Control measure: Access controls are in place to prevent unauthorised access to physical records.
Risk: If physical access is not controlled, personal information may be accessed by people who should not have access. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Keep physical records in locked rooms, cabinets, cupboards, or drawers.
- Have an access log to show who has accessed physical records.
- Ensure staff are aware that they should not leave records unattended without locking them away.
Options to consider:
- Run regular staff awareness exercises.
- Check locks and access log completion on site walks.
- Check for unattended records on desks on site walks.
Control measure: The security of physical records storage areas and buildings is periodically audited.
Risk: If physical records storage areas are not secured, personal information may be accessed by people who should not have access. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Review the security and integrity of buildings and records storage areas regularly as part of internal and external audit programmes.
- Review the security and integrity of third-party records storage areas and premises periodically.
- Document in contracts the right to audit third-party records storage providers.
Options to consider:
- Check the security and integrity of records storage areas and buildings on site walks.
- Schedule regular visits to third-party records storage providers as part of relationship management processes.
Control measure: Access controls are in place to prevent unauthorised access to electronic records.
Risk: If access is not controlled, personal information may be accessed by people who should not have access. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Document access control processes in a policy.
- Get input from the Records Manager into access control processes.
- Assign access rights based on documented job role profiles.
- Have a process to quickly grant, amend, and remove access rights to new starters, movers, and leavers.
- Ensure access control measures that are detailed in policies include appropriate technical solutions (eg password rules, anti-malware and virus protection, firewall controls and vulnerability testing).
- Monitor systems and records access regularly to identify inappropriate or unauthorised access.
Options to consider:
- Use a ticketing system to action access requests and log changes.
- Include an action to remove access in the leavers’ checklist.
- Assign end-dates to access permissions, particularly for temporary roles or where access isn’t needed permanently.
Control measure: User access permissions for electronic records are logged and periodically reviewed.
Risk: If access permissions are not logged and reviewed periodically, staff may retain access permissions to personal information that they should not have access to. This may breach UK GDPR articles 5(1)(f), 5(2), and 32.
Ways to meet our expectations:
- Log all access rights granted.
- Review all access rights periodically.
- Have a process to remove access or deactivate user accounts after a period of inactivity.
Options to consider:
- Review access rights and role profiles as a standing agenda item at a relevant meeting.
- Record minutes of meetings where access rights and role profiles are reviewed.
- Assign end-dates to access permissions, with automatic deactivation, particularly for temporary roles or where access isn’t needed permanently.
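As an added example (not part of the ICO's text), the periodic review described in the two control measures above can be partly automated: each logged grant is checked against the documented role profile, its end-date, and an inactivity threshold, so that leavers, movers, expired temporary access and dormant accounts are surfaced for removal. The role profiles, the AccessGrant record and the sample grants are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical documented job role profiles: the permissions each role may hold.
# A leaver's profile is empty, so any access they retain is flagged.
ROLE_PROFILES = {
    "records_clerk": {"hr_records:read"},
    "hr_manager": {"hr_records:read", "hr_records:write"},
    "leaver": set(),
}

@dataclass
class AccessGrant:
    """One entry in the log of access rights granted (constructed format)."""
    user: str
    role: str
    permission: str
    granted: date
    end_date: Optional[date]      # None means no end-date was assigned
    last_active: Optional[date]   # None means the account has never been used

def review_access(grants, today, inactivity_days=90):
    """Return [(user, permission, [reasons])] for every grant that needs action."""
    findings = []
    for g in grants:
        reasons = []
        if g.permission not in ROLE_PROFILES.get(g.role, set()):
            reasons.append(f"permission not in role profile '{g.role}'")
        if g.end_date is not None and g.end_date < today:
            reasons.append(f"end-date {g.end_date} has passed")
        # Never-used accounts are measured from the grant date instead.
        last = g.last_active or g.granted
        if today - last > timedelta(days=inactivity_days):
            reasons.append(f"inactive for more than {inactivity_days} days")
        if reasons:
            findings.append((g.user, g.permission, reasons))
    return findings

# Constructed sample log: one compliant grant and four that should be flagged.
SAMPLE_GRANTS = [
    AccessGrant("alice", "hr_manager", "hr_records:write", date(2024, 1, 10), None, date(2024, 5, 28)),
    AccessGrant("bob", "records_clerk", "hr_records:write", date(2023, 9, 1), None, date(2024, 5, 30)),  # mover
    AccessGrant("carol", "leaver", "hr_records:read", date(2022, 3, 7), None, date(2024, 4, 20)),        # leaver
    AccessGrant("dave", "records_clerk", "hr_records:read", date(2024, 1, 2), date(2024, 3, 31), date(2024, 5, 30)),
    AccessGrant("erin", "records_clerk", "hr_records:read", date(2023, 6, 1), None, date(2024, 1, 15)),  # dormant
]

if __name__ == "__main__":
    for user, permission, reasons in review_access(SAMPLE_GRANTS, date(2024, 6, 3)):
        print(f"{user} {permission}: {'; '.join(reasons)}")
```

The output of such a run is the evidence to minute at the review meeting; the findings still need a human decision before access is removed.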