisation need to understand the importance of data security. This isn’t just the responsibility of senior management and carers but should also include catering staff, cleaners etc. Taking a chef as example; allergies and food intolerances are considered special data so the chef needs to know this information shouldn’t be shared with anyone. Similarly, cleaning staff may have access to care records and they need to know that this is confidential information and should not be shared or discussed with anyone else.
The training could be asking staff to read information in the staff handbook it could be more formal online training or a group session.
If you know this training has taken place, then you can check the box and click Save. On these checkbox answers we recommend you add some text in the comments section as it will help other people who may need to complete the toolbox in the future.

Clauses in contracts or agreements should reference data security (confidentiality, integrity and availability), however many contracts commonly focus on just confidentiality. If your existing contracts don’t have the integrity and availability clauses in them - this can be added as an addendum (you don’t need to create an entirely new contract for each member of staff). If you don’t have any contracts set up ( e.g. you may be a new business), you can download the example template as a starting point.

If you don’t already have a training needs analysis document, then you can download a template from the resource downloads below. When you’re answering this question - you should start with what you already have in place. This could be basic training for new starters, or you might have an annual refresher course. You should also think about any member of staff that may have a specialist role. For example, the Senior Information Risk Owner or the Data Protection Officer will need additional training compared to the basic level of everyone else, and this will need to be noted on your training needs analysis document.
This additional training need will also be referenced in a later question.  

The reason for the 95% figure is that some members of your organisation may be on long-term sick, be on maternity/paternity leave, or some of your new starters may not have received or had a chance to complete the mandatory training yet.
The 95% covers all staff so don’t forget to include any volunteers you have and also include chefs, cleaners, etc.
Because technology and its related threats are constantly changing and evolving this training will need to be revisited each year.
If it is only provided as part of the induction process you will also need to have refresher courses for all staff each year; to ensure they are up-to-date with the latest threats and best practices.
There’s not a specific qualification or list of topics you need to cover, however if you don’t have anything already in place, there are free eLearning modules available on the Digital Care Hub website.

You need to confirm that those people specified for additional training above the basic level have received this training.
For example, these roles could be the Senior Information Risk Owner (SIRO) or Data Protection Officer (DPO).

This should be a current list of all staff and it could be held in different places for each business. For example, it could be part of payroll, HR, or could be on a rostering system.

Registration with the ICO is a legal requirement for every organisation that uses or shares personal information unless they are exempt as a small charity. If your organisation is not already registered, you should register as a matter of urgency. If you haven’t registered already you will need to do so on the ICO’s website. This costs about £35 and the form takes about 10-15 minutes to complete. If you have registered, and don’t know what your registration number is, you can check and get your ICO registration number from HERE. Once you have your registration number (and it’s the number that starts with a Z), enter it into the text box. You can also add the renewal date to your answer or put it in the comment box below if you prefer.

This question can be the most time-consuming and difficult question to answer. It’s asking if your organization holds a record or list of all your data sources. To give you some examples this list could include items such as employee data used by HR, it could be a care records system or CCTV recordings. In this list you will need to include:

• What do you use the data for?
• How you keep the data safe.
• What the business case for using the data?
• How long you keep the data for.

To meet this requirement, it is often easiest to have it split into two separate lists:

• Information Asset Register (IAR) - this will record what information is held, where that information is stored, and how it is kept safe.
• Record of Processing Activities (ROPA) – this will detail the transfer of data into and out of your organisation. So you need to record where and who the data is received from, where and who it is sent to, and the legal basis for transferring the data.
When answering this question, you will have 4 options:
1. Upload a document
2. Reference an existing uploaded document
3. Specify an intranet or internet link to a document
4. Enter text describing the document's location
We recommend you use the fourth option to describe the location of the document. This could be a physical location such as a filing cabinet in the registered manager’s office, or it could be a link to a file in the cloud or on your network.

