Conditions

Organisational Accreditation Conditions and Criteria
Organisation Name

Completed by

Applicable Conditions


Date of compilation




ContactPoint Organisational Accreditation Criteria Selector
                 Answering questions 1-9 using the drop-downs will eliminate the accreditation criteria that do not apply to your organisation.
                 Click print once complete to print your personalised list of accreditation criteria.
        Q. No.                                                     Questions                                                                                 Y/N

           1               Will you be feeding data up to ContactPoint?                                                                                        Y

           2               Will you have staff querying ContactPoint?                                                                                          Y

           3               Will you use shielding functionality?                                                                                               Y
           4               Will you use sensitive services functionality?                                                                                      Y
           5               Will you seek consent to hold records for young people aged 18 and over?                                                            Y

           6               Will you use mediated access?                                                                                                       Y

           7               Will you use emergency shielding override functionality?                                                                            Y

           8               Will you use child death reporting functionality?                                                                                   Y
           9               Will you use fixing accountable body functionality?                                                                                 Y
        ERROR               *You must answer yes to one or both of questions 1&2 to be involved with ContactPoint*                                         ERROR


                                                                                                                                                                                                                                                  Anticipated work                                                  RED, Amber, Green
Condition Number           Department / Division                                                                  Criterion                                                                                  UA   Data Feed   Query   Other                          Policy in Place   Link to Policy & Procedure                       Anticipated Resolution Review date   Notes   Assumptions
                                                                                                                                                                                                                                                  needed                                                            (RAG)

Org01                      HR Record-Keeping: are records kept of employees and contractors?                      Are records kept of employees and contractors?                                             Y                    Y                      New


                           HR Entry Procedure: is there an induction process that is followed for new             Is there an induction process that is followed for new employees, or when an employee                                                  New
Org02                                                                                                                                                                                                                             Y
                           employees, or when an employee needs to use ContactPoint?                              needs to use ContactPoint?

                           HR Exit Procedures: does the organisation ensure that tokens and accounts              Does the organisation ensure that tokens and accounts are withdrawn when a member of                                                   New
Org03                                                                                                                                                                                                        Y                    Y
                           are withdrawn when a member of staff no longer needs to use ContactPoint?              staff no longer needs to use ContactPoint?

Org04                      Enhanced CRB Checks: does the organisation schedule eCRB checks?                       Does the organisation schedule eCRB checks?                                                Y                    Y                      New

                           User Training: does the organisation ensure training is delivered for all                                                                                                                                                     New
Org05                                                                                                             Does the organisation ensure training is provided for all ContactPoint users?                                   Y
                           ContactPoint users?

                           Disciplinary Procedure: does the organisation recognise misuse as an
                                                                                                                  Does the organisation recognise misuse as an appropriately serious disciplinary offence                                                New
Org06                      appropriately serious disciplinary offence and have a procedure to discipline                                                                                                     Y                    Y
                                                                                                                  and have a procedure to discipline those who misuse the system?
                           those who misuse the system?

                           Internal Audit or Control – Risk Monitoring: does the organisation have a              Does the organisation have a mechanism for checking that required processes are being                                                  New
Org07                                                                                                                                                                                                        Y        Y           Y
                           mechanism for checking that required processes are being followed?                     followed?

                           Policy and Process for Shielding: if the organisation is to shield records does it
                                                                                                              If the organisation is to shield records does it have processes to raise and lower                                                         New
Org08                      have processes to raise and lower shielding, and to handle emergency                                                                                                                       Y                       A
                                                                                                              shielding, and to handle emergency situations?
                           situations?


                           Policy and Process for Consent to Share Sensitive Services: if the organisation
                                                                                                           If the organisation is to handle sensitive services records does it have policies and                                                         New
Org09                      is to handle sensitive service records, does it have policies and procedures in                                                                                                            Y                       B
                                                                                                           procedures in place to obtain consent and handle any withdrawal of consents?
                           place to obtain consent and handle any withdrawal of consent?


