DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:

Size: px

Start display at page:

Download "DATA PROTECTION SELF-ASSESSMENT TOOL. Protecture:"

Sherilyn Miller
7 years ago
Views:

1 DATA PROTECTION SELF-ASSESSMENT TOOL Protecture:

2 Instructions for use touches many varied aspects of an organisation. Across six key areas, the self-assessment notes where a decision should have been made, or an action taken, in order to ensure compliance across your organisation. The Position column is where you indicate one of three possible positions: 1. Yes you consider yourself compliant. Record your evidence for this position. 2. No you believe you do not need to address the issue (e.g. because of the size of your organisation). Record your rationale for this position. 3. Under Review the issue is under. Record the actions you plan to address the issue, e.g. who has been allocated responsibility and the timescale / next date. The results of your self-assessment should then be summarised on the following page. This will enable you to prioritise actions and changes in the areas of greatest risk. Subscribers Subscribers to our data protection service get four hours of data protection advice and guidance i.e. we would work though the self-assessment tool with you, if needed. We would then address any gaps you might have. For example, work with you to make changes to existing policies; deliver any onsite training; audit systems or processes. Our Subscribers also have access to guidance, template policies and checklists via the Members Area of our website (the Reference column of this Self-assessment Tool refers to these). P a g e 1 of 12

3 Index Number of Action Points Position Y N Action Plan 01 Roles and Responsibilities staff, agency workers and service providers 4 02 Your staff 3 03 Your day-to-day handling of personal information 5 04 Your buildings (physical security) and offsite working 2 05 Your handling of information security incidents 1 06 Your handling of requests for access to personal information 2 Top 3 priorities: P a g e 2 of 12

4 01 Action point A : Roles and Responsibilities staff, agency workers and service providers Your employees: Appoint or confirm the following roles: 1. Senior Management Glossary Y N Under 2. Oversight Glossary Y N Under 3. Audit Glossary Y N Under 4. Senior Information Risk Owner (SIRO) Glossary Y N Under 5. Information Asset Owners (IAOs) Glossary Y N Under 6. Managers Glossary Y N Under 7. Human Resources Glossary Y N Under 8. Users Glossary Y N Under 9. Officer Glossary Y N Under 10. Information Security Officer Glossary Y N Under 11. Facilities Management Glossary Y N Under 12. Legal Services Glossary Y N Under 13. Business Continuity Glossary Y N Under P a g e 3 of 12

5 01 Action point B: Roles and Responsibilities staff, agency workers and service providers Your employees: Adopt or amend Human Resources policy, to address the following areas: 1. Before employment prior to access to personal data 2. During employment accessing personal data 3. After employment no longer accessing personal data 4. Emergency suspension of a User s access Y N Under Action point C: Agency workers and service providers: Adopt or amend contract clauses / terms and conditions to address the following: 1. Third parties with temporary access to personal data 2. Engaging third parties on a contractual basis 3. Engaging third parties on a non-contractual (information sharing) basis Action point D: Glossary DP Guide 01 Y N Under Your organisation: Ensure notification with the Information Commissioner s Office (ICO) 1. Notification with the ICO Y N Under 2. Annual of notification Y N Under P a g e 4 of 12

6 02 Your staff Action point A: Provide data protection training and awareness, and maintain evidence it has been received for each User 1. At induction DP Guide 02 Y N Under 2. Annually DP Guide 02 Y N Under 3. When new systems / policies are introduced Action point B: DP Guide 02 Y N Under Adopt or amend an Acceptable Use Policy (AUP) 1. Evidence maintained of Users receiving and signing their AUP AUP addresses the following areas 2. Sharing and disclosing personal information DP Guide 02 Y N Under DP Guide 02 Y N Under 3. Use of DP Guide 02 Y N Under 4. Use of the internet DP Guide 02 Y N Under 5. Monitoring DP Guide 02 Y N Under 6. Personal use DP Guide 02 Y N Under 7. Computer Misuse DP Guide 02 Y N Under 8. Adherence to policies and procedures DP Guide 02 Y N Under P a g e 5 of 12

7 02 Your staff Action point C: Adopt or amend the following Policies and / or guidance for use by all Users: 1. Password Policy 03.C.4 below Y N Under 2. Clear Desk, Clear Screen and Secure Waste Policy 03.C.7 below Y N Under 3. Offsite Working Policy 04.B. below Y N Under 4. Removable Media Policy 03.B.4 below Y N Under 5. Sharing Personal Information Policy 03.B.5 below Y N Under For access to the complete Self-Assessment Tool please get in touch. Call help@protecture.org.uk Complete the Contact Us form: P a g e 6 of 12

Nottinghamshire County Council. Data protection audit report

Nottinghamshire County Council Data protection audit report Executive summary October 2015 1. Background The Information Commissioner is responsible for enforcing and promoting compliance with the Data