Digital Security and Data Protection Audit - Care Homes
N/A counts as Yes (full credit). Unanswered reduces the score until completed.
Questions
Q1
Is there an up-to-date data protection and digital security policy aligned with GDPR and the Data Protection Act 2018?
Q2
Is there a named Data Protection Officer or responsible person overseeing compliance and incident response?
Q3
Are staff trained on data protection, confidentiality, and secure record handling during induction and at regular intervals?
Q4
Are digital devices (e.g., laptops, tablets, smartphones) encrypted, password-protected, and only accessible by authorised users?
Q5
Are care records, both digital and paper, stored securely with access restricted based on role and need?
Q6
Are digital systems (e.g., care planning software, medication systems) updated regularly with security patches and monitored for threats?
Q7
Are passwords changed routinely and strong password policies enforced across all platforms?
Q8
Are staff prohibited from using personal devices to access or record confidential information?
Q9
Are records of staff access to digital systems (e.g., log-ins, amendments) auditable and retained securely?
Q10
Is data backed up regularly and stored securely, with disaster recovery procedures in place?
Q11
Are any data processing agreements in place with third-party IT or software providers, ensuring GDPR compliance?
Q12
Are emails containing personal information sent via secure channels or encrypted services?
Q13
Is there a clear protocol for the use of digital communication tools (e.g., email, apps, shared drives) within the home?
Q14
Are CCTV systems, if in use, registered, compliant with ICO requirements, and clearly signed in public spaces?
Q15
Are any staff photos, resident images, or videos stored and shared only with written consent?
Q16
Is personal data collected only when necessary and for lawful, transparent purposes?
Q17
Are residents informed of their data rights and how their personal information is used, stored, and shared?
Q18
Are consent forms for data sharing (e.g., with relatives, professionals, digital platforms) up to date and signed?
Q19
Are data breaches logged, investigated, reported (where required to the ICO), and used for learning?
Q20
Are printed records (e.g., handover sheets, MAR charts, visitor logs) shredded or disposed of securely?
Q21
Are agency staff and contractors informed of data protection expectations while on site?
Q22
Is Wi-Fi access separated between resident, staff, and guest usage to protect sensitive data?
Q23
Is the use of USBs or portable storage devices controlled and monitored?
Q24
Are physical devices (e.g., tablets, care plan folders) stored securely when not in use?
Q25
Is remote access to systems (e.g., for managers) protected by VPN, two-factor authentication, or similar safeguards?
Q26
Are data protection audits carried out regularly and findings discussed in governance meetings?
Q27
Are paper-based emergency backups for key records (e.g., medication, emergency contacts) kept securely?
Q28
Is consent for third-party platforms (e.g., care monitoring apps, family portals) clearly documented and reviewed regularly?
Q29
Are residents supported to understand digital risks if they access Wi-Fi or use devices independently?