SMBC Web Form

Any questions marked with an asterisk (*) are mandatory. If a mandatory question is not relevant to your business please answer 'Not applicable'.

Your business details

* Company or organisation name

* Number of staff employed

* Number of sub-contractors employed

* Your registered or head office address

Who is your contact at Solihull Council for this contract

Contact name

Contact telephone number

Contact email address

Your details

* Name

* Job title

* Telephone number

* Email address

Data protection overview

* Q1: Please provide a detailed description of the work you are carrying out on behalf of Solihull Council or for which you are tendering

Q2: Please provide your Data Protection Notification Number. If you are exempt from having to register with the Information Commissioner please explain the reasons why

* Q3: Will the information you process on behalf of Solihull Council be held at the business address you have provided

Q4: If you selected NO please provide details of all the addresses where the information will be processed or stored

Q5: If you use Cloud storage which provider do you use and where are they located

Q5A: What industry standard(s) has the Cloud storage provider got

Q6: Please indicate the types of personal/sensitive information you expect to be processing on behalf of Solihull Council

Name

Address or post code

Telephone number

Date of Birth or Age

Gender

Employment status

Dependent Details

Income

Racial or Ethnic origin

Political opinions

Religious or philosophical beliefs

Whether a member of a trade union

Health data

Sexual life or sexual orientation

Criminal convictions and offences

Genetic or biometric data

Other

Q6A: If you selected OTHER please provide further information

* Q7: If you collect personal information on behalf of Solihull Council, do you explain to the individuals the reasons you are gathering the information, the exact purposes for which it will be used and any other parties with whom it may be shared. If you do not provide this please state 'Not applicable'

Q8: Is the personal information you collect on behalf of Solihull Council disclosed to anyone other than Solihull Council

Premises security

IMPORTANT: When completing this section please provide answers that relate to the premises where the information you collect or process on behalf of Solihull Council will be stored or processed. If there are more than one premises, please state this and provide answers for each of the premises.

* Q9: If you have a reception area how is it controlled

* Q10: If there are any other entrances or exits, how are these controlled

* Q11: Is the office area visible to anyone other than staff

Q12: Do staff wear identification. If not please provide details why

* Q13: Are visitors required to wear identification. If not please provide details why

Q14: What measures are taken to ensure access to the premises is restricted to authorised staff and visitors only

* Q15: Are there alarm systems protecting the premises

Q15A: Are these systems linked to the police

Q15B: Are these systems linked to a monitoring service

* Q16: Are there windows on the premises

Q16A: Are the windows lockable

Q16B: Are the windows fitted with blinds

Q16C: Are the windows fitted with grids, bars, etc

Q16D: Are the windows covered with security film

Q16E: Are the windows easily accessible from public areas

* Q17A: Are the premises where the information is kept protected by security patrols

* Q17B: Are the premises where the information is kept protected by 24 hour CCTV surveillance

People and policy

* Q18: Please explain what measures are in place to ensure that all staff are aware of their responsibilities under Data Protection Law

* Q19: What steps are taken to ensure the staff you employ are responsible and reliable

* Q19A: What steps have you taken to ensure your staff have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality

* Q20: What policies, procedures, training or other measures have you taken to adopt the security standard ISO27001/2. If you have not adopted the standard please tell us why

* Q21: Please provide information about the Data Protection and/or Information Security Policies you have in place (e.g. your Bring Your Own Device (BYOD) and Working from Home policies)

21B: How do you monitor compliance with these policies

21C: How can it be demonstrated that a breach of the policies is a disciplinary offence within your organisation

Sub-contractors

Sub-contractors cannot be used without the authorisation of Solihull Council. If permission is being sought to use sub contractors it is important to establish what technical and organisational safeguards they have in place.

* Q22: Will you use Sub-contractors (or other third party) to process any of Solihull Council's information as part of this contract

Q23: How do you ensure that the sub-contractors you use have sufficient technical and organisational safeguards in place to protect the information you give them (i.e. the information provided by Solihull Council)

Q24: Please provide the names and addresses of the companies you will be using as sub-contractors for this contract and what activity or processing they will perform

Other safeguards

These measures should be appropriate to the nature of the information being processed and take into account the harm which would be caused should any unauthorised loss, disclosure or destruction of the information occur

Restricting Access to information

* Q25: What measures are in place to restrict staff from accessing information they may not be entitled to on computers

* Q26: What measures are in place to restrict staff from accessing other types of information e.g. paper records and information held on various media such as DVDs, memory sticks

Business Continuity

* Q27: With regard to information held on computers /servers is it backed up on a daily basis

Q27A: If you selected YES please provide details as to where (this includes Cloud facilities). If you selected NO please explain why not

* Q28: Are backup tapes / discs and other media stored off site

Q28A: If you selected YES where are they held. If you selected NO are there other precautions taken to protect data against fire/flood and other disasters

* Q29: What precautions are taken to protect information that is not backed up on computers (e.g. paper file) against fire/flood and other disasters

Securely Disposing of Information

* Q30: How do you safely and securely dispose of information held on paper

* Q31: How do you safely and securely dispose of obsolete hardware and software from which information could be recovered

Q31A: If you use a Cloud Storage solution, how do you ensure secure and permanent deletion of information that could be recovered from the Cloud

Encryption Technology

* Q32: Are all portable and mobile devices including laptops and other portable media used to store and transmit information encrypted using encryption software which meets the current standard or equivalent

Q32A: If you selected YES does this include Bring Your Own Device (BYOD)

Q32B: Can you please provide further information about your encryption technology. If you do not use encryption technology please explain why not

Secure Transfer of Information

Q33: Depending upon the nature of the contract, the information shared with you may or may not be highly confidential. If Solihull Council were to class the information as confidential it must be delivered to you by secure means and it may also be necessary for it to be sent back by secure means. e.g. by secure connection (HTTPS). Please describe below the facilities / options you are able to provide for the safe receipt and delivery of confidential information

Information Security Self Assessment