                           Policy and Process for Consent for Records Over 18 Years: if the organisation
                                                                                                         If the organisation is to handle records for over-18’s, does it have policies and                                                               New
Org10                      is to handle records for over-18’s, does it have policies and procedures in                                                                                                                Y                       C
                                                                                                         procedures in place to obtain consent and handle any withdrawals of consents?
                           place to obtain consent and handle any withdrawal of consent?


                           Policy and Process for Mediated Access: if the organisation is to use mediated If the organisation is to use mediated access does it have in place policies and                                                               New
Org11                                                                                                                                                                                                                             Y           D
                           access does it have in place policies and processes for the use of this function? procedures for the use of this function?

                           Policy and Process for Token Management: does the organisation have
                                                                                                                  Does the organisation have instructions on how to work with the LA on the issue, return,                                               New
Org12                      instructions on how to work with the LA on the issue, return, loss or damage                                                                                                      Y        Y           Y
                                                                                                                  loss or damage of tokens?
                           of tokens?


                           Policy for Maintaining Personal Data: does the organisation have policies that Does the organisation have policies that users must keep personal data held about them                                                         New
Org13                                                                                                                                                                                                        Y        Y           Y
                           users must keep personal data held about them in ContactPoint up to date?      in ContactPoint up to date?


                           Policy for Resetting Lost Passwords: does the organisation provide guidance            Does the organisation provide guidance on how to reset any forgotten or stolen                                                         New
Org14                                                                                                                                                                                                        Y        Y           Y
                           on how to reset any lost passwords?                                                    password?

                           Policy and Process for Reporting and Handling Security Breaches: does the
                                                                                                          Does the organisation have policies on the reporting of security breaches and processes                                                        New
Org15                      organisation have policies on the reporting of security breaches and processes                                                                                                    Y        Y           Y
                                                                                                          for following these up?
                           for following these up?

                           Policy for Accurate and Complete Data Recording: does the organisation have
                                                                                                           Does the organisation have policies on the accuracy and completeness of capture and                                                           New
Org16                      policies on the accuracy and completeness of capture and entry of data in their                                                                                                   Y        Y
                                                                                                           entry of data in their system?
                           systems?

                           Policy and Process for DSAR: does the organisation have a policy on the                Does the organisation have a policy on the handling of data subject access requests and a                                              New
Org17                                                                                                                                                                                                                 Y           Y
                           handling of data subject access requests and a procedure to handle them?               procedure to handle them?
                                                                                                                  Does the organisation have a policy and procedure for investigating the use of                                                         New
Org18                      Policy and process for investigating the use of emergency shielding override.                                                                                                                          Y           E
                                                                                                                  emergency shielding override?
                           Policy and Process for Usage Report Monitoring: does the organisation have a
                                                                                                          Does the organisation have a policy and process in place that ensures line management                                                          New
Org19                      policy and process in place that ensures line management monitor their staff’s                                                                                                    Y                    Y
                                                                                                          monitor their staff's usage of ContactPoint?
                           usage of ContactPoint.

                           Workstation Requirements: are workstations correctly set up to use                                                                                                                                                            New
Org20                                                                                                             Are workstations correctly set up to use ContactPoint?                                     Y                    Y
                           ContactPoint.

                           Network Infrastructure: ensures the organisation's networks are configured             Ensure that the organisation's networks are configured securely: is the organisation's                                                 New
Org21                                                                                                                                                                                                        Y        Y           Y
                           securely.                                                                              network securely configured?

