Control measure: The induction training is sufficiently comprehensive, effective, kept up-to-date and delivered within an appropriate timeframe.
Risk: Having insufficient or out-of-date induction training, or allowing staff to begin working with personal information before undergoing induction training, greatly increases the risk of a personal data breach. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Include key areas of data protection in the induction programme, such as handling requests, data sharing, information security, personal data breaches and records management.
- Assign responsibility for overseeing and approving induction training to the Data Protection Officer (DPO), information governance manager or equivalent.
- Require all grades, including senior managers, to complete induction training.
- Deliver induction training to all staff including voluntary, temporary and contract staff.
- Ensure staff have completed the induction training before being permitted to process personal information.
- Provide alternative induction training for staff who do not work at a computer, if the induction training is primarily computer-based.
- Periodically review induction training material to ensure it remains up-to-date.
- Assess staff understanding of the training using a knowledge check with a minimum pass mark. Support staff who need further training if they consistently do not achieve the minimum pass mark.
Options to consider:
- Develop a standard induction training schedule which includes mandatory training at the start of employment.
- Assign responsibility to heads of departments or managers for confirming staff have completed induction training prior to permitting them access to personal information.
- Ensure all staff, including senior staff, are required to keep a record of completed training.
- Sign up for the ICO newsletter to receive data protection-related updates and news.
- Become familiar with the ICO training material as a source of information and guidance.
- Use the ICO website to validate training material.
- Request staff feedback.
- Use organisational reports to feed back into training so you can address any areas of concern through induction training. For example, use information governance, data protection and information security reports, as well as quality assurance feedback.