3.1. Entry Level Evidence items (2020-21)

Small organisations which have not previously published a full DSPT assessment are able to publish an ‘Entry Level’ assessment indicating that, while the DSPT Standard is not being met, critical Data Security Measures have been implemented. 

The following organisation types are eligible to publish an Entry Level assessment:

- Care Home

- Charity / Hospice

- Dentist (NHS)

- Dentist (Private)

- Domiciliary Care Organisation

- NHS Business Partner

- Optician

- Pharmacy

The Entry Level Data Security and Protection Toolkit evidence items are: 

1.2.1 Does your organisation have up to date policies in place for data protection and for data and cyber security?

1.3.1 What is your organisation’s Information Commissioner’s Office (ICO) registration number?

1.3.2 Does your organisation have a privacy notice?

1.4.1 Does your organisation have an up to date list of the ways in which it holds and shares different types of personal and sensitive information?

1.6.1 Does your organisation’s data protection policy describe how you keep personal data safe and secure?

1.6.5 Does your organisation’s data protection policy describe how you identify and minimise risks to personal data when introducing, or changing, a process or starting a new project involving personal data?

2.2.1 Does your organisation have an induction process that covers data security and protection, and cyber security?

2.2.2 Do all employment contracts, and volunteer agreements, contain data security requirements?

4.1.1 Does your organisation have an up to date record of staff, and volunteers if you have them, and their roles?

6.1.1 Does your organisation have a system in place to report data breaches?

10.1.2 Does your organisation have a list of its suppliers that handle personal information, the products and services they deliver, and their contact details?