Digital Security and Data Protection Audit - Care Homes

Evidence to check

• • Policy is current, reviewed and aligned with GDPR and the Data Protection Act 2018
• • Policy covers digital systems, paper records, emails, CCTV, photos, mobile devices, remote access and data breaches
• • Staff can explain how they protect resident confidentiality in practice
• • Observed practice matches the policy, not just the written procedure

Evidence to check

• • Named DPO or responsible lead is documented
• • Staff know who to contact for data protection concerns
• • Data protection incidents, audits and actions are reviewed by the responsible person
• • Leadership oversight is recorded through governance or management meetings

Evidence to check

• • Training records for induction and refresher data protection training
• • Staff can answer practical scenarios about confidentiality, emails, records, visitors and relatives
• • Agency and temporary staff receive local confidentiality guidance
• • Training is repeated after breaches, near misses or audit concerns

Evidence to check

• • Laptops, tablets, smartphones and shared devices are password, PIN, biometric or multi-factor protected where appropriate
• • Devices are encrypted or protected by approved security controls
• • Devices lock automatically when not in use
• • Lost, stolen or damaged device procedures are known and followed

Evidence to check

• • Digital system access is role-based
• • Paper records are stored securely and not left visible to residents, visitors or unauthorised staff
• • Staff only access records they need for their role
• • Access arrangements are reviewed when staff change role or leave

Evidence to check

• • Software updates and security patches are managed
• • Suppliers provide assurance around system security where applicable
• • Faults, outages or cyber concerns are recorded and escalated
• • Unsupported systems or devices are identified and risk-assessed

Evidence to check

• • Password policy includes strong password and account security requirements
• • Staff do not share logins or write passwords where others can access them
• • Multi-factor authentication is used where available or required
• • Weak password practice is challenged and corrected

Evidence to check

• • Policy covers personal devices and mobile phone use
• • No resident information, photos or documents are stored on personal devices
• • Any authorised exception is risk assessed and documented
• • Staff understand professional boundaries around phones, photos and messaging

Evidence to check

• • Digital systems maintain user audit trails where available
• • Managers can review who accessed or amended records
• • Unusual access or amendments are investigated
• • Staff understand that record access and changes may be audited

Evidence to check

• • Backup arrangements are documented
• • Backups are secure, access-controlled and regularly completed
• • Disaster recovery or downtime procedure is in place
• • Staff know how to access essential information during system failure

Evidence to check

• • Data processing agreements are held for relevant suppliers
• • Supplier GDPR and security assurances are reviewed before use
• • Data hosting, access, retention and breach responsibilities are clear
• • New systems are checked before resident or staff data is entered

Evidence to check

• • Staff use approved email accounts and secure methods where required
• • Sensitive attachments are protected or shared through approved systems
• • Email addresses are checked before sending
• • Email errors or near misses are reported and reviewed

Evidence to check

• • Approved communication platforms are clearly identified
• • Staff know which tools must not be used for resident information
• • Messaging and shared drives are access-controlled
• • Communication records are retained where required

Evidence to check

• • CCTV policy, privacy information and signage are in place
• • Purpose, lawful basis, retention period and access controls are documented
• • Residents, relatives and staff are informed where CCTV is used
• • CCTV is not used in private areas or in a way that undermines dignity

Evidence to check

• • Consent records for photos, videos, marketing, care records or family sharing
• • Images are stored on approved secure systems only
• • Consent is reviewed if use changes
• • Images are not shared on personal phones, social media or unapproved apps

Evidence to check

• • Care records contain relevant information needed for safe care
• • Records avoid excessive, outdated or irrelevant personal data
• • Data minimisation is checked during audits
• • Staff understand not to record unnecessary opinions or sensitive details without purpose

Evidence to check

• • Privacy notices are available and accessible
• • Residents or representatives are told how records are used and shared
• • Information is available in easy-read, large print or other accessible formats where needed
• • Subject access or information requests are managed appropriately

Evidence to check

• • Consent to share information is recorded and specific
• • Consent identifies who information can be shared with and what can be shared
• • Mental capacity or best-interest records are in place where relevant
• • Staff check consent before sharing information with relatives or third parties

Evidence to check

• • Data breach log includes incidents and near misses
• • Immediate containment and resident impact are recorded
• • ICO reporting threshold is considered where required
• • Learning leads to changes in training, systems or practice

Evidence to check

• • Confidential waste or shredding arrangements are in place
• • Records are not placed in general waste
• • Staff know what must be shredded or securely disposed of
• • Bins, printers and staff areas are checked for abandoned confidential information

Evidence to check

• • Agency induction includes confidentiality and record access rules
• • Contractors sign confidentiality agreements where relevant
• • Visitors are not allowed to view confidential records or screens
• • Staff challenge unauthorised access to resident information

Evidence to check

• • Separate Wi-Fi networks or access controls are in place where appropriate
• • Guest Wi-Fi does not provide access to care systems or internal files
• • Wi-Fi passwords are managed securely
• • Cyber risks from open or shared networks are reviewed

Evidence to check

• • Policy covers USBs and removable storage
• • Use is restricted or encrypted where permitted
• • Resident data is not copied to unapproved devices
• • Any use of portable storage is authorised and recorded

Evidence to check

• • Tablets, laptops, phones and care folders are stored securely
• • Devices and folders are not left unattended in public or visitor areas
• • Charging areas are secure where devices contain resident information
• • Lost or misplaced records or devices are reported promptly

Evidence to check

• • Remote access policy is in place
• • Remote users use approved devices and secure authentication
• • Access is restricted to those with a legitimate need
• • Remote working risks are reviewed, including screen privacy and secure storage

Evidence to check

• • Data protection and digital security audit records
• • Audits include digital systems, paper records, staff knowledge and physical security
• • Findings are discussed in governance or management meetings
• • Actions have owners, deadlines and completion evidence

Evidence to check

• • Emergency backup records are available for key information such as medication, emergency contacts and evacuation needs
• • Backups are current and stored securely
• • Staff know how to access backups during downtime
• • Backups are updated and destroyed securely when replaced

Evidence to check

• • Consent records identify platform, purpose and information shared
• • Resident or representative understands how the platform is used where possible
• • Access to family portals is controlled and reviewed
• • Consent is reviewed when use of the platform changes

Evidence to check

• • Care plans identify digital support needs where relevant
• • Residents are supported with online safety, scams, privacy and passwords where agreed
• • Staff respect resident autonomy while offering proportionate support
• • Concerns about exploitation, coercion or online abuse are escalated appropriately

Evidence to check

• • Audit includes observation as well as document review
• • Staff are questioned on practical confidentiality scenarios
• • Audit checks shared spaces, nurses' stations, offices, printers and handheld devices
• • Findings lead to visible improvements in confidentiality practice

Evidence to check

• • Staff can explain how they protect confidentiality during conversations
• • Observations show private discussions happen in appropriate spaces
• • Information is not disclosed to relatives without consent or lawful basis
• • Concerns about overheard information are recorded and acted on

Evidence to check

• • Risk register includes cyber security, system downtime, data breaches or confidentiality risks where relevant
• • Risks are rated, reviewed and assigned to responsible leads
• • Controls and further actions are recorded
• • Senior leaders monitor unresolved or high-risk digital issues