                           Policy, processes, training and resources provided for first-line support for          Are policies, processes, training and resources provided for first-line support of                                                     New
Org22                                                                                                                                                                                                                             Y
                           ContactPoint users.                                                                    ContactPoint users?
Org23                      Policy for reporting child death.                                                      Does the organisation have in place a policy for reporting a child's death?                        Y                       F          New

Org24                      Policy and process for fixing a child’s accountable body.                              Does the organisation have in place a policy for fixing a child's accountable body?               Y                       G          New

Org25                      Management commitment for data supply – OADS.                                          Is management committed to data supply – OADS?                                                     Y                                  New

Org26                      Management commitment to comply – for query access.                                    Is management committed to comply with procedure for query access?                                              Y                      New

                                                                                                                  Does the organisation have in place policies and procedures for dealing with disputed                                                  New
Org27                      Policy and process for handling disputed data.                                                                                                                                             Y
                                                                                                                  data?

Org28                      System upgrade processes.                                                              Does the organisation have in place a process for system upgrade?                                   Y           Y                      New




Keys                       Applicable Condition
Y                          Criterion is applicable

N                          Criterion is not applicable

A                          Org using Shielding functionality

B                          Org using Sensitive Services functionality
C                          Org Seeking Consent to Hold Records for People 18 Years and Over
D                          Organisation will use Mediated Access
E                          Organisation will use Emergency Shielding
F                          Organisation will use Child Death Reporting functionality
G                          Organisation will use Fixing Accountable Body functionality
None                       No Work - policy etc is in place
Min                        Minimal Work - With some revision of existing policies and processes
Sig                        Significant Work - With significant revision of existing policies and processes
New                        New Work - Completely new policies etc to be created




Org01   HR Record-Keeping: are records kept of employees                    Dependencies
        and contractors?


        Conditions
        • Staff records are kept up to date
        • Organisation knows who is employed at any given time
        • Organisation knows the identity of agency staff employed
        at any given time
        • Job descriptions are used
        • Employment contracts refer to the job description, staff
        handbook and disciplinary processes
        • A staff handbook (or equivalent) sets out responsibilities
        for: information sharing and appropriate use of
        ContactPoint, use of passwords and tokens, using
        mediated access in appropriate circumstances
        • A staff handbook describes what is considered to be
        misuse of the system, and makes the penalties clear for
        such misuse                                                     Org06
        • Organisation knows who is set up as a user of
        ContactPoint at any given time and could construct a list of
        users at any point from the previous six years

        Testing
        There are staff records and the organisation states that they
        are kept up to date and are accurate.

        Can generate a list of ContactPoint users for a given period.
        A staff handbook or equivalent contains relevant information
        on the use of ContactPoint and the consequences of
        misuse.

        The ContactPoint Team should be able to:
        See evidence that HR records are kept.
        Select a number of records at random from the HR system
        of staff that work with ContactPoint and check that the data
        held on these records is up to date.
        Select a person working in the organisation and verify that
        they have an HR record that is up to date.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org02   HR Entry Procedure: is there an induction process                   Dependencies
        that is followed for new employees, or when an
        employee needs to use ContactPoint?


        Conditions
        • A process is in place to handle all staff or contractors that
        join a team using ContactPoint.                                 Org01
        • That this process triggers – eCRB checks, training,
        modifications to job descriptions and other training as needed
        regarding the duties and responsibilities of that member of
        staff.                                                          Org04, Org05

        Testing
        Processes are in place.
        There is evidence that the processes are being followed.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are
        kept.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org03   HR Exit Procedures: does the organisation ensure that                      Dependencies
        tokens and accounts are withdrawn when a member of staff
        no longer needs to use ContactPoint?


        Conditions
        • There is a leaver’s process that is used for all staff leaving
        employment.                                                              Org01
        • The leaver’s process, amongst other administrative tasks, triggers
        the return of tokens and closure of the staff member’s ContactPoint
        account.                                                                 Org12
        • The leaver’s process or similar also caters for staff transferring out
        of a team and no longer needing access to ContactPoint.
        • It is clear in handbooks and employment contracts that any attempt to
        use ContactPoint after leaving employment is classed as serious
        misuse and is a potential criminal offence.                              Org01

        Testing
        There is a leaver’s process and it is followed for all staff that
        had access to ContactPoint.
        The leaver’s process or equivalent caters for staff transferring out of
        a team.
        Tokens are tracked through the use of a log that shows when they
        were returned, and that return dates correspond to dates when
        accounts were closed.

        The ContactPoint Team should be able to:
        Take user records from the ContactPoint IdP, select a few records
        at random, and reconstruct the leaver’s process including the return
        of a token. Record dates should show the prompt execution of the
        process.

        See evidence that local copies of policies and processes are kept.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org04   Enhanced CRB Checks: does the organisation                          Dependencies
        schedule eCRB checks?


        Conditions
        • A process is in place to ensure users have an enhanced CRB
        check not older than three years. That enhanced CRB checks
        are reapplied for in advance of their expiry date to provide for
        continuity of use.                                               Org02
        • That a list of users, the existence of their enhanced CRB
        status and renewal dates can be produced for any point of time
        over the previous six years.
        • That users failing enhanced CRB checks have their accounts
        closed and tokens returned.                                      Org12
        • That users with elapsed enhanced CRB checks are either
        suspended as users until their CRB check is renewed or have
        their account closed and token returned.

        • That the policy and process are compliant with any guidance
        issued by the ContactPoint National Team or local
        ContactPoint Team as regards handling of eCRB checks.

        Testing
        The processes exist and are being used.
        They can generate a list of ContactPoint users with details on
        enhanced CRB status for a given period.

        The ContactPoint Team should be able to:
        Select users from the IdP and see evidence of their CRB
        status.
        See evidence that local copies of policies and processes are
        kept.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org05   User Training: does the organisation ensure training is             Dependencies
        delivered for all ContactPoint users?


        Conditions
        • A process is in place to ensure users have been trained
        before they use the system. If a user has been trained on
        ContactPoint usage by another organisation previously (and
        wishes to “port” their training) confirmation of this must be
        obtained and documented.                                        Org02
        • That training records are held and can be viewed against
        each current staff member and are held for a period of 6 years
        after a staff member leaves or transfers out of post.

        Testing
        Training processes exist and are being used.
        They can generate a list of trained users.

        The ContactPoint Team should be able to:
        Select users from the IdP and see evidence of their trained
        status.
        See evidence that local copies of policies and processes are
        kept.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org06   Disciplinary Procedure: does the organisation recognise                    Dependencies
        misuse as an appropriately serious disciplinary offence and
        have a procedure to discipline those who misuse the
        system?


        Conditions
        • A policy is in place that makes it clear that misuse will result in an
        investigation and the application of disciplinary procedures.

        • That the policy explains clearly what will be considered misuse.
        • That there is a procedure in place to discipline staff for misuse.
        That this procedure suspends a user from using ContactPoint until
        the conclusion of the procedure.
        • That there are clear duties placed on staff to report misuse if
        suspected.
        • That there is a whistle-blowing policy and process in place to
        support staff who may wish to report misuse outside the normal
        reporting lines of the organisation.
        • That disciplinary procedure records are held and can be viewed for
        a period of 6 years after the conclusion of each case.

        Testing
        Disciplinary policies and procedures exist.
        There is clarity over what will be construed as misuse, and that this
        corresponds with ContactPoint guidance.
        Users are monitored and action taken where appropriate.
        If disciplinary action was needed, that records are kept of the
        process and decision taken.

        The ContactPoint Team should be able to:

        See evidence that local copies of policies and processes are kept.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org07   Internal Audit or Control – Risk Monitoring: does the                  Dependencies
        organisation have a mechanism for checking that required
        processes are being followed?


        Conditions
        • Have an internal control function in place.
        • The internal control function should be aware of conditions placed
        on the organisation by ContactPoint, given the organisation’s
        accreditation profile.
        • Assess the risk of breach of these conditions bearing in mind any
        guidance issued by DCSF, their ContactPoint Team, and local
        conditions.
        • Have in place a plan showing how they will check up on
        compliance.
        • Have processes in place to conduct compliance checks, raise
        compliance reports and action any observed problems.

