Data and cyber security: appendices


Appendix 1: 'Critical friend' questions for providers 

Personal and sensitive information

What personal or sensitive data do you collect about the people who use your services? How and where is that data collected and stored? What is the lawful basis for collecting the personal and sensitive data?

What personal or sensitive data do you collect about your staff? How and where is that data collected and stored?

How does the organisation know about and control this data? For example, is there an Information Asset Register or Register of Data Processing Activities? If so, what are the arrangements for updating these registers?

How is ‘old’ information disposed of?

How do you inform the people you support, their families and your staff about their information rights and what data of theirs you process? For example, do you have a transparency notice for the people who use your service, staff and/or visitors?

Do you have policies for data security, data protection and data quality? If so, are these policies reviewed at regular intervals?

How widely are these policies understood and followed?

Data security

What information systems do you use?

Do you have any plans to change these systems, e.g. from paper to electronic, or from one system to another?

Which systems (paper or non-paper based) are you most dependent on?

What would you do if any of these critical systems went down and you couldn’t use them?

What things do you do to mitigate your key data security risks?

Do you record any of these risks and mitigations? Is this in a contingency plan?

Do you have any outsourced IT function in respect of personal and sensitive data, e.g. an external IT support company or a cloud-hosted specialist proprietary software system?

If so, what due diligence checks do you carry out on your IT supply chain and outsourced IT functions?

Data breaches

Would you know what to do if a data breach occurred?

Do you have a ‘breach response plan’ or policy?

Do you provide guidance to staff on what data ‘breaches’ are and what to do if they suspect one?

Have you ever experienced a data breach, or been impacted by a data breach or data-related incident in another organisation? If so, what did you learn from the incident(s)?

Staff and training

What training do staff have in: data protection; data quality; data security; and safe use of IT systems?

How do you ensure ongoing awareness raising of these issues amongst staff?

How confident do you think staff are in:

Handling client records and information?

Sharing information with external organisations?

Using IT systems within the organisation?

Using IT devices away from the office?

What would increase staff confidence?

Keeping your electronic data safe

What sorts of IT devices are used by staff in the course of their work? For example, server(s), desktop computers, laptops, tablets, smart phones, or other devices.

Are these devices supplied by your organisation?

If not, do you have a ‘bring your own device’ policy?

What operating systems are installed on these devices?

Which anti-virus software is installed on which devices? Who is responsible for installing it on devices?

Does the antivirus software run scheduled scans to check for viruses? Please give details.

Are operating system updates (including security patches) applied to devices automatically or manually? What are the arrangements?

Is there a network firewall in place?

How are laptops and tablets protected to keep data safe when they are used out of the office? For example:

Encryption e.g. password protection before the operating system

Operating system password

Configured to be remotely tracked and/or wiped if lost or stolen

Set to automatically update installed (non-operating system) software / programmes

How are smartphones protected to keep data safe when they are used out of the office? For example:

PIN/Password protection/fingerprint recognition

Configured to be remotely tracked and/or wiped if lost or stolen, e.g. using an app such as Google’s Find My Device or Apple’s Find My iPhone

Set to automatically update installed (non-operating system) apps

Do staff use portable devices, e.g. memory sticks, CDs or other removable storage? If yes, how do you manage the risks of using removable media?

Is your data backed up? If yes, what data is backed up, how, and how often?

Are the backups tested to see if the information can be restored i.e. disaster recovery testing? Please give details.

What email system is used by the organisation? If not NHSMail, is it a secure system? If so, has the system been registered with NHS Digital?

Do you have an effective up-to-date spam filter in place?

Logins and passwords

Who adds new users to your electronic systems?

When staff log in to computers or to systems holding personal or sensitive data, are any logins shared between staff, i.e. one shared login for several staff as opposed to a separate login per person?

What are the arrangements for staff changing login passwords? For example, does the system enforce password changes at regular intervals?

Do you (or third-party applications) impose password policies? That is, how ‘strong’ are your passwords? For example, do you require a mixture of text and numbers?

Is two-factor authentication used (e.g. with tokens, texts, apps)? Please give details.

How many passwords will staff be likely to have in total?

Is there somewhere safe that staff can keep passwords (e.g. a safe or password manager software such as LastPass, 1Password or a browser password manager)?

What happens to staff’s accounts on the system(s), their email address and files when someone leaves or changes role?