[updated 6 March 2020]

This page supports the step-by-step workshop delivered by OACP to help care providers in Oxfordshire obtain NHSmail. The workshop was funded by NHS Hampshire to support small care providers in reaching the required entry-level standard on the Data Security Protection Toolkit. In addition, OACP is grateful to West Midlands Care Association for sharing their knowledge as part of their pilot project funded by NHS Digital.

The key drivers for care providers:

  1. Compliance for NHS contracts;
  2. Better data protection when sharing confidential information;
  3. Evidence for KLOE W2.8.

Core documents:

Step by step:

  1. Appoint your Data Protection Champion (small providers are not required to have a Data Protection Officer)
  2. Identify your Senior Information Risk Owner (SIRO) – this can be the same person as the Data Protection Champion, or a Board member / Trustee / Director.
  3. Register with the Information Commissioner’s Office or search for your organisation’s existing reference number if already registered [url]
  4. Create core data policies
    1. Data Security Policy – Data Security Policy template [docx]
    2. Data Quality Policy – Data Quality Policy template [docx]
    3. Records Management – Record Keeping policy template [docx]
      • Discretionary: Network Security Policy template – talk to your ICT supplier about this [docx]
  5. Create an Information Asset Register – Information Asset Register Template [xlsx]
  6. Create a Record of Processing Activities – ROPA template [xlsx]
  7. Schedule an Information Asset Register review date – annually or following large data management changes like moving from paper to electronic records
  8. Create your Data Protection Policy – Data protection policy template [docx]
  9. Review staff employment contracts and insert confidentiality clause if not already included – Staff Confidentiality clause template [docx]
  10. Confirm you have all the required basic Data Policies in place – ask your SIRO to sign off your compliance.
  11. Think about how to train staff and make them aware of data security:
    1. Staff Data Security and Protection Code of Conduct Guidance [docx]
    2. Staff Guidance on Subject Access Requests – Individual Rights [pdf]
    3. Staff Guidance on data sharing [docx]
    4. Staff Guidance on Data Quality Record Keeping [docx]
    5. Staff Guidance on Data Breaches [docx]
  12. Create a Privacy Notice
    1. for your website
    2. and / or a Citizen Leaflet to use as a handout or on the wall of your public area
  13. Ensure you have a Data Breach reporting process – template [docx]
  14. Create a record of all staff and their roles
  15. Complete a Data Protection Impact Assessment for each system that stores, processes and shares confidential information – template [docx]
    1. DPIA guidance [url]
    2. A new DPIA is required for all new data storage, processing and sharing systems.
  16. Create a list of suppliers – all companies or people (sole traders) that your organisation purchases from – template [xlsx]

When complete:

  1. Register your account
    1. You will need your ODS code
    2. Contact [email protected] if unsure
  2. Complete your profile
  3. Upload your evidence
  4. Publish your entry

Further Templates, Guidance and Links

Please direct any questions to OACP through the form below

  • Let us know what your query is and we will get back to you as soon as possible.