        Testing
        Processes in place and working.

        The ContactPoint Team should be able to:

        See evidence that local copies of policies and processes are kept.
Responsibility   RAG Status   Gaps identified   Target date for completion   Actual date of completion

Org08   Policy and Process for Shielding: if the organisation is to          Dependencies
        shield records does it have processes to raise and lower
        shielding, and to handle emergency situations?


        Conditions
        The Policy should cover:
        • Under what conditions shielding can or should be requested or
        withdrawn.
        • Who has the authority to request shielding or withdrawal of
        shielding.
        • Who liaises with the LA ContactPoint management team.

        • The impact on local systems in the case of a shielded record.
        The Process should cover:
        • How a shielding decision is made.
        • Follow-up actions that review the status of the record and
        recommend continuation or withdrawal of shielding status.
        • How the shielding is withdrawn.
        • How the organisation will liaise with the Local Authority
        ContactPoint management team.

        Testing
        There should be evidence that policy and processes are
        documented and deployed.

        There should be evidence that the processes are being followed.

        The ContactPoint Team should be able to:

        See evidence that local copies of policies and processes are kept.
Org09   Policy and Process for Consent to Share Sensitive
        Services: if the organisation is to handle sensitive
        service records, does it have policies and procedures in
        place to obtain consent and handle any withdrawal of
        consent?
        Dependencies:


        Conditions
        The Policy should cover:
        • That sensitive service details are only supplied to
        ContactPoint with the consent of the parent, carer or child.
        • Under what conditions sensitive service details will be
        provided to ContactPoint.
        • Under what conditions sensitive services should be deleted
        from ContactPoint.

        • Record keeping – who gave consent, to whom, on what date.
        • Response times for removal of sensitive service details.
        The Process should cover:

        • Securing consent from a parent, carer or child and enabling
        the provision of sensitive service details to ContactPoint.
        • Withdrawal of consent and ensuring removal of the
        information from ContactPoint.

        Testing
        There should be evidence that policy and processes are
        documented and deployed.
        There should be evidence that the processes are being
        followed.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are
        kept.
Org10   Policy and Process for Consent for Records Over 18 Years:
        if the organisation is to handle records for over-18s, does it
        have policies and procedures in place to obtain consent
        and handle any withdrawal of consent?
        Dependencies:


        Conditions
        The Policy should cover:
        • Under what conditions will the organisation send a request to
        extend a child record beyond their 18th birthday.
        • Under what conditions the organisation will rescind a request to
        extend a child record.
        The Process should cover:
        • Securing consent from a young person or their parent or carer to
        provide details to ContactPoint beyond the young person’s 18th
        birthday.
        • Withdrawal of consent and ensuring removal of the information
        from ContactPoint.
        • Liaison with the ContactPoint management team to immediately
        archive the record.

        Testing
        There should be evidence that policy and processes are
        documented and deployed.

        There should be evidence that the processes are being followed.

        The ContactPoint Team should be able to:

        See evidence that local copies of policies and processes are kept.
Org11   Policy and Process for Mediated Access: if the
        organisation is to use mediated access does it have in
        place policies and processes for the use of this
        function?
        Dependencies:


        Conditions
        The Policy should cover:
        • Who may need to use mediated access and who will perform
        the mediator role.
        • Under what conditions will mediated access be allowed.
        • Training required for mediator and mediatee.
        • The difference between mediation and information sharing.
        • Reporting incidents.
        • Record keeping.
        The Process should cover:
        • How to obtain the rights to perform mediated access and to
        mediate.
        • Handling a mediated access session including authentication
        of the mediatee.
        • That mediators are checked to ensure they do not continue to
        access ContactPoint as a mediator once a mediated session
        has completed.

