Control measure: Various communication methods are used on a regular basis to raise staff awareness of information governance, data protection and information security, and the associated policies and procedures.
Risk: If staff are not made aware of important messages effectively because only limited types of communication are used, some key messaging may not reach staff in a timely manner. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Use a variety of types of communication to raise staff awareness generally, not just in the information governance department.
- Periodically communicate information governance, data protection and information security policy updates to all staff.
- Feature information governance, data protection and information security messages in communications sent on a regular basis to staff (eg newsletters).
Options to consider:
- Display awareness raising posters around the premises.
- Use screensavers to help raise staff awareness.
Control measure: Staff are given the opportunity at team and department meetings to discuss information governance, data protection and information security, and associated issues.
Risk: If staff do not have a regular opportunity to discuss issues or raise questions, they will fail to ensure compliance with legislative requirements.
Ways to meet our expectations:
- Give staff an opportunity to raise questions or concerns about information governance, data protection and information security at team, department, or equivalent meetings.
- Invite information governance, data protection and information security staff to team, department, or equivalent meetings to provide more detail or focused briefings.
Options to consider:
- Add information governance, data protection and information security as standing agenda items in team briefs or meetings.
- Have a data protection champion in various key departments.
Control measure: Staff know who to contact about any information governance, data protection or information security related queries or advice.
Risk: Queries may go unasked or unanswered if staff do not know who to contact, therefore increasing the risk of non-compliance and breaching data protection law.
Ways to meet our expectations:
- Include directions in staff training material, as well as in policies and procedures, on who to contact and how.
- Provide and monitor a general email inbox for information governance and data protection queries.
- Include guidance in awareness material on how to get information governance, data protection and information security advice.
Options to consider:
- Check staff can recognise who they should contact if they have any queries or advice requests about information governance, data protection or information security.
- Run regular staff awareness exercises or scenarios.
- Make these details available on the internal intranet.