You must document what you do with the personal data you process. This document needs to be written so that it is easily understood, and should be readily accessible or available on demand. It should cover all personal data used in your business, so it may be that you have more than one privacy document. To give an example; on the KirCCA website, there is a privacy policy which covers website and membership data, as well as another privacy policy that covers the patient data in the Trusted Assessor program that we run.
We’d recommend using the Enter text option here, to stop you having to update your toolkit each time there is a revision.
This will also make sure you don’t have any out-of-date files uploaded into the toolkit,

The national data opt-out gives everyone the ability to stop health and social care organisations from sharing their confidential information for research and planning purposes, with some exceptions such as where there is a legal mandate/direction or an overriding public interest - for example to help manage the covid-19 pandemic. As a provider, you should help the people who use your services to understand that they can opt out of their data being used for other purposes. You should check that your policies, procedures, and privacy notice cover the opt-out. So make sure you have a reference in your data protection documents and privacy policies to show that you are compliant. If you are involved in a research project – this could be for new medication or a new physiotherapy technique, then there is sample text on the digital care hub website which you can use if it needs to be added to your privacy policies. This will include what information is being shared, who it is being shared with. How long it’s stored when it’s stored.

This could be one document or several documents covering data protection and cyber security. This document or documents would need to cover:

• Data protection
• Data quality
• Record keeping data security
• Network security (if relevant)

This question is asking how well your policies and procedures have been put into practice and if they are working effectively for your organisation. You will need to have all your policies and procedures in place before answering this question. You should be doing regular checks on the policies and procedures - at least once a year but ideally more than that. This can be done so it integrates with your existing periodic reviews; say for staff performance you could be checking they can hoist someone correctly or can administer medication correctly, but you also need to check that they are complying with your data policies and procedures. For example, you should be checking the recording of data is done accurately and promptly so for care records this could be selecting a random sample to look at, and this would allow you to see if the records are up-to-date and checking that staff are not waiting until the end of the week to make updates. You would also be able to see if those updates have been recorded in the correct manner. You can also question staff on certain subjects to check they understand what they are expected to do. This could be for a situation that is not easy to observe. In this case if a member of staff didn’t know the answer to a question this could highlight a gap in general knowledge and could be used to make other members of staff aware of certain subjects.

You need to specify that you only keep the minimum amount of data required for the activity and that only the relevant people will have access to this data. You should also specify

• Data is kept for the shortest time
• Why the data is kept
• What the data is used for.

Having safeguards for privacy and data protection principles right from the start is known as data protection by default.

This is risk assessing new systems and relates to your Data Protection Impact Assessment (or DPIA). If you were moving from paper to digital records or if you decided to introduce a new CCTV system then you would need to carry out a risk assessment on how these systems would be managed and what risks are associated with them. Any existing high-risk activities should already be listed in your ROPA (Record Of Processing Activity.) document. If you have this in place, tick the box and reference your DPIA document in the Comments box.

You should have a retention policy or a timetable document that describes how long each type of data is retained for. There’s a common misunderstanding that documents need to be retained for 7 years. This isn’t correct - different types of records will be retained for different amounts of time, for example you retention periods could be:

• Finance for 5 years
• Staffing for 10 years
• Care Records for 15 years

You may also have retention policies specified in your insurance policies that differ from those in your timetable. If this is the case, then you should use whichever of the timeframes is longest.
It’s worth remembering that the retention policy relates to digital records as well. Some people forget and think it only relates to paper records, but digital records also need to be removed when they have passed the retention period.
For example, if you’ve got old laptops, mobile phones, or USB sticks locked in a store cupboard. If these devices still contain data that is outside of the retention period, then that data will also need to be wiped.

This question only applies if you have contracted another company to destroy data on your behalf. This could be for paper documents and/or digital files.
They should be destroyed by a legitimate company that can provide you with an official waste certificates of destruction. It should not be someone you may know who has an bigger shredder at home, or someone you know with IT knowledge and software to shred files on their computer

This is documenting how staff in your organisation need to destroy data internally. This could be using the office shredder or designated file shredding software for destroying your digital files. This document should be used to train staff on how to safely destroy data, so for example, if the shredder is inaccessible or being used by someone else, that document needs to be returned to the original storage location or be put in a lockable drawer until it can be shredded. Staff also need to be trained which types of paperwork can be safely thrown in a waste bin in the office and which need to be shredded or destroyed. Someone may write down some personal details on a piece of paper while talking on the phone. This could be so they can be typed up later, or to update a care record. Those notes would need to be kept safe until they have been typed up, and then safely disposed of. They should not be thrown in the nearest bin or left lying on a desk.

This is only needs to be a list of suppliers that handle personal information.

With more records being kept digitally, this should be an infrequent occurrence, however, if you do need to take paper records outside of the building try to keep records with you at all times. You might need to sign documents in and out of the building so there is a paper trail.
When the documents are out of the building you need to keep them out of sight and should transport them in a locked briefcase or similar. If possible, you could summarise or anonymise the data, so if it does fall into the wrong hands you will limit the potential damage.

This will include lockable doors, windows, and cupboards, security badges, key coded locks to access secure areas such as the registered manager's office or a medical cabinet. Staff should be following clear desk procedures.

Although data breaches aren’t that common there’s a broad definition of what constitutes a breach. For example, if you sent an email to the wrong person, that would be considered a breach, similarly accidentally deleting some data could also be considered a breach as well.
(The contents of either the email or the deleted data would determine how severe this breach was.)
If you do have a breach, it is important to review the circumstances in which the breach occurred and take steps to ensure that it won’t happen again. This also relates to the previous question in that you should be continually reviewing your processes anyway to ensure that the risk of any breach is minimised. It is also important to share learning whenever there has been a breach so that all staff are aware of what has happened. If you have had any breaches in the last 12 months then you can mention where any breaches are documented in the comments box and then tick the box. If you have not had a breach then you can just put not applicable in the comments section but don’t forget that you must also tick the box.

All Staff and volunteers are responsible for noticing and reporting data breaches so it’s vital to have a reporting system in place. If you have something in place already and you’re happy with it then that’s fine, however, you can also report data breaches through the toolkit. Don’t automatically assume that reporting the incident will result in a fine - it’s very rare for social care organisations to receive a fine. Don’t think that your organisation won’t be attacked you need to be vigilant and think it’s a case of when not if. You should still keep a record of any breaches that occur. A benefit of using the toolkit as this will keep and audit of all breaches that are recorded.

Any breach should be reported through the correct channels and steps outlined to prevent or minimise a recurrence. The reporting should follow a process laid out in your reporting policies. . If you haven’t had a breach put “not applicable”

Make sure you are recording who has been informed after a data breach.

A digital asset register is a list of any hardware and software that is used to store or process the data you use. Used in conjunction with your Information Asset Register and Record Of Processing Activity documents it allows you to prirotise and secure data you process by giving you greater visibility, control, and accountability of that data.

The purpose of your business continuity plan is to ensure that in the event of an emergency, you can continue to operate effectively.
All organisations should have a Business Continuity Plan already, however cyber security is often overlooked.
Your business continuity plan needs to cover all relevant potential cyber incidents. It needs to be both auditable and testable and cover a range of incident scenarios. You should include realistic descriptions of what might constitute an incident and you should also rate the severity of each incident.
For example, if you had a power cut or your internet connection went down and you were using a digital care record system - how would your staff continue access a services user’s care record? Another scenario might be that your online finance package goes down. How can you continue to process payments and pay your staff. In this case, your business continuity plan might include having a designated PC and printer connected to an un - interruptible power supply and this would allow you to print off copies of care records. Or if your internet connection went down, you might have the ability to tether to a mobile phone to allow you to access your systems.

Following on from the last question, this question is asking how you would test the effectiveness of your business continuity plan. This could be done in theory where you talk about different scenarios, or it could be done in a practical way for example - by turning off the power or the internet service and testing different situations. Any testing should be done in a safe way to ensure staff and service users are not put at risk and this should be done at least once a year. By testing your business continuity plan, you also get the benefit of increasing staff confidence. If a scenario did play out in reality, then staff already know that they can continue to operate effectively.
If you have a testing system in place, tick the box and put a reference to the testing schedule in the comment section.

If you allow staff to use their own phones for work purposes, say for installing care planning software or accessing work email, Teams, etc, then you should have a clear policy on how these devices are used. This may include prohibiting certain apps or functionality at the workplace and requiring them to add additional software so that the device can be tracked and remotely managed.
If staff have concerns about this there is software available which can separate out your work and personal apps and data.