        Testing
        There should be evidence that policy and processes are
        documented and deployed.
        There should be evidence that the processes are being
        followed.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are
        kept.
Org12   Policy and Process for Token Management: does the
        organisation have instructions on how to work with the
        LA on the issue, return, loss or damage of tokens?
        Dependencies: Org02, Org05


        Conditions
        The Policy should cover:
        • Who will be issued with a token.
        • When they are allowed to use the token. When they should
        return the token.
        • When tokens can be replaced.
        • The duty to report a lost or compromised token.
        • Local record keeping about tokens.
        The Process should cover:

        • How tokens are issued and returned. How tokens are replaced.
        • How to report a lost or compromised token.

        Testing
        There should be evidence that policy and processes are
        documented and deployed.

        There should be evidence that the processes are being followed.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are
        kept.
Org13   Policy for Maintaining Personal Data: does the
        organisation have policies that users must keep
        personal data held about them in ContactPoint up to
        date?
        Dependencies: Org04, Org05


        Conditions
        The Policy should cover:
        • Personal details held in the IdP should be kept up to date by
        individuals.

        • Personal data can identify the user within the organisation.
        • Sets out any local rules on the format or content of data
        provided.

        • Specific attention is placed on the duty of the user manager
        to enter and ensure the accuracy of eCRB and training dates.
        • Any RAO data should be kept up to date.
        • Password reminders are kept up to date.

        Testing
        There should be evidence that the policy is documented and
        deployed.
        There should be evidence that the policy is complied with.

        The ContactPoint Team should be able to:
        See evidence that local copies of the policy are kept.
Org14   Policy for Resetting Lost Passwords: does the organisation
        provide guidance on how to reset any lost passwords?
        Dependencies:


        Conditions
        The Policy should cover:
        • User managers have the right to reset passwords. The policy
        statement must provide information on who to contact in the case of
        a lost password and reinforce the importance of using ContactPoint
        under a user’s own account.

        Testing
        There should be evidence that the policy is documented and
        deployed.
        There should be evidence that the policy is complied with.

        The ContactPoint Team should be able to:
        See evidence that local copies of the policy are kept.
Org15   Policy and Process for Reporting and Handling Security
        Breaches: does the organisation have policies on the
        reporting of security breaches and processes for
        following these up?
        Dependencies:


        Conditions
        The Policy should cover:
        • That staff have a duty to report security breaches to a
        nominated person in accordance with the process.

        • The type of incidents that may be considered a security breach.
        The Process should cover:

        • Communicating the importance of reporting security breaches,
        to whom, and examples of what may be considered a breach.
        • That all incidents are logged, together with notes on follow-up
        action.
        • How to classify incidents.
        • What action is required:
          o Under what circumstances will re-training or training be
        required?
          o Under what circumstances will staff in general require further
        guidance?

         o Under what circumstances will disciplinary action be needed?
         o Under what circumstances will guidance or processes need to
        be modified?

        Testing
        There should be evidence that policy is documented and
        deployed.
        There should be evidence that the policy is complied with.
        Guidance on follow up action that should be taken is appropriate
        given explained circumstances.
        There should be evidence that processes are documented and
        complied with.
        If incidents have been reported, any follow up action has been
        documented and is appropriate.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are
        kept.
Org16   Policy for Accurate and Complete Data Recording: does the
        organisation have policies on the accuracy and completeness
        of capture and entry of data in their systems?
        Dependencies:


        Conditions
        The Policy should cover:
        • The duty of practitioners to capture and enter data as accurately and
        completely as possible.
        • The duty of practitioners to locate the child record on ContactPoint
        where possible when first contact is made with the child, so as to
        facilitate high levels of data matching.
        • The duty to check that details continue to be correct each time they
        meet with a parent or child.
        • What will be done administratively to monitor or measure data
        quality.
        • What will be done to maintain accuracy and completeness of records
        kept for a period of time after the child completes their involvement
        with the organisation.

        Testing
        There should be evidence that the policy is documented and
        deployed.
        There should be evidence that the policy is complied with.
        There should be evidence that data quality can be measured or
        checked, and that it is monitored on a regular basis.

