The ten data security standards to be met are:
- Colleagues handle, store and transmit personal confidential data securely, whether in electronic or paper form.
- Colleagues understand their responsibilities under the National Data Guardian's data security standards.
- Colleagues complete appropriate annual data security training and pass a mandatory test.
- Personal confidential data is only accessible to colleagues who need it for their role and access is removed as soon as it is no longer required.
- Security breaches and near misses are recorded and used to inform the management of problem processes.
- Cyber-attacks against services are identified and resisted, and CareCERT security advice is responded to.
- A continuity plan is in place to respond to threats to data security, including significant data breaches or near misses.
- No unsupported operating systems, software or internet browsers are used within the IT estate.
- A strategy is in place for protecting IT systems from cyber threats.
- IT suppliers understand their obligations as data processors under General Data Protection Regulation (GDPR).