This also applies to laptops and tablets. Fingerprint/facial recognition, pin or password protection should be enabled on all devices to prevent unauthorised access if the device is lost.
Devices should also have encryption enabled (more on this later...)
There is software available called Mobile Device Management (or MDM) and this is recommended to centrally manage multiple devices. If a device is lost or stolen the data can be located, monitored, remotely wiped and the device disabled.

You should have a process to remove someone’s access when they leave the organisation. This could be triggered by payroll, the issuing a P45 or it could be an exit interview.

The people within your organisation who are IT system administrators may have access to more information than other staff. These team members need to clearly understand their responsibilities and be formally accountable to higher standards of confidentiality than others. For these team members, this might be included in a job description. If this doesn't already exist, it could be added as an addendum, but this would need to be signed. It could also be system administrators working for your IT support provider. In this case the formal agreement might be a contract with your IT support company.

Because passwords are often guessed or stolen, Multi-Factor Authentication (MFA) adds an additional layer of security. MFA requires users to provide two or more different types of verification to access an account or system. MFA usually combines two or more of the following:

• Something you know – like a password or PIN.
• Something you have – like a smartphone, security token, or smart card.
• Something you are – like a fingerprint, face scan, or voice recognition.

. In most cases this will be a password in combination with a text message or authentication app on a moble device. Sometimes it is impractical to have MFA (when staff are sharing devices) if this is the case then you will need a document signed by someone at director level to say that it is not practical to enable MFA. This will also need to be stated in the Comments. If there is no barrier to having MFA then this should be enable for all online systems that support it.

Good password practice should mean that members of staff all have their own passwords and there are no shared passwords. They should have a different password for each application and passwords should have a minimum password length. They might also need to have minimum complexity (meaning the password includes uppercase and lowercase letters, numbers, and or special characters). This policy could either be introduced as part of the induction process, through specific IT training or be implemented with a software solution. For additional security, your organisation may also ask staff to change their passwords periodically. The National Cyber Security Centre recommends using a 3 random words approach. For example you could choose pen, mug, and keyboard, join those words together to make a random password that’s both easier to remember and harder to hack. This is preferable to using family names, a special date, a favourite musician, or a sports team that could be easily guessed by colleagues or someone flicking through your social media.

If you’ve bought some IT software you may already have this included for free. Modern Windows operating systems have Microsoft Defender installed.
If yo don't already have any anitvirus software, there are plenty of affordable options:

• ESET
• Norton
• McAfee
• Sophos
• BitDefender

are just a few examples. Most antivirus software can be configured to updated automatically and you should ensure that all devices used by staff in your organisation have the antivirus software installed.

If members of your organization are using mobile devices away from your business premises, then they need to be made aware that connecting to a public WiFi is unsafe. These networks are insecure and connecting to them could allow unauthorised to access your data and potentially expose your device to an unscrupulous hacker.

You could be connecting to a public WiFi in a café or restaurant or on public transport for example and if this is the case then staff should use a data connection from their phone (e.g. a 4g connection) or if this is not possible then they would need to have additional VPN software installed and configured on their phone. VPN stands for virtual private network and is a service that secures an internet connection and protects privacy online. if staff are using a VPN they also need to be trained in how to check that this software is enabled before connecting to a public WiFi. By always using a phone’s data connection or VPN when away from the organisation’s premises, will ensure that your data is encrypted and secure.

Most businesses will now be automatically backing up data to the cloud. If you are using the cloud then we encourage you to use UK-based servers. Some services will default to other countries so check this with whoever is responsible for your IT. More traditional backup methods are hard copies, external hard drives, CD Roms, USB sticks, etc. If you are using these backup methods then it is best practise to keep them in a different physical location to your primary data. That way in the event of a fire, a flood, or a theft then the chances of both primary and backup data being lost at the same time are greatly reduced. Best practise is to to have a combination of botha and follow the 3-2-1 principle:

• 3 copies of you data across
• 2 different mediums
• 1 medium is stored off-site

Providers also assume that 3rd party systems look after themselves. You should check with your providers what is backed up, how oftern and what the recovery time is for restoring data.

Phone numbers and email contacts all need to be kept up to date and should be available in a paper copy as well as digital format. This will apply to service users and their family and friends, and also for members of staff and volunteers.