        The ContactPoint Team should be able to:
        See evidence that local copies of the policy are kept.
Org17   Policy and Process for DSAR: does the organisation have a
        policy on the handling of data subject access requests and a
        procedure to handle them?
        Dependencies:


        Conditions
        The Policy should cover:
        • A policy on the right of individuals to request a DSAR and the scope
        the local organisation has to make changes to that data.

        • Time limits for response, including verification of the identity of the
        person requesting information and their rights to see such data.
        The Process should cover:
        • The data held within local systems.
        • How to apply for a DSAR.
        • Vetting procedures to verify the applicant has the right to see the
        data and is who they say they are.
        • The disclosure of data.
        • Identification of any data in error and correction of such data if within
        the scope of that organisation’s data set.
        • Referring the applicant on to the appropriate organisation to progress
        their request to have data cleaned.
        • Raising a request to the Data Manager to use the Trump Card
        function to correct data within the ContactPoint system.

        Testing

        • There should be evidence that policy is documented and deployed.
        • There should be evidence that the policy is complied with.
        • There should be evidence that the process is documented, deployed
        and followed.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are kept.
Org18   Policy and process for investigating the use of emergency
        shielding override.
        Dependencies:


        Conditions
        The Policy should cover:
        • Explain under what conditions ESO may be used, and by whom.
        • State that an investigation will be held each time it is used.
        • State that misuse is a disciplinary offence.
        The Process should cover:
        • Explain how the organisation establishes when ESO has been
        used.
        • Explain how the investigation will take place.
        • Explain how the results will be reported, to whom, and how follow-
        up action will be performed and verified.
        • Explain how the organisation regularly reviews access rights to
        ESO to ensure they are still valid and properly allocated.

        Testing
        There should be evidence that policy and processes are
        documented and deployed.

        There should be evidence that the processes are being followed.

        The ContactPoint Team should be able to:

        See evidence that local copies of policies and processes are kept.
Org19   Policy and Process for Usage Report Monitoring: does the
        organisation have a policy and process in place that ensures
        line management monitor their staff’s usage of ContactPoint?
        Dependencies: Org06


        Conditions
        The Policy should cover:

        • The frequency at which management should draw down usage reports.
        • Accountability and responsibility for reviewing reports and taking action
        if suspicious use is detected.
        • That practitioners are informed that their usage is audited, reviewed,
        and that suspicious usage will be followed up.
        The Process should cover:

        • Ensures usage reports are drawn from ContactPoint and that managers
        and the local user manager review these reports on a regular basis.
        • Ensures follow up action is taken if suspicious use is detected.

        • Ensures thresholds on reports are reviewed on a regular basis to make
        sure they are appropriate to the organisation and patterns of usage (as if
        they are too narrowly set they may never return any results).

        Testing
        There should be evidence that policy and processes are documented and
        deployed.
        There should be evidence that the processes are being followed.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are kept.
Org20   Workstation Requirements: are workstations correctly set up
        to use ContactPoint?
        Dependencies:


        Conditions
        • Specific guidance as to workstation configuration will be made
        available that interprets security requirements for a variety of different
        end-user conditions.
         • The organisation is asked to comply with these guidelines and to
        take steps to ensure compliance – this will require policy and
        processes to be in place.

        Testing
        Policies must be in place to explain how workstations should be set up
        and operated.
         Processes must be in place to verify that policy is complied with.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are kept.
Org21   Network Infrastructure: ensures the organisation’s networks
        are configured securely.
        Dependencies:


        Conditions
        • Specific guidance as to network infrastructure configuration will be
        made available that interprets security requirements for a variety of
        different organisational IT provision conditions.
        • The organisation is asked to comply with these guidelines and to take
        steps to ensure compliance – this will require policy and processes to
        be in place.

