Printed from CheckTick DSPT Compliance Documentation
Data Security & Protection Master Index (Board Approved)
Organisation: CheckTick Version: 2025.1 Board Approval Date: 29/12/2025 Review Cycle: Annual Approval Officers: Dr Serena Haywood (SIRO/DPO), Dr Simon Chapman (CTO)
1. Governance & Data Protection
These policies define our legal framework and accountability structure.
- Lawful Basis & Principles: Consent Policy | Opt-Out Statement
- Clinical Confidentiality: Caldicott Guardian Statement
- Impact Assessments: DPIA: Survey Platform
- Transparency: Privacy Policy | Refund Policy
- Data Mapping: Data Flow Mapping | Asset Register
2. Technical Security & Software Integrity
Our technical controls for protecting data against unauthorized access and cyber threats.
- Security Architecture: Security Overview (OWASP)
- Encryption Standards: Encryption Technical Reference
- Identity Management: Authentication & Permissions | OIDC Setup
- Vulnerability Control: Vulnerability Management Policy | Pentest Response AD24502-RPT-01
- Certifications: Cyber Essentials Plus Certificate (PDF)
- Development Standards: Documentation for Developers
3. Clinical Safety
Clinical risk management in accordance with NHS England DCB0129.
- Clinical Safety Case: Clinical Safety Case Report (DCB0129)
4. Operational Resilience & Continuity
Procedures to ensure data availability and recovery in the event of an incident.
- Disaster Recovery Plan: Business Continuity & DR
- Breach Management: Incident Response Plan
- Verification Logs: Annual DR Test Report | Backup Log
5. Individual Rights & Staff Responsibilities
How we interact with data subjects and ensure staff competency.
- Rights Procedures: Individual Rights Procedure
- Rights Tracking: Data Rights Request Tracker
- Staff Competency: Training & Awareness Log
- Board Oversight: Board Review Minutes
Note for Auditors: All items in the compliance folder are internal-facing governance documents. All links to https://checktick.uk/docs/ refer to our publicly accessible documentation portal provided for transparency to users and self-hosters regarding our security architecture and data handling practices.