The ICO exists to empower you through information.

Why is this important?

Good records management supports good data governance and data protection. Wider benefits include supporting information access, making sure that you can find information about past activities, and enabling the more effective use of resources. Some of the consequences of poor records management include poor decisions, failure to handle information securely and inefficiencies. Information security also supports good data governance, and is itself a legal data protection requirement. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – it may even endanger lives in some extreme cases.

At a glance – what we expect from you

Creating, locating and retrieving records

You have minimum standards for the creation of records and effective mechanisms to locate and retrieve records.

Ways to meet our expectations:

  • You have policies and procedures to ensure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal.
  • You identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register.
  • You know the whereabouts of records at all times, you track their movements, and you make attempts to trace records that are missing or not returned.
  • You index records stored off-site with unique references to enable accurate retrieval and subsequent tracking.

Have you considered the effectiveness of your accountability measures?

  • Do staff know how to classify and structure records appropriately?
  • Is the asset register kept up to date?
  • Have there been any issues locating records?

Security for transfers

You have appropriate security measures in place to protect data that is in transit, data you receive or data you transfer to another organisation.

Ways to meet our expectations:

  • You document rules to protect the internal and external transfer of records, whether by post, by fax or electronically, for example in a transfer policy or guidance.
  • You minimise data transferred off-site and keep it secure in transit.
  • When you transfer data off-site, you use an appropriate form of transport (for example secure courier, encryption, SSH File Transfer Protocol (SFTP) or a Virtual Private Network (VPN)) and you make checks to ensure the information has been received complete and unaltered.
  • You have agreements in place with any third parties you use to transfer business information to or from your organisation.
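One way to make the "checks to ensure the information has been received" concrete is a digest manifest: the sender records a SHA-256 hash of every file in the transfer, and the recipient compares what arrived against it. The example below is added here to illustrate that check; it is not ICO guidance or code, and the file names and contents in it are constructed samples.

```python
"""Added example (not ICO guidance): a SHA-256 manifest for an off-site
transfer, so the recipient can confirm that every file arrived intact and that
nothing arrived that was not sent. File names and contents are constructed."""
import hashlib
import json

# Constructed sample: the files the sender packages for the transfer.
SENT_FILES = {
    "case-0421.pdf": b"%PDF-1.4 constructed sample contents",
    "index.csv": b"ref,subject\n0421,sample\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> str:
    """Sender side: file name -> digest, serialised so it can travel
    separately from the files (for example by a second channel)."""
    entries = {name: sha256_hex(content) for name, content in sorted(files.items())}
    return json.dumps(entries, sort_keys=True)


def verify_transfer(manifest_json: str, received: dict) -> dict:
    """Recipient side: compare what arrived against the manifest.

    Reports files that are missing, files whose digest does not match
    (truncated or altered in transit) and files that were not in the manifest."""
    expected = json.loads(manifest_json)
    report = {"ok": [], "missing": [], "corrupt": [], "unexpected": []}
    for name, digest in expected.items():
        if name not in received:
            report["missing"].append(name)
        elif sha256_hex(received[name]) != digest:
            report["corrupt"].append(name)
        else:
            report["ok"].append(name)
    report["unexpected"] = sorted(set(received) - set(expected))
    return report


def transfer_complete(report: dict) -> bool:
    """True only when every manifest entry arrived intact and nothing extra did."""
    return not (report["missing"] or report["corrupt"] or report["unexpected"])


if __name__ == "__main__":
    manifest = build_manifest(SENT_FILES)
    # Simulate a bad transfer: one file truncated, one never arrived.
    damaged = {"case-0421.pdf": SENT_FILES["case-0421.pdf"][:10]}
    print(verify_transfer(manifest, damaged))
```

A manifest only proves integrity if the manifest itself cannot be swapped along with the files, so send it by a different route from the data (or sign it); it detects loss and corruption but does nothing for confidentiality, which is what the encryption, SFTP or VPN in the bullet above is for.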

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the policies and procedures and do they follow them?
  • Do staff know how to send emails or information by post or fax securely?
  • Have they been using appropriate forms of transport?

Data quality

You have procedures in place to make sure that records containing personal data are accurate, adequate and not excessive.

Ways to meet our expectations:

  • You conduct regular data quality reviews of records containing personal data to make sure they are accurate, adequate and not excessive.
  • You make staff aware of data quality issues following data quality checks or audits to prevent recurrence.
  • Records containing personal data (whether active or archived) are 'weeded' periodically to reduce the risks of inaccuracies and excessive retention.

Have you considered the effectiveness of your accountability measures?

  • Could staff demonstrate the process for conducting data quality reviews?
  • Do staff understand their responsibilities and do they know what to do if they identify issues?

Retention schedule

You have an appropriate retention schedule outlining storage periods for all personal data, which you review regularly.

Ways to meet our expectations:

  • You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives).
  • The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule.
  • You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly.
  • You regularly review retained data to identify opportunities for minimisation, pseudonymisation or anonymisation and you document this in the schedule.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the retention schedule?
  • Do they adhere to it?
  • Could staff explain what their responsibilities are and how they carry them out effectively?

Destruction

You cover methods of destruction in a policy and they are appropriate to prevent disclosure of personal data prior to, during or after disposal.

Ways to meet our expectations:

  • For paper documents, you use locked waste bins for records containing personal data, and either in-house or third-party cross-cut shredding or incineration is in place.
  • For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place. Note that degaussing does not erase solid-state media such as SSDs and USB sticks; those need a verified wipe or physical destruction.
  • Confidential waste awaiting destruction is held, collected or sent away securely.
  • You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have securely disposed of the data, for example through audit checks and destruction certificates.
  • You have a log of all equipment and confidential waste sent for disposal or destruction.

Have you considered the effectiveness of your accountability measures?

  • Is there a secure location where confidential waste collected daily is held until it is collected for disposal internally or by a third party?
  • Is there a secure storage area for equipment awaiting disposal?

Information asset register

You have an asset register that records assets, systems and applications used for processing or storing personal data across the organisation.

Ways to meet our expectations:

  • Your organisation has an asset register which holds details of all information assets (software and hardware) including:
    • asset owners;
    • asset location;
    • retention periods; and
    • security measures deployed.
  • You review the register periodically to make sure it remains up to date and accurate.
  • You periodically risk-assess assets within the register and you have physical checks to make sure that the hardware asset inventory remains accurate.

Have you considered the effectiveness of your accountability measures?

  • Is the register accurate – could you use it to find equipment around your office?
  • If we selected a sample of software, could you demonstrate that the details in the register are correct?

Rules for acceptable software use

You identify, document and implement rules for the acceptable use of software (systems or applications) processing or storing information.

Ways to meet our expectations:

  • You have Acceptable Use or terms and conditions of use procedures in place.
  • You have system operating procedures which document the security arrangements and measures in place to protect the data held within systems or applications.
  • Your organisation monitors compliance with acceptable use rules and makes sure that staff are aware of any monitoring.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the policies and procedures?
  • Are they well understood?

Access control

You limit access to personal data to authorised staff only and regularly review users’ access rights.

Ways to meet our expectations:

  • You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens.
  • You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third-party contractors to all relevant systems and services required to fulfil their role, for example 'new starter process'.
  • You restrict and control the allocation and use of privileged access rights.
  • You keep a log of user access to systems holding personal data.
  • You regularly review users’ access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation.
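The access review in the last bullet is easiest to evidence when it is run as a reconciliation rather than a visual check: compare the accounts and rights a system actually holds against the HR roster and the rights each role should have, and list every discrepancy. The script below is an added illustration of that review, not ICO code or guidance; the people, roles, rights, dates and the role baseline in it are all constructed.

```python
"""Added example (not ICO guidance): reconcile a system's user export against
the HR roster to surface the joiner/mover/leaver failures an access review
should catch. Every person, role, right and date here is constructed."""
from datetime import date

REVIEW_DATE = date(2024, 9, 1)  # constructed date of this review run

# Constructed HR roster: current role, and leaving date where the person has left.
HR_ROSTER = {
    "alice": {"role": "caseworker", "left": None},
    "bob":   {"role": "finance",    "left": None},          # moved from caseworker
    "carol": {"role": "caseworker", "left": date(2024, 3, 31)},
    "dave":  {"role": "contractor", "left": date(2024, 6, 30)},
}

# Constructed export from a case-management system: account -> rights held.
SYSTEM_ACCOUNTS = {
    "alice": {"cases:read", "cases:write"},
    "bob":   {"cases:read", "cases:write", "finance:read"},
    "carol": {"cases:read"},
    "dave":  {"cases:read", "admin"},
    "svc-backup": {"admin"},
}

# Constructed baseline: the rights the provisioning procedure grants per role.
ROLE_BASELINE = {
    "caseworker": {"cases:read", "cases:write"},
    "finance":    {"finance:read"},
    "contractor": {"cases:read"},
}

PRIVILEGED = {"admin"}  # rights whose allocation must be restricted and controlled


def review_access(roster, accounts, baseline, today):
    """Return (account, finding, rights) for every account that fails the review."""
    findings = []
    for account, rights in accounts.items():
        person = roster.get(account)
        if person is None:
            # No HR record: shared or service account that needs an owner and a justification.
            findings.append((account, "no HR record", sorted(rights)))
            continue
        if person["left"] is not None and person["left"] < today:
            # Leaver whose account was never disabled.
            findings.append((account, "leaver still enabled", sorted(rights)))
            continue
        excess = rights - baseline.get(person["role"], set())
        if excess:
            # Mover who kept old rights, or privileged access outside the baseline.
            kind = "privileged excess" if excess & PRIVILEGED else "excess for role"
            findings.append((account, kind, sorted(excess)))
    findings.sort()
    return findings


if __name__ == "__main__":
    for account, finding, rights in review_access(HR_ROSTER, SYSTEM_ACCOUNTS, ROLE_BASELINE, REVIEW_DATE):
        print(f"{account:12} {finding:22} {rights}")
```

The output is the evidence the accountability questions ask for: a leaver still enabled, a mover carrying rights from a previous role, and a service account with privileged access and no named owner. Keeping each dated run alongside the actions taken on it shows that the review is regular and acted upon, not just performed.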

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the policies and procedures?
  • Are third-party access rights assigned appropriately given what is required in a contract?
  • Are access rights correct and up to date?
  • Would a sample of new starters, movers and leavers show adherence to the policies and procedures?

Unauthorised access

You prevent unauthorised access to systems and applications, for example by passwords, technical vulnerability management and malware prevention tools.

Ways to meet our expectations:

  • You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied).
  • You apply minimum password complexity rules and lock out or throttle accounts after a limited number of failed log-on attempts to systems or applications processing personal data.
  • You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (passwords are salted and hashed with a slow password-hashing function, never stored in plain text).
  • Email content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data.
  • You log and monitor user and system activity to detect anything unusual.
  • You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate.
  • Anti-malware and anti-virus protection is kept up-to-date and you configure it to perform regular scans.
  • Your organisation has access to and acts upon any updates on technical vulnerabilities to systems or software, for example vendor’s alerts or patches.
  • You regularly run vulnerability scans.
  • You deploy URL or web content filtering to block specific websites or entire categories.
  • You strictly control or prohibit the use of social media, or messaging apps such as WhatsApp to share personal data.
  • You have external and internal firewalls and intrusion detection systems in place as appropriate to ensure the security of information in networks and systems from unauthorised access or attack, for example denial of service attacks.
  • You do not have unsupported operating systems in use, for example Windows XP or Windows Server 2003.
  • You establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications.
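Two of the bullets above, limited log-on attempts and password storage that is not plain text, are simple to get wrong in a home-grown application. The example below is added to show the two controls together; it is not ICO code or guidance. It uses PBKDF2-HMAC-SHA256 from the Python standard library with a per-user random salt, compares digests in constant time, and locks an account after a fixed number of failures. The account names, passwords and the lockout threshold are constructed for the illustration.

```python
"""Added example (not ICO guidance): salted, iterated password hashing instead
of plain-text storage, plus lockout after a limited number of failed log-ons.
User names, passwords and the threshold below are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 600_000        # PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
MAX_FAILED_ATTEMPTS = 5     # constructed threshold for this illustration


def hash_password(password: str) -> dict:
    """Return what gets stored: salt, digest and the work factor, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def check_password(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    # Constant-time comparison so a mismatch position cannot be timed.
    return hmac.compare_digest(digest.hex(), record["hash"])


class UserStore:
    """In-memory stand-in for the credential table of an application."""

    def __init__(self):
        self._users = {}  # name -> {"pw": record, "failed": int, "locked": bool}

    def add_user(self, name: str, password: str) -> None:
        self._users[name] = {"pw": hash_password(password), "failed": 0, "locked": False}

    def stored_record(self, name: str) -> dict:
        return self._users[name]["pw"]

    def login(self, name: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'; never say which of name/password was wrong."""
        user = self._users.get(name)
        if user is None:
            hash_password(password)  # spend the same effort so timing does not reveal unknown accounts
            return "denied"
        if user["locked"]:
            return "locked"           # stays locked even for the right password until reset
        if check_password(user["pw"], password):
            user["failed"] = 0
            return "ok"
        user["failed"] += 1
        if user["failed"] >= MAX_FAILED_ATTEMPTS:
            user["locked"] = True
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery staple")
    print(store.stored_record("alice"))   # salt and digest only, no plain text
    for attempt in range(MAX_FAILED_ATTEMPTS):
        print(attempt + 1, store.login("alice", "guess"))
    print("correct password after lockout:", store.login("alice", "correct horse battery staple"))
```

A locked account in this design needs an out-of-band reset by an administrator, which is also the point at which the lockout should be logged and looked at, since repeated lockouts across many accounts are what a password-spraying attempt looks like in the activity monitoring the list above asks for.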

Have you considered the effectiveness of your accountability measures?

  • Would a sample of systems access at various job levels confirm that you apply access levels appropriately?
  • Are the passwords complex?
  • Could staff demonstrate that anti-virus and anti-malware has been implemented on key information systems?
  • Do you install vendor updates in a timely manner?
  • Could we access a black-listed site or an unsupported operating system on-site?

Mobile devices, home or remote working and removable media

You have appropriate mechanisms in place to manage the security risks of using mobile devices, home or remote working and removable media.

Ways to meet our expectations:

  • You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.
  • You have protections in place to avoid the unauthorised access to or disclosure of the information processed by mobile devices, for example, encryption and remote wiping capabilities.
  • You implement security measures to protect information processed when home or remote working, for example VPN and two-factor authentication.
  • Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices as well as an entire class of devices.
  • Your organisation uses the most up-to-date version of its remote access solution. You are able to support and update devices remotely.
  • You do not allow equipment, information or software to be taken off-site without prior authorisation and you have a log of all mobile devices and removable media used and who they are allocated to.

Have you considered the effectiveness of your accountability measures?

  • Can staff find the policies and procedures?
  • Are they aware of the main contents?
  • Would a sample of devices have appropriate encryption?
  • Could you demonstrate appropriate access arrangements for home or remote working?
  • Are staff working from home or remotely aware of the authorisation requirements?

Secure areas

You secure physical business locations to prevent unauthorised access, damage and interference to personal data.

Ways to meet our expectations:

  • You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV.
  • You have visitor protocols in place such as signing-in procedures, name badges and escorted access.
  • You implement additional protection against external and environmental threats in secure areas such as server rooms.
  • Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.
  • You securely store paper records and control access to them.
  • You operate a clear desk policy across your organisation where personal data is processed.
  • You have regular clear desk 'sweeps' or checks and issues are fed back appropriately.
  • You operate a 'clear screen' policy across your organisation where personal data is processed.

Have you considered the effectiveness of your accountability measures?

  • Are printer/fax areas secure?
  • Do staff follow protocols and are they clearly communicated?
  • Would we see appropriate environmental controls in your secure areas?
  • Would a tour of your offices reveal an effective clear desk policy?
  • Are screens left unlocked?

Business continuity, disaster recovery and back-ups

You have plans to deal with serious disruption, and you back up key systems, applications and data to protect against loss of personal data.

Ways to meet our expectations:

  • You have a risk-based Business Continuity Plan to manage disruption and a Disaster Recovery Plan to manage disasters, which identify records that are critical to the continued functioning of the organisation.
  • You take back-up copies of electronic information, software and systems (and ideally store them off-site).
  • The frequency of backups reflects the sensitivity and importance of the data.
  • You regularly test back-ups and recovery processes to ensure they remain fit for purpose.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the plans and are they easy to access?
  • Could staff explain the effectiveness of the plans and how to test them?