Audit process

The Audit Process will seek robust evidence that the key outcomes have been met. 

As a minimum, TEC Quality certified organisations must: 

• Demonstrate an understanding and application of processes supporting the three most crucial components of information security: Confidentiality, Integrity and Availability (CIA).
  
• Demonstrate awareness of and compliance with relevant legislation, regulatory guidance and best practice in relation to information governance.
  
• Have a UK GDPR policy, which also includes data retention.
  
• Have standardised systems for the inputting, checking and maintenance of accurate and up-to-date customer/user information, which shall be checked at least annually.
  
• Have procedures and mechanisms in place that ensure customers, service users and carers know how their personal information will be used and which enable customers, service users and carers to access this information.
  
• Have data sharing agreements with key partners in place to ensure that people can receive proportional support without duplication.
  
• Provide evidence that data protection breaches are reported via defined processes and that opportunities for learning are identified and shared to minimise the risk of them reoccurring.
  
• Provide evidence that Data Privacy Impact Assessments* (DPIA's) are considered and when undertaken are in line with the ICO’s ‘privacy by design’ approach.
  
• Have written procedures to manage the organisational and staff use of social media.
  
• Provide evidence that all staff understand their roles and responsibilities in relation to information governance.
  
• Have written procedures in place to ensure system access and data security are maintained e.g. password access protections, anti-virus and anti-malware software, secure sending of emails, secure encryption of electronic removable media and portable computing devices and transport/storage of paper records.
  
• Provide evidence that the physical security of IT assets and information is maintained to recognised industry standards and follows vendors recommended processes.
• Provide evidence that secure storage of and access to paper records is in place.
• Be able to demonstrate robust Cyber Security for their organisation. Compliance with Cyber Essentials (self-certificated) or DSPT as a minimum. 
  

*DPIA is a process which helps assess privacy risks to individuals in the collection, use and disclosure of personal information.