<aside> ❗ This page is shared publicly, be careful when you're making edits ❗

</aside>

<aside> 🔒 We always try to go beyond the minimum data security and protection requirements. When you look us up on the DSP Toolkit website all you'll see is a statement saying "Standards Exceeded" for the past three years. We don't think that that tells you very much. So we wanted to show you how we have exceeded the standards, rather than expecting you to just trust that we have. We have tried to make this page as easy to read as possible, so in a few cases we've combined duplicative questions from the toolkit into one answer.

</aside>

1. Personal Confidential Data

All staff ensure that personal confidential data is handled, stored and transmitted securely, whether in electronic or paper form. Personal confidential data is only shared for lawful and appropriate purposes

• 1.1 There is senior ownership of data security and protection within the organisation
• 1.2 There are clear data security and protection policies in place and these are understood by staff and available to the public
• 1.3 Individuals’ rights are respected and supported (GDPR Article 12-22)
• 1.4 Records of processing activities are documented for all uses and flows of personal information (GDPR Article 30 and DPA 18 Schedule 1 Part 4)
• 1.5 Personal information is used and shared lawfully
• 1.6 The use of personal information is subject to data protection by design and by default
• 1.7 Effective data quality controls are in place and records are maintained appropriately
• 1.8 There is a clear understanding and management of the identified and significant risks to sensitive information and services

2. Staff Responsibilities

All staff understand their responsibilities under the National Data Guardian’s Data Security Standards, including their obligation to handle information responsibly and their personal accountability for deliberate or avoidable breaches

• 2.1 Staff are supported in understanding their obligations under the National Data Guardian’s Data Security Standards

3. Training

All staff complete appropriate annual data security training and pass a mandatory test, provided linked to the revised Information Governance Toolkit

• 3.1 There has been an assessment of data security and protection training needs across the organisation
• 3.2 Staff have completed data security and protection and cyber security training
• 3.3 Staff with specialist roles receive data security and protection training suitable to their role