Information Governance Management

M 217A

Excerpt of the CODE Data Security and Protection Toolkit Solution (NHS)

Remember to remove all square brackets when you have made the choices. Sections in yellow do not need to be completed this time.

DO NOT CLICK THE ‘CONFIRMED’ TICK BOX THAT APPEARS UNTIL YOU HAVE PROPERLY CHECKED EACH SECTION

This improvement plan is only for members who offer NHS treatment and is to aid completion of the online DSP toolkit. The Information Governance Lead (“IG Lead”) is [[the name is filled in by iComply Automatically]]. See the help section of the DSP toolkit for additional guidance www.dsptoolkit.nhs.uk/Help.

Assertion: There is senior ownership of data security and protection within the organisation

Columns: Prompt | Prompt details | Evidence | Initial done

Name of Senior Information Risk Owner.

This is the person who is responsible for data security and could be combined with the Caldicott Guardian.

Enter text: The person responsible for data security is the Data Controller, who is the practice owner [[Practice owner name filled in by iComply automatically]].

SIRO Responsibility for data security has been assigned.

This is a formally assigned responsibility for data security to the relevant individual. It could form part of their job description or be an email from the appropriate manager in your organisation.

Tick box, enter comment: The SIRO is the Information Governance Lead [[the name is filled in by iComply Automatically]].

Terms of use: information in templates, modules, CODE and iComply is written in general terms and is believed to be based on the relevant legislation, regulations and good practice guidance. This information is indicative only and is intended as a guide for you to review and take particular professional advice to suit your circumstances. CODE is a trading name of the Confederation of Dental Employers Ltd and it licenses information to Codeplan Ltd. CODE and Codeplan do not accept any liability for any loss or claim that may arise from reliance on information provided. The use of this document indicates acceptance of these terms. ©CODE 2018.

M 217A – Excerpt of the CODE Data Security and Protection Toolkit Solution, Version 6, Page 1 of 9, Folder 1

Name of Caldicott Guardian.

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people's health and care information and making sure it is used properly. This can be the same person as other roles highlighted. If not relevant for your organisation mark N/A.

[Enter N/A, enter comment: We do not consider it necessary to have a Caldicott Guardian in our dental practice because the whole practice team is regularly trained in our information governance procedures and policies to meet the requirements of the Data Protection Act 2018 at iComply practice meetings, to ensure that personal information about those who use our services is used legally, ethically and appropriately. Much of the evidence is detailed further in this submission. Additionally the team are regularly trained at iComply practice meetings on patient confidentiality, so that confidentiality is maintained. The team have read and agreed to follow the following policies and procedures:

Confidentiality Policy (M 233-CON)
Data Quality Policy (M 233-DPQ) – has Caldicott principles
Data Protection and Information Security Policy (M 233-DPT)
Referrals Policy and Protocol (M 233-RFL)
Social Media Policy (M 233-SMD)

The Data Quality Policy is uploaded later on.]

Who are your staff with responsibility for data protection and/or security?

Record names and job titles only for staff who have a specialised role.

[Enter text adding names as necessary: The Information Governance Lead is [[the name is filled in by iComply Automatically]]. The Data Controller is the practice owner [[the name is filled in by iComply Automatically]].]

Staff awareness – Leadership (Q1). I feel data security and protection are important for my organisation.

The percentage of respondents in your organisation who “agree” or “strongly agree” with this statement, taken from the national Data Security Awareness training Survey Question 1. Organisations may capture this information locally where the training is delivered locally.

Yellow shading means not this year or not mandatory.

Name of Appointed Data Protection Officer.

A Data Protection Officer (DPO) is a role mandated for public bodies, for organisations carrying out regular and systematic monitoring of data subjects on a large scale, and for organisations carrying out large scale processing of special categories (e.g. health and social care) data or criminal convictions data. The DPO advises the organisation on data protection matters, monitors compliance and is a point of contact on data protection for the public and the ICO.

