Control measure: Processes to locate requested information in a timely manner are in place.
Risk: If information can’t be located quickly when requested, requests may be delayed or statutory timeframes may not be met. This may breach UK GDPR articles 5(1)(f), 12, 15 and 32.
Ways to meet our expectations:
- Implement a process to quickly locate relevant current paper records (that are part of a filing system).
- Implement a process to quickly locate and retrieve paper records from archives or external storage.
- Implement a process to quickly locate relevant current electronic records.
- Implement a process to quickly locate and retrieve electronic records from archives, back-ups, or email storage.
- Assign points of contact in satellite departments or buildings who can quickly retrieve paper or electronic records stored locally.
Options to consider:
- Implement a secure self-service online portal so people can download a copy of their information quickly for themselves, rather than making a request.
- Use reliable indexes, file content pages, and descriptions of documents to help locate paper records quickly.
- Use appropriate search functionality and metadata to help locate electronic records quickly.
- Have service level agreements covering requests with third party storage providers, satellite departments, or internal teams involved in requests, such as IT or information governance teams.
- Have a named staff member or point of contact for each database or type of storage.