Information Security Self Assessment
Any questions marked with an asterisk (*) are mandatory. If a mandatory question is not relevant to your business please answer 'Not applicable'.
Your business details
Mandatory - Company or organisation name
Mandatory - Number of staff employed
Mandatory - Number of sub-contractors employed
Mandatory - Your registered or head office address
Who is your contact at Solihull Council for this contract
Your details
Mandatory - Name
Mandatory - Job title
Mandatory - Telephone number
Mandatory - Email address
Data protection overview
Mandatory - Q1: Please provide a detailed description of the work you are carrying out on behalf of Solihull Council or for which you are tendering
Mandatory - Q3: Will the information you process on behalf of Solihull Council be held at the business address you have provided
Q6: Please indicate the types of personal/sensitive information you expect to be processing on behalf of Solihull Council
Mandatory - Q7: If you collect personal information on behalf of Solihull Council, do you explain to the individuals the reasons you are gathering the information, the exact purposes for which it will be used and any other parties with whom it may be shared? If you do not provide this, please state 'Not applicable'
Premises security
IMPORTANT: When completing this section please provide answers that relate to the premises where the information you collect or process on behalf of Solihull Council will be stored or processed. If there are multiple premises, please state this and provide answers for each of them.
Mandatory - Q9: If you have a reception area how is it controlled
Mandatory - Q10: If there are any other entrances or exits, how are these controlled
Mandatory - Q11: Is the office area visible to anyone other than staff
Mandatory - Q13: Are visitors required to wear identification? If not, please provide details why
Mandatory - Q15: Are there alarm systems protecting the premises
Mandatory - Q16: Are there windows on the premises
Mandatory - Q17A: Are the premises where the information is kept protected by security patrols
Mandatory - Q17B: Are the premises where the information is kept protected by 24 hour CCTV surveillance
People and policy
Mandatory - Q18: Please explain what measures are in place to ensure that all staff are aware of their responsibilities under Data Protection Law
Mandatory - Q19: What steps are taken to ensure the staff you employ are responsible and reliable
Mandatory - Q19A: What steps have you taken to ensure your staff have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality
Mandatory - Q20: What policies, procedures, training or other measures have you taken to adopt the security standard ISO 27001/2? If you have not adopted the standard, please tell us why
Mandatory - Q21: Please provide information about the Data Protection and/or Information Security Policies you have in place (e.g. your Bring Your Own Device (BYOD) and Working from Home policies)
Sub-contractors
Sub-contractors cannot be used without the authorisation of Solihull Council. If permission is being sought to use sub-contractors, it is important to establish what technical and organisational safeguards they have in place.
Mandatory - Q22: Will you use Sub-contractors (or other third party) to process any of Solihull Council's information as part of this contract
Other safeguards
These measures should be appropriate to the nature of the information being processed and take into account the harm which would be caused should any unauthorised loss, disclosure or destruction of the information occur.
Restricting Access to information
Mandatory - Q25: What measures are in place to restrict staff from accessing information they may not be entitled to on computers
Mandatory - Q26: What measures are in place to restrict staff from accessing other types of information e.g. paper records and information held on various media such as DVDs, memory sticks
Business Continuity
Mandatory - Q27: With regard to information held on computers/servers, is it backed up on a daily basis
Mandatory - Q28: Are backup tapes / discs and other media stored off site
Mandatory - Q29: What precautions are taken to protect information that is not backed up on computers (e.g. paper file) against fire/flood and other disasters
Securely Disposing of Information
Mandatory - Q30: How do you safely and securely dispose of information held on paper
Mandatory - Q31: How do you safely and securely dispose of obsolete hardware and software from which information could be recovered
Encryption Technology
Mandatory - Q32: Are all portable and mobile devices including laptops and other portable media used to store and transmit information encrypted using encryption software which meets the current standard or equivalent
Secure Transfer of Information
Data Protection
Your information may be shared with other council services and partner organisations to ensure our records are kept accurate and to help us to identify services or benefits you may be entitled to or interested in.
We may also need to share your information for the prevention and detection of fraud and/or other crimes or as the law requires.
For further information about how we use your information please refer to the Council’s Privacy Statement on www.solihull.gov.uk.