[Enter text: The DPO is the IG Lead; or The DPO is an external consultancy [consultancy name]; or The DPO is a specialist employee [employee name].

If your DPO is your IG Lead enter comment: As we are an NHS practice we must have a DPO even though we do not process large amounts of data or change our data processing regularly. Once it has been set up our data processing is quite simple and routine.]

When were the data security and protection policy or policies last updated?

Policies should be reviewed and updated regularly. [Enter the date the last iComply Information Governance review was carried out. Note that in June 2018 an additional ‘catch up’ review was added to your iComply calendar.

Enter comment: All data protection and security policies and procedures are reviewed annually in iComply. Additionally all of the other related policies and procedures are reviewed annually in their own activities in our iComply compliance cycle. All policies and procedures are updated regularly in iComply by CODE as regulations, legislation or good practice guidance changes.]

Policy has been approved by the person with overall responsibility for data security.

Policies should be formally approved. [Tick box, enter comment: The IG Lead approves the IG policies and procedures; other related policies and procedures are reviewed and approved by the Practice Manager [[the name is filled in by iComply Automatically]] or other responsible person. iComply keeps a full audit trail.]

Assertion: There are clear data security and protection policies in place and these are understood by staff and available to the public

Data Security and Protection Policies available to the public.

Normally an internet link, but if not available on a website then record where it is available. Policies should be shared unless this causes a security risk to the organisation. Publishing your policies will assist you to meet the transparency requirements of GDPR.

[Select “Input the link” to your privacy notice (M 217T), which is on your website. Write comment: Our Privacy Notice (M 217T) is available on the practice website and in hard copy from the practice. It informs people that they can request copies of all other data protection policies and procedures from the practice.]

Staff awareness – Policies (Q2). I know the rules about who I share data with and how.

The percentage of respondents in your organisation who “agree” or “strongly agree” with this statement, taken from the national Data Security Awareness training Survey Question 2. Organisations may capture this information locally where the training is delivered locally. This evidence item is not mandatory in 18/19.

Yellow shading means not this year.

Staff awareness – Policies (Q3). I know who to ask questions about data security in my organisation.

The percentage of respondents in your organisation who “agree” or “strongly agree”, taken from the national Data Security Awareness training Survey Question 3. Organisations may capture this information locally where the training is delivered locally.

Yellow shading means not this year.

ICO Registration Number.

You can get this number from the Information Commissioner's Office website (https://ico.org.uk/for-organisations/).

Enter number.

Transparency information is published and available to the public.

Usually a web page link or a publicly available document, where you publish what information you collect or manage for patients and the public, covering records where personal data is collected directly and indirectly.

[Select “Specify an Internet/Intranet link to the document” and put the link to your Privacy Notice M 217T on the practice website. Add comment: Our Privacy Notice informs people that they can request copies of all other data protection policies and procedures from the practice.]

How have Individuals been informed about their rights and how to exercise them?

This could be a website, leaflet, letter or other method. Would include a list of rights and when/whether they apply to the processing undertaken by the organisation, contact details and procedure for subject access, and other rights requests.

[Select “Upload a Document”: Upload your Privacy Notice (M 217T). Enter comment: Our Privacy Notice is available on the practice website and in hard copy from the practice. It informs people that they can request copies of all other data protection policies and procedures from the practice.]

There is a staff procedure about how to provide information about processing and individuals’ rights at the correct time.

A copy of the procedure or a link to where it is held, such as on your website or in a policy folder.

[Select “Upload a Document”: Upload Information Governance Procedures (M 217C). Add comment: Our procedures about how to provide information on processing and individuals’ rights are included in the attached document called Information Governance Procedures (M 217C), which is reviewed annually. Our Privacy Notice, on the practice website and available at the practice in hard copy, refers to (M 217C) and informs people that they can request a copy of (M 217C).]

