Title Page
-
Site conducted
-
Conducted on
-
Prepared by
-
Location
Data Protection Audit
Staff
-
Question two or three staff on their obligations relating to data security. Were they able to answer confidently and correctly?
-
Ask the same staff if they know where to access the company's data protection policies. Did they answer correctly?
-
Ask the same staff to explain how they would report a suspected data breach. Did they answer correctly?
-
Have all staff completed GDPR training within the last three years?
-
Have any staff been subject to disciplinary action in relation to data protection and security within the last six months? If so, provide details.
-
Have all staff signed an Employee Privacy Notice, which is stored on their personnel file?
Hard Copy Documentation and Physical Access
-
Are all offices, files and cabinets containing personal data locked when not in use?
-
Has any confidential waste been disposed of in the last six months and, if so, is there a destruction certificate? (Use 'N/A' if no destruction has taken place)
-
Has anybody inappropriately accessed or attempted to access confidential records in the last six months? If so, provide details.
Digital Access to Records
-
Is the allocation of administrator rights to electronic platforms (Coolcare, PCS, etc.) restricted to only those who need it?
-
Have all staff who have left employment within the last six months had their access rights removed promptly?
-
Do all staff use only their own login information when accessing personal data? For example, staff sharing a PCS account would not be appropriate.
-
Spot check the computers in the building. Are all screens locked when not in use?
-
Has anybody inappropriately accessed or attempted to access confidential digital records in the last six months? If so, provide details.
-
Have appropriate security measures been applied to all computers and mobile devices, i.e. are they all appropriately password protected?
-
In the last six months, have you seen any evidence of staff using company computers inappropriately, such as for downloading unapproved software, social media, etc.?
Sharing Data / Legal Requirements
-
Is company policy for sharing personal information via post being followed?
-
Is company policy for sharing information via email being followed?
-
Do you know how to access the company's Information Access Register? If not, speak with the Compliance Director.
-
Have all residents and their next of kin been issued with a GDPR Fair Processing Notice?