Data Security and Protection Toolkit

How to Complete the Data Protection and Security Toolkit

NHS practices must complete the online Data Protection and Security Toolkit, which is a highly complex task and involves the need for regular annual checks, audits and updates. Without a system to follow it’s a very difficult task for a dental practice to set up and maintain annually. As is often the case with new Government requirements, they are created for much larger organisations such as NHS Trusts or hospitals and there isn’t a ‘lite’ version for small businesses, which may come in the future. But the problem is that we have to complete it now.

Fortunately CODE iComply provides all of the templates, action plans, risk assessments and procedures that a practice needs to comply with GDPR and the new Data Protection Act (collectively, what we call Information Governance, or IG). You can complete the Data Protection and Security Toolkit just by following the steps in the Data Protection and Security Toolkit Completion document, which we call (M 217A). In iComply you keep all policies and procedures up to date each year; CODE updates them in the background, so you only need to know when to review them each year.

There are 30 pages in Microsoft Word containing the following prompts, taken directly from the online Data Protection and Security Toolkit, once CODE iComply has filled in all the evidence for you to adopt. You can see the details in the sample (M 217A) at the end of the newsletter, with the evidence completed being based on the iComply templates.

Assertion: There is senior ownership of data security and protection within the organisation

Prompt | Prompt details | Evidence | Initial | Done
Name of Senior Information Risk Owner. | This is the person who is responsible for data security and could be combined with the Caldicott Guardian. | | |
SIRO Responsibility for data security has been assigned. | This is a formally assigned responsibility for data security to the relevant individual. It could form part of their job description or be an email from the appropriate manager in your organisation. | | |
Name of Caldicott Guardian. | A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. This can be the same person as other roles highlighted. If not relevant for your organisation mark N/A. | | |
Who are your staff with responsibility for data protection and/or security? | Record names and job titles only for staff who have a specialised role. | | |
Staff awareness - Leadership (Q1): I feel data security and protection are important for my organisation. | The percentage of respondents in your organisation who “agree” or “strongly agree” with this statement, taken from the national Data Security Awareness training Survey Question 1. Organisations may capture this information locally where the training is delivered locally. | | |

One of the most important documents is your Information Governance Procedures template, which we call (M 217C); it’s 12 pages ready to adapt and adopt. But CODE iComply also provides:

G 135 – Backup Procedures and Software Log Overview
G 135A – Computer Backup Log
G 135B – Purchased Software Log
M 215 – Record Retention
M 217L – Network, Computer and Software Access Log
M 217M – Physical Security Risk Assessment
M 217N – Business Impact Analysis
M 217P – Patient Leaflet on Personal Information
Plus an additional 20 data protection policies and procedures

The first step is to set up all of the policies, procedures and necessary audits by following the GDPR and Data Protection Action Plan (M 216A). An example of this action plan is downloadable from the end of this newsletter. I’m not saying that iComply is the only way to complete the Data Protection and Security Toolkit and to keep it up to date, but I think it’s the easiest and most time-saving. You can download excerpts of the Data Protection and Security Toolkit Completion document (M 217A), the Data Protection Action Plan (M 216A) and the Data Protection and Security Policy from the end of this newsletter.