You need to ensure your backup routine actually works, so that in the event of accidental data loss, the data and information can be restored as quickly and easily as possible. All your essential services like email and digital care records and other cloud services need to be covered and each backup should be done on a daily basis so you should check with whoever is responsible for IT that this is happening.
You also need to have a schedule to test that the data is being correctly backed up. If you haven’t tested and someone accidentally deleted some files - that would not be the time you want to find out that the backup routine doesn’t work! This schedule might also be part of your business continuity plan.

Systems and software that are no longer supported by the manufacturer can be unsafe as they are no longer being updated to protect against viruses and other vulnerabilities, They’ve listed some examples here so if your organisation was using Windows XP, Windows 8, or Vista then you’ll need to document this any other unsupported software. We will come onto on this in more detail in the next question. Many organisations opt for cloud based services nowadays, as these applications typically update automatically - without user interaction. Office 365 is an example of this, where you no longer have to purchase and install a physical copy of the software each time there is a new release. If you don’t have any unsupported software then you can put Not applicable in the comments section and tick the box.

When products are no longer supported or become obsolete, you'll need to trade off the risks from continuing to use them against the cost of replacing or upgrading them. If you don’t have the option to upgrade this software then it needs to be documented along with the reasons for continuing to use the software, the associated risks and any additional steps you can take to minimise those risks. You should also review this document periodically so that the unsupported software can be dispensed with as soon as it is practical to do so. For example. you may have a legacy system that relies on an out-of-date database. There might be information on that system which still needs to be retained, however you may no longer have the expertise in the organisation to export that data to your current system or maybe you don’t have the budget to hire a contractor to do it for you. In this example, you could have the system installed on a standalone pc which doesn’t hacve access to the network or internet. This would lower the risk compared to the pc being connected to your network and /or having internet access. This is another upload-type question, so we recommend you choose option 4 and put a reference to where the document is stored. If you aren’t using unsupported software then you would write Not applicable in this box instead.

All staff need to be made aware that all software updates need to be downloaded and installed as soon as possible. Ideally, this should be done automatically but may need to be scheduled so it always happens at a set time of day to minimise any disruption to the business. If staff are using their own devices, then these also need to be kept up-to-date with the latest patches.

This covers items like routers, switches, firewalls and other network devices. Some suppliers will send out thousands of these with the same generic password which makes it trivial for a hacker to get a list of these generic passwords. You should ensure that the default password is changed any network device before it is connected to your network. If you didn’t change the password of the new office WiFi router then someone stood outside the building and using the generic password would immediately have access to your network and could then potentially access sensitive information. Installation of these devices should be a documented process and all the relevant staff need to be aware of how these devices should be setup before connecting to your networks.

Any small moveable device that contains data could be easily lost or stolen - they fall out of bags, pockets and get left on tables, it’s easily done. Because of this, some businesses think it is too risky to have small portable storage devices and they will prevent access to removable storage which can be set to individual devices or a blanket block across all devices in the organisation. If you are using removeable devices (like USB sticks), these need to have encryption enabled, so that if they ended up in the wrong hands then the data would remain safe. Many USB sticks you buy will come with encryption technology included for free and Windows also has encryption included with software called BitLocker. You can check with whoever looks after your IT as to how this is implemented.

When sharing information with other agencies (and this could be external IT supplier, a finance portal or a digital care records system ) you need to make sure that they are capable of protecting and storing your data to the same standards that you would expect as your own data to be protected. You wouldn’t normally be able to monitor the staff and procedures of these suppliers, so to check they have the expected standards, you will need to confirm they have some sort of recognised certification. This could be one of the following:

• Cyber Essentials training
• ISO 27,001 which is an international standard for data protection
• Completed a Data Security and Protection Toolkit for their sector
• They are listed on the digital market place

You should be able to see this certification on their website, but if you can’t then you’ll need to contact them and ask them to provide evidence that they have met one of these standards.
If you do have a supplier who doesn’t meet one of these standards, and they’re reluctant to achieve those standards in the future, then we would recommend that you move away to another supplier. There will be situations where it is not practical to move away from your supplier – you may be locked into a contract that still has years to run and it could be too expensive to pay for a duplicate service. If that was the case, then you would add a comment to say that you do have a contract with a supplier without certification, but that as soon as the contract term is up, you will be moving to a new supplier for that service.