The ICO exists to empower you through information.

Control measure: There is an all-staff data protection and information governance training programme.

Risk: Without an overarching training programme that is fully supported and overseen by senior management, there is a risk that staff are not trained in data protection and how it applies in the context of their role. There is also a risk that they will have access to personal information without fully understanding their responsibilities in its protection and security. This may breach articles 5(1) and 5(2) of the UK GDPR.

Ways to meet our expectations:

  • Incorporate national and sector-specific requirements in the training programme.
  • Ensure the programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.
  • Consider the training needs of all staff and use this information to compile the training programme.
  • Assign responsibilities for managing information governance and data protection training across your organisation and have training plans or strategies in place to meet training needs within agreed timescales.
  • Have dedicated and trained resources available to deliver training to all staff.
  • Regularly review the programme to ensure that it remains accurate and up to date.
  • Require senior management to sign off the programme.

Options to consider:

  • Get input and direction on the training programme content from the DPO or information governance team members, as appropriate.
  • Request staff feedback on the training content.
  • Include relevant DPA 2018 Part 3 and Part 4 (law enforcement processing) content in the training programme, alongside Part 2 (general processing) content.

Have you considered the effectiveness of your accountability measures?

  • Are you meeting staff training needs effectively?
  • Have your trainers received appropriate training?
  • Are their responsibilities clear, and could they explain how those responsibilities are implemented in practice?


Control measure: The training programme includes induction and refresher training for all staff on data protection and information governance.

Risk: Having insufficient or out-of-date induction training, or allowing staff to begin working with personal information before undergoing induction training, greatly increases the risk of a personal data breach. Staff knowledge diminishes in value and effectiveness if staff do not undergo up-to-date refresher training. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Ensure appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
  • Deliver induction and refresher training to all staff, regardless of how long they will be working for your organisation, their contractual status or grade.
  • Deliver induction training to all staff prior to accessing personal information and within one month of their start date.
  • Ensure staff complete refresher training at appropriate intervals.

Options to consider:

  • Develop a standard induction training schedule which includes mandatory training at the start of employment. 
  • Assign responsibility to heads of departments or managers for confirming staff have completed induction training prior to permitting them access to personal information.
  • Ensure all staff, including senior staff, are required to keep a record of completed training.
  • Sign up for the ICO newsletter to receive data protection related updates and news.
  • Become familiar with the ICO training material as a source of information and guidance.
  • Use the ICO website to validate training material.
  • Request staff feedback.
  • Use organisational reports (for example, information governance, data protection and information security reports, as well as quality assurance feedback) to feed back into training so you can address any areas of concern through induction training.
  • Implement a system which notifies staff and managers about upcoming refresher training.
  • Periodically refresh training material to keep staff engaged.
  • Periodically review and change assessment questions.
  • Set a specified timeframe for staff to complete refresher training.
  • Remove access to personal information if staff do not complete refresher training within the specified timeframe.
  • Monitor staff completion rates.
  • Assign responsibility to heads of departments or managers to confirm staff have completed refresher training within a specified time frame.

Have you considered the effectiveness of your accountability measures?

  • Could we observe your training delivery methods?
  • Are they effective?
  • Do you follow up on ‘no-shows’?
  • Could staff explain their training records?


Control measure: Specialised roles or functions with key data protection responsibilities (such as DPOs, subject access and records management teams) receive additional training and professional development beyond the basic level provided to all staff.

Risk: If staff in specialist roles do not receive additional specialised training, there is a heightened risk of a personal data breach or non-compliance with data protection law. 

Ways to meet our expectations:

  • Complete a training needs analysis for information governance and data protection staff to inform the training plan and to ensure it is specific to their responsibilities.
  • Detail training and skills requirements in job descriptions.
  • Have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and are subject to proportionate refresher training.
  • Keep on record copies of the training material provided as well as details of who received the training.

Options to consider:

  • Seek specialist external training for staff.
  • Ask the DPO, information governance manager or equivalent, to help develop any in-house training and periodically review the content.

Have you considered the effectiveness of your accountability measures?

  • Do staff consider that you identify their training needs specifically?
  • Are there appropriate plans to meet those needs?
  • Are the training materials effective?


Control measure: There is evidence to demonstrate that staff complete and understand the training, and this is monitored appropriately through assessments or surveys.

Risk: If staff do not complete training, and there is a lack of evidence that training is completed in line with organisational requirements, there is a risk that they are not sufficiently trained to ensure compliance. This may breach articles 5(1)(f), 5(2) or 32 of the UK GDPR. 

Ways to meet our expectations:

  • Conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.
  • Keep copies of the training material provided on record as well as details of who receives the training.
  • Monitor training completion in line with organisational requirements at all levels of the organisation, and follow up with staff who do not complete the training.
  • Enable staff to provide feedback on the training they receive.

Options to consider:

  • Create reporting mechanisms to assign accountability.
  • Set KPIs or targets for training completion rates.
  • Review the effectiveness of the reporting mechanism in communicating and highlighting issues and areas of concern.
  • Share best practice on how to improve or maintain training completion rates.
  • Make anonymous feedback methods available for staff to communicate their thoughts about the training.
  • Request feedback or share a satisfaction survey with staff after they complete the training.
  • Build in information governance and data protection development objectives as part of personal development reviews or the annual appraisal process and support staff in achieving those objectives. 
  • Monitor individual information governance and data protection related training objectives as part of the annual staff appraisal process.

Have you considered the effectiveness of your accountability measures?

  • Do staff react positively to the training?
  • Is there an easy way to provide feedback?
  • Does that process result in changes?
  • Are senior managers aware of training monitoring outcomes?


Control measure: Awareness is raised across the organisation of data protection, information governance and associated policies and procedures in meetings or staff forums. It is easy for staff to access relevant material.

Risk: If only limited types of communication are used, staff may not be made aware of important messages effectively, and some key messaging may not reach them in a timely manner. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Use a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts and blogs.
  • Make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.

Options to consider:

  • Display awareness raising posters around the premises.
  • Use screensavers to help raise staff awareness. 

Have you considered the effectiveness of your accountability measures?

  • Could we observe awareness-raising materials around your office?
  • Would staff know who to contact?
  • Do you make it easy for them to find and access relevant information?