To be completed where suppliers will process personal data on behalf of
Sandwell and West Birmingham Hospitals NHS Trust
GDPR Article 28(1) places an obligation on the Controller (SWBH) to use only processors
who provide sufficient guarantees that they will handle personal information securely and
in accordance with the individuals’ rights.
Contracting managers shall ensure that suppliers who will be processing personal data in
order to provide goods and services to the Trust provide sufficient assurance that they will
comply with GDPR requirements and protect the rights of individuals.
Data to be processed (the particulars that GDPR Article 28(3) requires the processing contract to set out)
Subject Matter of the Processing: [This should be a high level, short description of what the processing is about]
Expected Duration of Processing: [Clearly set out the duration of the processing]
Nature of the processing: [This means any action which will be undertaken with the personal data] (Tick each that applies)
    Collection
    Recording
    Structuring
    Storage
    Adaptation
    Alteration
    Retrieval
    Consultation
    Use
    Disclosure by Transmission, Dissemination, or Otherwise Making Available
    Alignment or Combination
    Restriction
    Erasure or Destruction (including by manual and automated means)
Purposes of the processing: [Please be as specific as possible, but make sure that you cover all intended purposes. The purpose might include: employment processing, statutory
Type of Personal Data: [Examples here include: name, address, date of birth, NI number, telephone number, pay, images, biometric data etc]
Categories of Data Subject: [Examples include: Staff (including volunteers, agents, and temporary workers), Co-ordinating Commissioners / clients, suppliers, patients, students / pupils, members of the public, users of a particular website etc]
Data Protection Registration Number:
Data Protection Officer Name:
Data Protection Officer Contact Details:
Registered Caldicott Guardian Name:
Caldicott Guardian E-mail Address and Telephone Number:
Registered Senior Information Risk Owner (SIRO) Name:
Senior Information Risk Owner E-mail Address and Telephone Number:
Information Governance Lead Name:
Information Governance Lead E-mail Address and Telephone Number:
Mandatory Data Security and Protection Toolkit Evidence Items Met?  Yes (Tick if Applicable)  No (Tick if Applicable)
Where will the data be processed?
Please provide details of the pre-employment screening checks undertaken on individuals prior to employment.
Please provide details of the ongoing screening checks undertaken on staff throughout their period of employment and the frequency of those checks.
Please confirm which of the following staff groups are required to complete data security and protection training, and how often:
    Staff Group: Permanent    Required? (Tick if Applicable)    Frequency of Training:
How does the organisation ensure that data security and protection training is completed by
How does the organisation ensure that the training has been understood correctly?
Please provide a copy of:
    Policy covering data protection compliance (Tick to confirm provided)
    Policy covering compliance with the Common Law Duty of Confidence (Tick to confirm provided)
    Subject Access Request Procedure (Tick to confirm provided)
    Policy covering Information Security (Tick to confirm provided)
Will you be using third party processors in order to provide the service?
Please provide the name(s) of the third party processors and the nature of the services provided:
    Third Party Processor Name    Services Provided
Please provide a copy of the contract clauses under which each of the third party processors is
Please confirm what due diligence has been conducted on each processor in the supply chain to ensure that they comply with the requirements of the General Data Protection Regulation and the Data Protection Act 2018.
How does the organisation ensure that all third party processors in the supply chain comply with their legal and contractual obligations in respect of the handling of personal, special category and confidential personal data?
Does the organisation use any sub-processors who are located outside of the UK? This will
include IT support provided by suppliers outside of the EEA.
If yes, please provide: Purpose for Transfer:
How does the organisation ensure that the Data Protection Principles are adhered to?
How does the organisation ensure that data protection and data security risks are identified and
How does the organisation ensure that data subjects' rights are complied with? Please provide a copy of procedures wherever possible.
How does the organisation meet the obligation to build data protection into processing activities by design and by default?
What physical, logical and administrative controls has the organisation implemented to ensure the ongoing confidentiality, integrity and availability of personal, special category and confidential personal data, and the resilience of the systems and services processing the data?
How does the organisation ensure that the physical, logical and administrative controls identified above are effective?
How many personal, special category or personal confidential data incidents has the organisation experienced during the past 12 months? Please state the nature of each incident.
How many complaints about the organisation has the Information Commissioner's Office upheld in the past 12 months? Please state the nature of the complaints.
How many concerns and/or complaints has the organisation received from data subjects in the past 12 months? Please state the nature of the complaints.
Please provide:
    Redacted copies of any Information Commissioner's Office enforcement notices and respective
    Anonymised details of any compensation paid or claimed by a data subject, or any circumstances likely to give rise to a claim for unlawful processing.
    Details of any failure (or alleged failure) to comply with the requirements of the General Data Protection Regulation, the Data Protection Act 2018, or its predecessor the Data Protection Act 1998.
I confirm that the information I have provided above is complete and correct to the best of my knowledge.
Name of Person Completing Questionnaire:
Job Title of Person Completing Questionnaire:
Contact Details of Person Completing Questionnaire:
Date of Completion: