Control measure: Training completion is monitored in line with organisational requirements.
Risk: Where staff do not complete training, and where there is a lack of evidence that training is completed in line with organisational requirements, there is a risk that staff are not sufficiently trained to ensure compliance. This may breach UK GDPR articles 5(1)(f), 5(2) or 32.
Ways to meet our expectations:
- Set KPIs or targets for training completion rates.
- Produce periodic reports to monitor all data protection training completion.
- Discuss training completion reports at information governance steering groups or forums.
- Share training completion reports with senior management.
- Ask heads of department, or equivalent, to regularly review training completion rates for their own department.
- Build in information governance and data protection development objectives as part of personal development reviews or the annual appraisal process, and support staff in achieving those objectives.
- Monitor individual information governance and data protection related training objectives as part of the annual staff appraisal process.
- Seek staff feedback on current training provision to confirm they have read and understood the training, and provide a way to give anonymous feedback if not.
Options to consider:
- Create reporting mechanisms to assign accountability.
- Review the effectiveness of the reporting mechanism in communicating and highlighting issues and areas of concern.
- Share best practice on how to improve or maintain training completion rates.
- Make anonymous feedback methods available for staff to communicate their thoughts about the training.
- Request feedback or share a satisfaction survey with staff after they complete the training.