There is an updated subject access process to meet shorter GDPR timescales.

A copy of the procedure or a link to where it is held on your website. Read the ICO Guidance.

[Select “Reference a previously uploaded document” and choose (M 217C). Add Comment: It’s in our Information Governance Procedures (M 217C).]

Provide details of how access to information requests have been complied with during the last 12 months.

Show evidence of the number of Subject Access Requests you have received and that they have been responded to in the relevant timescales. Especially note if any requests were answered late. If Freedom of Information Requests apply to your organisation then provide these details too.

[Select “Upload a Document”: Upload Data Requests Record (M 217RX). Add Comment: Explain how you met the requests and if any were answered late. If there have been no requests Add Comment: We have received no requests yet.]

Total ICO Fines in last 12 months.

Show details of each fine, enforcement notice, prosecutions or decision notice. If none, mark None.

Yellow shading means not this year.

Assertion: Records of processing activities are documented for all uses and flows of personal information (GDPR Article 30 and Data Protection Bill 2017 Schedule 1 Part 4)

A record (e.g. register or registers) that details each use or sharing of personal information including the legal basis for the processing.

The record should include for each entry:
Purpose of processing
Legal basis relied on from GDPR Article 6 and Article 9
Categories of data subject/personal data
Categories of recipients
Whether information is transferred overseas
Whether data is retained and disposed of in line with policies, or if not, why not
Whether a written data-sharing agreement or contract is in place
Date data sharing agreement or contract ends

[Reference previously uploaded document: Information Governance Procedures (M 217C). Add Comment: The details are in Information Governance Procedures (M 217C).]

Have information flows been approved by the person responsible for data security?

A statement, email or minutes of meeting where information flows of personal confidential information were discussed and signed off.

[Tick box, enter comment: Information flows are analysed in the Sensitive Information Map, PIA and Risk Assessment (M 217Q), which was last reviewed on [date of last Information Governance Review in iComply].]

Date of when information flows were approved by the person with responsibility for data security.

This date should be within the last 12 months with the personal confidential information flows being approved every 12 months.

[Enter date the (M 217Q) template was last reviewed in iComply. Enter comment: The Sensitive Information Map, PIA and Risk Assessment (M 217Q) is reviewed annually in iComply.]

Provide a list of all systems/information assets holding or sharing personal information.

This may be your information asset register including details of: The type, location, software, owner, support and maintenance arrangements, quantity of data and how critical they are to the organisation.

[Select “Upload a document”: Upload the Information Asset Log (M 217G) and the Purchased Software Log (G 135B).]

List of systems which do not support individual login with the risks outlined and what compensating measures are in place.

A risk assessment or description of the risk of each system which does not support individual logins. This should take into account the type of system, the volume of personal confidential data and how and where this is accessed. The control measures or mitigations should also be stated for each risk.

[Select “Enter text”: We do not have software or systems that process personal data without individual log-ins] or [We have xxx systems that do not have personal logins and process personal data and the details are as follows.]

Assertion: Personal information is used and shared lawfully

There is approved staff guidance on confidentiality and data protection issues.

In line with the organisation’s data protection policy, there is guidance for staff on using and sharing personal information in accordance with data protection legislation, common law duties, and professional codes and national data opt outs, e.g. staff code of conduct, national data opt out model guidance and Data Protection Impact Assessment guidance etc. This may be held in the data protection policy.

[Tick box, enter comment: All staff have a confidentiality clause in their contracts plus they agree to follow the Confidentiality Policy (M 233-CON), the Data Protection and Information Security Policy (M 233-DPT) and the procedures in Information Governance (M 217C) previously uploaded.]

Data Protection Compliance monitoring /staff spot checks are regularly carried out to ensure guidance is being followed.

Confirmation that this has taken place within the last 12 months.

[Tick box, enter comment: We carry out annual compliance monitoring with the Compliance Monitoring Form (M 217K); this has taken place within the last 12 months.]

