3.1. Approaching Standards Evidence items (2020-21)

Social care organisations which have not previously published a full DSPT assessment are able to publish an ‘Approaching Standards’ assessment, indicating that the care provider has demonstrated good progress but has not yet reached Standards Met.

The following organisation types are eligible to publish an Approaching Standards assessment:

- Social care

The Approaching Standards Data Security and Protection Toolkit evidence items are:

1.1.2 Who has responsibility for data security and protection and how has this responsibility been formally assigned?
1.2.1 Does your organisation have up to date policies in place for data protection and for data and cyber security?
1.3.1 What is your organisation’s Information Commissioner’s Office (ICO) registration number?
1.3.2 Does your organisation have a privacy notice?
1.4.1 Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information?
1.6.1 Does your organisation’s data protection policy describe how you keep personal data safe and secure?
1.6.2 How does your organisation make sure that paper records are safe when taken out of the building?
1.6.3 Briefly describe the physical controls your buildings have that prevent unauthorised access to personal data.
1.6.5 Does your organisation’s data protection policy describe how you identify and minimise risks to personal data when introducing, or changing, a process or starting a new project involving personal data?
1.6.6 If staff, directors, trustees and volunteers use their own devices (e.g. phones) for work purposes, does your organisation have a bring your own device policy and is there evidence of how this policy is enforced?
1.7.2 If your organisation uses third parties to destroy records or equipment that hold personal data, is there a written contract in place that has been reviewed since 1st April 2020? This contract should meet the requirements set out in data protection regulations.
1.7.3 If your organisation destroys any records or equipment that hold personal data, how does it make sure that this is done securely?
1.7.4 Does your organisation have a timetable which sets out how long you retain records for?
2.2.1 Does your organisation have an induction process that covers data security and protection, and cyber security?
2.2.2 Do all employment contracts, and volunteer agreements, contain data security requirements?
4.1.1 Does your organisation have an up to date record of staff, and volunteers if you have them, and their roles?
4.1.2 Does your organisation know who has access to personal and confidential data through its IT system(s)?
4.2.5 Does your organisation have a reliable way of removing or amending people’s access to IT systems when they leave or change roles?
4.5.4 How does your organisation make sure that staff, directors, trustees and volunteers use good password practice?
6.1.1 Does your organisation have a system in place to report data breaches?
6.1.4 If your organisation has had a data breach, were the management team notified, and did they approve the actions planned to minimise the risk of a recurrence?
6.1.5 If your organisation has had a data breach, were all individuals who were affected informed?
6.2.3 Do all the computers and other devices used across your organisation have antivirus/antimalware software which is kept up to date?
7.3.1 How does your organisation make sure that there are working backups of all important data and information?
7.3.2 All emergency contacts are kept securely, in hardcopy and are up-to-date.
8.3.5 How does your organisation make sure that the latest software updates are downloaded and installed?
10.1.2 Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details?