        Testing
        Policies must be in place to explain how the network should be set up
        and configured.
        Processes must be in place to verify that policy is complied with.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are kept.
Org22   Policy, processes, training and resources provided for first-line
        support for ContactPoint users.
        Dependencies:


        Conditions
        • A policy should exist that states what first-line support arrangements
        the organisation will provide.
        • A first-line support facility should exist that may be configured as a
        ‘help desk’. This should be adequately staffed, and training arranged
        for those working in support.
        • Processes should be in place to guide the support facility in
        responding to a range of service requests.
        • The support facility should be advertised to all ContactPoint users so
        they are aware of who to contact in case of difficulty.
         • Processes should also be in place to support tracking and
        monitoring service requests through to resolution, including processes
        for closing calls.

        Testing
        The existence of policy and process for the support function.
        The existence of a support function, e.g. staff assigned to the role,
        awareness of how to use across ContactPoint users, and that support
        is being provided (support logs or equivalent).
        Training records for support staff.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are kept.
Org23   Policy for reporting child death.
        Dependencies:


        Conditions
        • A policy should exist that states under what conditions a date of
        death may be entered into a system, the verification that is needed,
        and the verification levels that should be recorded against that
        record.
         • From time to time, management should review the use of this
        information to ensure it is being recorded properly.

        Testing
        The existence of a policy for recording date of death.

        The ContactPoint Team should be able to:

        See evidence that local copies of policies and processes are kept.
Org24   Policy and process for fixing a child’s accountable
        body.
        Dependencies:


        Conditions
        A policy should exist that:
         • States under what conditions a child may be considered as
        being placed out of area yet remain the responsibility of the
        current local authority.

        • States under what conditions a child previously placed out of
        area may have the fixed accountable body status removed.
        • States what must be recorded to ensure the child’s
        accountable body remains fixed.
        • States what must be recorded to release the fixed accountable
        body status.

        Testing
        The existence of policy.
        Some evidence of the policy being applied.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes are
        kept.
Org25   Management commitment for data supply – OADS.
        Dependencies:


        Conditions

        • An OADS should be signed when agreeing to supply data.

        Testing
        The existence of a signed OADS.

        General compliance with agreed performance – such as
        coverage, frequency, data quality, etc. as set out in the OADS.

        The ContactPoint Team should be able to:
        See evidence of a signed OADS.
Org26   Management commitment to comply – for query
        access.
        Dependencies:


        Conditions

        • A management letter must be agreed with the
        ContactPoint Team setting out the registration profile
        and the conditions that apply, and confirming that the
        organisation will be compliant with these conditions.

        Testing
        The existence of a signed management letter
        committing the organisation to comply with accreditation
        conditions.
        Signature should be at a senior enough level to commit
        the organisation.

        The ContactPoint Team should be able to:
        See evidence of a signed OADS.
Org27   Policy and process for handling disputed data.
        Dependencies: Org17


        Conditions
        A policy should exist that:
        • Explains under what circumstances data should be
        recorded as in dispute;
        A process should exist that:
        • Explains how to handle a DSAR that results in a
        dispute;
        • How to record a data item as under dispute.

        Testing

        The existence of a policy and process for disputed data.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes
        are kept.
Org28   System upgrade processes.
        Dependencies: Org25


        Conditions
        • An agreement with the sponsoring ContactPoint Team
        as to what will be considered an upgrade of the system
        for accreditation purposes.
        • A process for making upgrades, to include:
          o The use of configuration management, change control
        procedures and release management.
          o Notifying the ContactPoint Team that an upgrade is
        planned and has been made and whether or not it is a
        material upgrade.
          o How the organisation intends to make upgrades and
        transfer of service to each new version of the system – is
        there an intention to run two versions in parallel, how can
        the organisation roll back to the old version in case of
        problems, how is data transferred across, will there be
        any impact on the RAO structure?

        Testing

        An agreement on how to treat new upgrades of software.

         A process for upgrading to new versions that maintains
        the integrity of the installed system, user base and data.

        The ContactPoint Team should be able to:
        See evidence that local copies of policies and processes
        are kept.

				
posted:2/26/2012