Results of staff spot checks and actions taken when data protection non-compliance is identified.

This should include a summary of results and who has approved it and any actions recommended and who is taking them forward.

[Select “upload document”: Upload the Compliance Monitoring Form (M 217K). Enter comments detailing any recommended actions and who took them forward.]

Staff awareness – Used legally and securely (Q4). I am happy data is used legally and securely in my organisation.

The percentage of respondents in your organisation who “agree” or “strongly agree” with this statement, taken from the national Data Security Awareness training Survey Question 4. Organisations may capture this information locally where the training is delivered locally. This evidence item is not mandatory in 18/19.

Yellow shading means not this year or not mandatory.

Assertion: The use of personal information is subject to data protection by design and by default

There is a procedure that sets out the organisation’s approach to data protection by design and by default, which includes pseudonymisation requirements.

Your data protection by design procedures should aim to ensure that only the minimum necessary personal data is processed, that pseudonymisation is used where possible, that processing is transparent, and where feasible, allowing individuals to monitor what is being done with their data. Together the procedures should enable your organisation to improve data protection and security.

[Tick box, enter comment: Data protection by design is an integral part of our information governance procedures as detailed in (M 217C) already uploaded.]

Data Protection by design procedure has been agreed.

Data protection by design procedures should be reviewed and updated as part of your GDPR readiness.

[Tick box, enter comment: All Information Governance Procedures in (M 217) and other templates have been agreed by the IG lead.]

There are technical controls that prevent information from being inappropriately copied or downloaded.

Technical controls that can support data protection include role based access, smartcard enabled access, encryption, computer port control to prevent staff from using non-approved memory sticks, pseudonymisation techniques etc. Provide details at high level.

[Enter text: Password procedures and other technical controls are in place as detailed in Information Governance Procedures (M 217) already uploaded.]

There are physical controls that prevent unauthorised access to sites.

Physical controls that can support data protection include lockable doors, windows and cupboards, clear desk procedure, security badges, key coded locks to access secure areas, records libraries, etc. Provide details at high level.

[Enter text: We carry out an annual Physical Security Risk Assessment (M 217M) to identify physical risks and the controls needed. It was most recently reviewed on [date of last review in iComply].]

There is a staff procedure on carrying out a Data Protection Impact Assessment that follows relevant ICO guidance.

See the ICO guidance. [Tick box, enter comment: We have assessed the ICO ‘DPIA Screening Checklist’ and consider that we do not need to carry out a DPIA; this will be reviewed annually. We do carry out a Privacy Impact Analysis annually with iComply using the Sensitive Information Map, PIA and Risk Assessment (M 217Q).]

The Data Protection Impact Assessment Procedure has been agreed by the person in the organisation with overall responsibility for data security.

Data Protection Impact Assessment Procedure should be reviewed and updated as part of your GDPR readiness.

[Do not answer.]

The Data Protection Officer is consulted as a matter of routine when a Data Protection Impact Assessment is being carried out.

As part of the Data Protection Impact Assessments procedure. If not relevant for your organisation mark yes.

[Do not answer.]

Have any unmitigated risks been identified through the Data Protection Impact Assessment process?

Identification of unmitigated risks should form part of the Data Protection Impact Assessments procedure.

[Do not answer.]

All high risk data processing has a Data Protection Impact Assessment carried out before processing commences.

‘High risk processing’ encompasses:
• Automated processing.
• Large scale processing of special categories data, which includes health and genetic data.
• Systematic monitoring of a public area.
If not relevant for your organisation tick to confirm.

[Tick box, enter comment: We do not carry out high risk data processing.]

All Data Protection Impact Assessments with unmitigated risks have been notified to the ICO.

If no unmitigated risks have been identified select Yes.

[Tick yes.]

Next IG Improvement Plan review: iComply automatically schedules reviews and keeps records of previous reviews. If you are not an iComply member write the date of your next review here:
