What is accountability?
Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.
It’s a real opportunity to show that you set high standards for privacy and lead by example to promote a positive attitude to data protection across your organisation.
Accountability enables you to minimise the risks of what you do with personal data by putting in place appropriate and effective policies, procedures and measures. These must be proportionate to the risks, which can vary depending on the amount of data being handled or transferred, its sensitivity and the technology you use.
Regulators, business partners and individuals need to see that you are managing personal data risks if you want to secure their trust and confidence. This can enhance your reputation and give you a competitive edge, helping your business to thrive and grow.
For more information about accountability, please read our guidance on accountability and governance.
How can I use the framework?
The framework is an opportunity for you to assess your organisation’s accountability. Depending on your circumstances, you may use it in different ways. For example, you may want to:
- create a comprehensive privacy management programme;
- check your existing practices against the ICO’s expectations;
- consider whether you could improve existing practices, perhaps in specific areas;
- understand ways to demonstrate compliance;
- record, track and report on progress; or
- increase senior management engagement and privacy awareness across your organisation.
The framework is divided into 10 categories, for example ‘Leadership and oversight’. Selecting a category will display our key expectations and a bullet-pointed list of ways you can meet our expectations. These are the most likely ways to meet our expectations, but they are not exhaustive. You may meet our expectations in slightly different or unique ways.
You can demonstrate the ways you are meeting our expectations with documentation, but accountability is also about what you actually do in practice so you should also review how effective the measures are.
Accountability is not about ticking boxes. While there are some accountability measures that you must take, such as conducting a data protection impact assessment for high-risk processing, there isn’t a ‘one size fits all’ approach.
You will need to consider your organisation and what you are doing with personal data in order to manage personal data risks appropriately. As a general rule, the greater the risk, the more robust and comprehensive the measures in place should be.
To help you assess, report and improve your data protection compliance, you can complete our accountability self-assessment.
You can also use our accountability tracker if you want to record more detail and create an action plan to track your progress over time.
Introduction to the Accountability Framework
At a glance
Accountability is one of the key principles in data protection law – it makes you responsible for complying with the legislation and says that you must be able to demonstrate your compliance.
The Accountability Framework can help any organisation, whether small or large, with their obligations.
The framework is divided into 10 categories and contains expectations and examples of how your organisation can demonstrate your accountability.
As a starting point, we’d advise reading the Guide to the UK GDPR section on accountability first.
Who can use the framework?
You will find the Accountability Framework useful if you are responsible for putting appropriate measures in place to make sure that your organisation complies with data protection. You could be senior management, the data protection officer (DPO) or have records management or information security responsibilities.
The Accountability Framework can help to support any organisation, whether small or large, with their obligations. The key is that the measures you put in place must be appropriate, risk-based and proportionate. This depends on your organisation and what you are doing with personal data.
If you work for a smaller organisation you will most likely benefit, in the first instance, from the resources available on our SME hub, in particular the Assessment for small business owners and sole traders, and our Data protection self-assessment toolkit which has been created with smaller organisations in mind.
What is the scope of the framework?
This framework supports the foundations of an effective privacy management programme. It is not exhaustive and does not replace the need for you to comply with all applicable aspects of data protection, exercise your own judgement, and use other relevant guidance and materials such as the Guide to the UK General Data Protection Regulation (GDPR).
The framework is not sector-specific because we want it to be relevant to as broad an audience as possible. In time, we will include case studies to highlight practical experience across different sectors and differently sized organisations.
Take a self-assessment
The accountability self-assessment will help you to assess the extent to which your organisation is currently meeting the ICO’s expectations in relation to accountability.
Use the Tracker
The accountability tracker is a tool to help you record detail and track your progress over time.
Why is this important?
A fundamental building block of accountability is strong leadership and oversight. This includes making sure that staff have clear responsibilities for data protection-related activities at a strategic and operational level. Some organisations are legally required to appoint a DPO, but everyone must allocate sufficient resources and make sure that data protection is a shared responsibility, rather than solely the task of someone working directly in a data protection role. You make senior management and the board accountable, and they must lead by example to promote the organised, proactive and positive approach to data protection that underpins everything else.
At a glance – what we expect from you
Organisational structure
There is an organisational structure for managing data protection and information governance, which provides strong leadership and oversight, clear reporting lines and responsibilities, and effective information flows.
Ways to meet our expectations:
- The board, or highest senior management level, has overall responsibility for data protection and information governance.
- Decision-makers lead by example and promote a proactive, positive culture of data protection compliance.
- You have clear reporting lines and information flows between relevant groups, such as from a management board to an audit committee, or from an executive team to an information governance steering group.
- Policies clearly set out the organisational structure for managing data protection and information governance.
- Job descriptions clearly set out responsibilities and reporting lines to management.
- Job descriptions are up-to-date, fit for purpose and reviewed regularly.
- Data protection and information governance staff understand the organisational structure and their responsibilities.
Have you considered the effectiveness of your accountability measures?
- Do staff report that your organisational structure is effective?
- Is there a positive and proactive culture of data protection compliance across your organisation?
- Are staff aware of their responsibilities and those of others within the structure?
Whether to appoint a DPO
If it is necessary to appoint a DPO under Article 37 of the UK GDPR, your organisation makes sure that the DPO’s role is adequately supported and covers all the requirements and responsibilities.
Ways to meet our expectations:
- The DPO has specific responsibilities in line with Article 39 of the UK GDPR for data protection compliance, data protection policies, awareness raising, training and audits.
- The DPO has expert knowledge of data protection law and practices.
- The DPO has the authority, support and resources to do their job effectively.
- If your organisation is not required to appoint a DPO, you record the decision.
- If your organisation is not required to appoint a DPO, you appropriately assign responsibility for data protection compliance and you have enough staff and resources to manage your obligations under data protection law.
Have you considered the effectiveness of your accountability measures?
- Could your DPO explain their responsibilities and how to carry them out effectively?
- Does your DPO feel supported in their role?
Appropriate reporting
The DPO is independent and unbiased. They must report to the highest management level and staff must be clear about how to contact them.
Ways to meet our expectations:
- Staff know who the DPO is, what their role is and how to contact them.
- All data protection issues involve the DPO in a timely manner.
- Your organisation follows the DPO’s advice and takes account of their knowledge about data protection obligations.
- The DPO performs their tasks independently, without any conflicts of interest, and does not take any direct operational decisions about the manner and purposes of processing personal data within your organisation.
- The DPO directly advises senior decision-makers and raises concerns with the highest management level.
- The DPO provides senior management with regular updates about data protection compliance.
Have you considered the effectiveness of your accountability measures?
- Could your DPO explain their responsibilities and how they carry them out effectively?
- Does your DPO feel supported in their role?
- Is it easy for your DPO to get access to the highest level management?
- Can your staff explain what the DPO does and how to get in touch with them?
Operational roles
Your organisation’s operational roles support the practical implementation of data protection and information governance.
Ways to meet our expectations:
- Data protection and information governance staff have clear responsibilities for making sure that your organisation is data protection compliant.
- Your staff manage all records effectively and they keep information secure.
- A network of support or nominated data protection leads help implement and maintain data protection policies at a local level.
- Data protection and information governance staff have the authority, support and resources to carry out their responsibilities effectively.
Have you considered the effectiveness of your accountability measures?
- Are staff job descriptions accurate and up to date?
- Could staff explain their role and responsibilities in detail and how these are achieved in practice?
- Do they feel supported?
Oversight groups
An oversight group provides direction and guidance across your organisation for data protection and information governance activities.
Ways to meet our expectations:
- Key staff, eg the DPO, regularly attend the oversight group meetings.
- An appropriately senior staff member chairs the group, eg the DPO or senior information risk owner (SIRO).
- Clear terms of reference set out the group's aims.
- The group's meeting minutes record what takes place.
- The group covers a full range of data protection-related topics including key performance indicators (KPIs), issues and risks.
- The group has a work or action plan that is monitored regularly.
- The board or highest management level considers data protection and information governance issues and risks reported by the oversight group.
Have you considered the effectiveness of your accountability measures?
- Do group members report that the meetings are effective?
- Do they meet frequently enough and cover appropriate topics?
- Are senior management aware of the issues and risks?
Operational group meetings
In your organisation, operational level groups meet to discuss and coordinate data protection and information governance activities.
Ways to meet our expectations:
- The groups meet and are attended by relevant staff regularly.
- The groups produce minutes of the meetings and action plans.
- The agenda shows the groups discuss appropriate data protection and information governance issues regularly.
- Any data protection and information governance issues and risks that arise are reported to the oversight group.
Have you considered the effectiveness of your accountability measures?
- Would the group members say that the meetings are effective?
- Do they meet frequently enough and cover appropriate topics?
- Is the oversight group aware of the issues and risks?
Why is this important?
This makes sure that all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date. Training and awareness are key to actually putting into practice your policies, procedures and measures by:
At a glance – what we expect from you
All-staff training programme
You have an all-staff data protection and information governance training programme.
Ways to meet our expectations:
- Your programme incorporates national and sector-specific requirements.
- Your programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.
- You consider the training needs of all staff and use this information to compile the training programme.
- You assign responsibilities for managing information governance and data protection training across your organisation and you have training plans or strategies in place to meet training needs within agreed timescales.
- You have dedicated and trained resources available to deliver training to all staff.
- You regularly review your programme to ensure that it remains accurate and up to date.
- Senior management sign off your programme.
Have you considered the effectiveness of your accountability measures?
- Are you meeting staff training needs effectively?
- Have your trainers received appropriate training?
- Are their responsibilities clear, and could they explain how they carry out those responsibilities in practice?
Induction and refresher training
Your training programme includes induction and refresher training for all staff on data protection and information governance.
Ways to meet our expectations:
- Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
- Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
- Your staff receive induction training prior to accessing personal data and within one month of their start date.
- Your staff complete refresher training at appropriate intervals.
Have you considered the effectiveness of your accountability measures?
- Could we observe your training delivery methods?
- Is it effective?
- Do you follow up on ‘no shows’?
- Could staff explain their training records?
Specialised roles
Specialised roles or functions with key data protection responsibilities (such as DPOs, subject access and records management teams) receive additional training and professional development beyond the basic level provided to all staff.
Ways to meet our expectations:
- You complete a training needs analysis for information governance and data protection staff to inform the training plan and to ensure it is specific to the individual’s responsibilities.
- You detail training and skills requirements in job descriptions.
- You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and they are subject to proportionate refresher training.
- You keep on record copies of the training material provided as well as details of who receives the training.
Have you considered the effectiveness of your accountability measures?
- Do staff consider that you identify their training needs specifically?
- Are there appropriate plans to meet those needs?
- Are the training materials effective?
Monitoring
Your organisation can demonstrate that staff understand the training. You verify their understanding and monitor it appropriately, eg through assessments or surveys.
Ways to meet our expectations:
- You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.
- You keep copies of the training material provided on record as well as details of who receives the training.
- You monitor training completion in line with organisational requirements at all levels of the organisation, and you follow up with staff who do not complete the training.
- Staff are able to provide feedback on the training they receive.
Have you considered the effectiveness of your accountability measures?
- Do staff react positively to the training?
- Is there an easy way to provide feedback?
- Does that process result in changes?
- Are senior managers aware of training monitoring outcomes?
Awareness raising
You regularly raise awareness across your organisation of data protection, information governance and associated policies and procedures in meetings or staff forums. You make it easy for staff to access relevant material.
Ways to meet our expectations:
- You have evidence that your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts and blogs.
- You make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.
Have you considered the effectiveness of your accountability measures?
- Could we observe awareness-raising materials around your office?
- Would staff know who to contact?
- Do you make it easy for them to find and access relevant information?
Why is this important?
Data protection law aims to empower individuals and give them greater control over their personal data through several rights, which you need to facilitate effectively. Compliance with individual rights minimises the privacy risks to individuals as well as to organisations. It will help you to comply with other data protection requirements, such as the principles. Good data protection compliance enhances your reputation and gives you a competitive edge because it increases the trust and confidence that people have in how you handle personal data.
At a glance – what we expect from you
Informing individuals and identifying requests
You inform individuals about their rights and all staff are aware of how to identify and deal with both verbal and written requests.
Ways to meet our expectations:
- You give individuals clear and relevant information about their rights and how to exercise them.
- Your policies and procedures set out processes for dealing with requests from individuals about their rights.
- All staff receive training and guidance about how to recognise a request and where to send them.
Have you considered the effectiveness of your accountability measures?
- Do all staff understand how to recognise a request and where to send them?
- Would individuals say that you provided useful materials to help them to exercise their rights?
Resources
You have appropriate resources in place to handle requests from individuals about their data.
Ways to meet our expectations:
- A specific person or team is responsible for managing and responding to requests.
- Staff receive specialised training to handle requests, including regular refresher training.
- You have sufficient resources to deal with requests.
- If a staff member is absent, you train other staff to carry out key tasks.
- Your organisation can deal with any increase in requests or reduction in staffing levels.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of their key responsibilities and how to deliver them in practice?
- Would your staff say that you have appropriate resources to deal with the volume of requests?
- In the case of staff absences, could key tasks in the request process be covered by more than one individual?
Logging and tracking requests
Your organisation logs receipt of all verbal and written requests from individuals and updates the log to track the handling of each request.
Ways to meet our expectations:
- You have processes in place to ensure the log is accurate and updated as appropriate.
- The log shows the due date for requests, the actual date of the final response and the action taken.
- A checklist records the key stages in the request handling process, eg which systems or departments have been searched. This is either part of the log or a separate document.
- You have records of your organisation's request responses, and any disclosed or withheld information from subject access requests.
Have you considered the effectiveness of your accountability measures?
- Could you locate relevant records easily?
- Are the records correct?
- Would a small sample of requests show that your staff follow the policies and procedures?
Timely responses
You deal with requests from individuals in a timely manner that meets individual expectations and statutory timescales.
Ways to meet our expectations:
- You action all requests within statutory timescales.
- The staff responsible for managing requests meet regularly to discuss any issues and investigate, prioritise or escalate any delayed cases.
- If you need an extension, you update individuals on the progress of their request and keep them informed.
- If a request is refused, you have records about the reasons why and you inform individuals about the reasons for any refusals or exemptions.
Have you considered the effectiveness of your accountability measures?
Monitoring and evaluating performance
Your organisation monitors how your staff handle requests and you use that information to make improvements.
Ways to meet our expectations:
- The staff responsible for managing requests meet regularly to discuss any issues.
- You produce regular reports on performance and case quality assessments to ensure that requests are handled appropriately.
- You share reports with senior management, who review and action them at appropriate meetings.
- Your organisation analyses any trends in the nature or cause of requests to improve performance or reduce volumes.
Have you considered the effectiveness of your accountability measures?
Inaccurate or incomplete information
Your organisation has appropriate systems and procedures to change inaccurate information, add additional information to incomplete records or add a supplementary statement where necessary.
Ways to meet our expectations:
- Your organisation takes proportionate and reasonable steps to check the accuracy of the personal data held and, if necessary, is able to rectify it.
- If your organisation is satisfied that the data is accurate, you have a procedure to explain this to the individual. You need to inform the individual of their right to complain, and as a matter of good practice, record on the system the fact that the individual disputes the accuracy of the information.
- If personal data has been disclosed to others, your organisation contacts each recipient to inform them about the rectification, unless this is impossible or involves disproportionate effort.
- If asked, the organisation tells the data subject which third parties have received the personal data.
Have you considered the effectiveness of your accountability measures?
- Would staff say there are effective processes in place to rectify inaccurate or incomplete personal data?
- Would requesters say they were given clear information about the steps you took?
Erasure
You have appropriate methods and procedures in place within your organisation to delete, suppress or otherwise stop processing personal data if required.
Ways to meet our expectations:
- You erase personal data from back-up systems as well as live systems where necessary, and you clearly tell the individual what will happen to their data.
- If the personal data is disclosed to others, your organisation contacts each recipient to inform them about the erasure, unless this is impossible or involves disproportionate effort.
- If asked to, your organisation tells the data subject which third parties have received the personal data.
- If personal data has been made public in an online environment, you take reasonable steps to tell other controllers, if they are processing it, to erase links to, copies of or replications of that data.
- Your organisation gives particular weight to a request for erasure where the processing is or was based on a child’s consent, especially when processing any personal data on the internet.
Have you considered the effectiveness of your accountability measures?
Restriction
Your organisation has appropriate methods and procedures in place to restrict the processing of personal data if required.
Ways to meet our expectations:
- Your organisation restricts personal data in a way appropriate for the type of processing and the system, for example temporarily moving the data to another system or removing it from a website.
- If the personal data has been disclosed to others, your organisation contacts each recipient to tell them about the restriction, unless this is impossible or involves disproportionate effort.
- If asked to, your organisation tells the data subject which third parties have received the personal data.
Have you considered the effectiveness of your accountability measures?
Data portability
Individuals are able to move, copy or transfer their personal data from your organisation to another securely, without affecting the data.
Ways to meet our expectations:
- When requested, you provide personal data in a structured, commonly used and machine readable format.
- Where possible and if an individual requests it, your organisation can directly transmit the information to another organisation.
Have you considered the effectiveness of your accountability measures?
- Would staff say you have effective data portability processes in place?
- Would requesters say you gave them clear information?
Rights related to automated decision-making and profiling
Your organisation can protect individual rights related to automated decision-making and profiling, particularly where the processing is solely automated with legal or similarly significant effects.
Ways to meet our expectations:
- You complete additional checks for vulnerable groups, such as children, for all automated decision-making and profiling.
- Your organisation only collects the minimum data needed and has a clear retention policy for the profiles created.
- If your organisation uses solely automated decisions that have legal or similarly significant effects on individuals, you have a recorded process to ensure these decisions only occur in accordance with Article 22 of the UK GDPR. If this applies, your organisation must also carry out a data protection impact assessment (DPIA).
- Where the decision is solely automated and has legal or similarly significant effects on individuals, a recorded process allows simple ways for individuals to request human intervention, express their opinion and challenge a decision.
- You conduct regular checks for accuracy and bias to ensure that systems are working as intended, and you feed this back into the design process.
Have you considered the effectiveness of your accountability measures?
- Do staff and customers find your retention policy clear?
- Do staff say you have effective processes to protect rights relating to automated decision-making and profiling?
- Would individuals say you made it easy to request human intervention, express their opinion and challenge a decision?
Individual complaints
Your organisation has procedures to recognise and respond to individuals' complaints about data protection, and individuals are made aware of their right to complain.
Ways to meet our expectations:
- You have procedures to handle data protection complaints raised by individuals and you report their resolution to senior management.
- The DPO’s contact details or alternative contact points are publicly available if individuals wish to raise a complaint about the use of their data.
- You tell individuals about their right to make a complaint to the ICO in your privacy information.
Have you considered the effectiveness of your accountability measures?
- Would complainants say that they were clear about how to make complaints and how it would be handled?
Why is this important?
Transparency is a key data protection principle which is fundamental to a ‘data protection by design and by default’ approach. It facilitates the exercise of individuals’ rights and gives people greater control. This is particularly important if the processing is complex or if it relates to a child. Proactively respecting people’s privacy can give you a competitive advantage by increasing the confidence of the public, regulators and business partners. Being open and honest about what you do with personal data will support contracting and data sharing with third parties.
At a glance – what we expect from you
Privacy notice content
Ways to meet our expectations:
- Privacy information includes all relevant contact information, eg the name and contact details of your organisation (and your representative if applicable) and the DPO’s contact details.
- Privacy information includes the purposes of the processing and the lawful bases (and, if applicable, the legitimate interests for the processing).
- Privacy information includes the types of personal data you obtain and the data source, if the personal data is not obtained from the individual it relates to.
- Privacy information includes details of all personal data that you share with other organisations and, if applicable, details of transfers to any third countries or international organisations.
- Privacy information includes retention periods for the personal data, or if that is not possible, the criteria used to determine the period.
- Privacy information includes details about individuals' rights including, if applicable, the right to withdraw consent and the right to make a complaint.
- Privacy information includes details of whether individuals are under a statutory or contractual obligation to provide the personal data (if applicable, and if you collect the personal data from the individual it relates to).
- You provide individuals with privacy information regarding the source of the processed personal data if you don’t obtain it from the individual concerned, eg if the data is from publicly accessible sources such as social media, the open electoral register or Companies House.
Have you considered the effectiveness of your accountability measures?
- Do your staff understand what privacy information is and what must be provided?
- Are individuals provided with clear information about the source of personal data, if you don’t obtain it from the individual concerned?
Timely privacy information
You have a recorded procedure to make sure that individuals receive privacy information at the right time, unless an exemption applies.
Ways to meet our expectations:
- Individuals receive privacy information when their data is collected (eg when they fill in a form) or by observation (eg when using CCTV or people are tracked online).
- If you obtain personal data from a source other than the individual it relates to, you provide privacy information to individuals no later than one month after obtaining the data.
Have you considered the effectiveness of your accountability measures?
- Do your staff understand when and how privacy information should be provided?
Effective privacy information
Your organisation provides privacy information that is:
- concise;
- transparent;
- intelligible;
- clear;
- in plain language; and
- communicated in a way that is effective for the target audience.
Ways to meet our expectations:
- You proactively make individuals aware of privacy information and have a free, easy way to access it.
- You provide privacy information to individuals in electronic and hard-copy form, using a combination of appropriate techniques, such as a layered approach, icons and mobile and smart device functionalities.
- You write privacy information in clear and plain language that the intended audience can understand, and offer it in accessible formats if required.
- You take particular care to write privacy information for children in clear, plain language, that is age-appropriate, and explains the risks involved in the processing and what safeguards are in place.
Have you considered the effectiveness of your accountability measures?
- Would customers say you proactively made them aware of privacy information?
- Did you use an appropriate form of communication?
- Was it easy to understand?
Automated decision-making and profiling
Your organisation is transparent about any processing relating to automated decision-making and profiling.
Ways to meet our expectations:
- You have procedures for individuals to access the personal data you use to create profiles, so they can review for accuracy and edit it if needed.
- If the decision is solely automated and has legal or similarly significant effects, your organisation tells individuals about the processing - including what information you are using, why and what the impact is likely to be.
- If the purpose is initially unclear, you give individuals an indication of what your organisation is going to do with their data, and you proactively update your privacy information as this becomes clearer.
- If the decision is solely automated and has legal or similarly significant effects, your organisation explains the processing in a meaningful way that enables individuals to exercise their rights including obtaining human intervention, expressing their point of view and contesting the decision.
Have you considered the effectiveness of your accountability measures?
- Would individuals say that you explained the processing to them in a meaningful way that helped them to exercise their rights?
- Is it easy for them to access the personal data you used to create profiles?
Staff awareness
Your organisation can demonstrate that any member of front-line staff is able to explain the necessary privacy information to data subjects and provide guidance.
Ways to meet our expectations:
- You arrange organisation-wide staff training about privacy information.
- Front-line staff receive more specialised or specific training.
- Staff are aware of the various ways in which the organisation provides privacy information.
Have you considered the effectiveness of your accountability measures?
- Do your staff have good general knowledge about privacy information and the ways it is provided?
- Do front-line staff have more detailed knowledge?
Privacy information review
Your organisation has procedures to review the privacy information provided to data subjects regularly to make sure that it is accurate, up to date and effective.
Ways to meet our expectations:
- You review privacy information against the records of processing activities, to ensure it remains up to date and that it accurately explains what happens with individuals’ personal data.
- You maintain a log of historical privacy notices, including the dates you made any changes, in order to allow a review of what privacy information you provided to data subjects and when.
- Your organisation carries out user testing to evaluate the privacy information’s effectiveness.
- Your organisation analyses complaints from the public about how you use their personal data, and in particular, any complaints about how you explain that use.
- If your organisation plans to use personal data for a new purpose, you have a procedure to update the privacy information and communicate the changes to individuals before starting any new processing.
Have you considered the effectiveness of your accountability measures?
Tools supporting transparency and control
You are open about how you use personal data, and offer tools to support transparency and control, especially when processing children's personal data.
Ways to meet our expectations:
- Privacy policies are clear and easy for members of the public to access.
- You provide individuals with tools, such as secure self-service systems, dashboards and just-in-time notices, so they can access, determine and manage how your organisation uses their personal data.
- Your organisation offers strong privacy defaults and user-friendly options and controls.
- Where relevant, you have processes in place to help children exercise their data protection rights in an easily accessible way that they understand.
- You implement appropriate measures to protect children using digital services.
Have you considered the effectiveness of your accountability measures?
- Would the public say that your policies are clear, easy to find and access?
- Do they feel appropriately supported in accessing, determining and managing how their data is used?
- Would children say the same?
Further reading
ICO guidance:
ICO template:
Why is this important?
It’s a legal requirement to document your processing activities. Taking stock of what information you have, where it is and what you do with it makes it much easier for you to improve your information governance and comply with other aspects of data protection law (such as creating a privacy notice and keeping personal data secure). It is a clear way to show what you are doing in line with the accountability principle and we may require you to provide these records to us. Your processing won’t be lawful without a valid lawful basis so you must justify your choice appropriately.
At a glance – what we expect from you
Data mapping
Your organisation frequently carries out comprehensive data mapping exercises, providing a clear understanding of what information is held and where.
Ways to meet our expectations:
- Your organisation carries out information audits (or data mapping exercises) to find out what personal data is held and to understand how the information flows through your organisation.
- You keep the data map up to date and you clearly assign the responsibilities for maintaining and amending it.
- You consult your staff to make sure that there is an accurate picture of processing activities, for example by using questionnaires and staff surveys.
Have you considered the effectiveness of your accountability measures?
- Would staff say that there was an effective process in place to identify what personal data is held across the organisation?
- Could staff explain their responsibilities and how they are carried out in practice?
- Would the record match what people were currently doing?
Record of processing activities (ROPA)
Your organisation has a formal, documented, comprehensive and accurate ROPA based on a data mapping exercise that is reviewed regularly.
Ways to meet our expectations:
- You record processing activities in electronic form so you can add, remove and amend information easily.
- Your organisation regularly reviews the record against processing activities, policies and procedures to ensure that it remains accurate and up to date, and you clearly assign responsibilities for doing this.
- You regularly review the processing activities and types of data you process for data minimisation purposes.
Have you considered the effectiveness of your accountability measures?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?
ROPA requirements
Your ROPA contains all the relevant requirements set out in Article 30 of the UK GDPR.
Ways to meet our expectations:
- The ROPA includes (as a minimum):
- your organisation’s name and contact details, whether it is a controller or a processor (and where applicable, the joint controller, their representative and the DPO);
- the purposes of the processing;
- a description of the categories of individuals and of personal data;
- the categories of recipients of personal data;
- details of transfers to third countries, including a record of the transfer mechanism safeguards in place;
- retention schedules; and
- a description of the technical and organisational security measures in place.
- You have an internal record of all processing activities carried out by any processors on behalf of your organisation.
Have you considered the effectiveness of your accountability measures?
- Would staff say that you have effective processes in place to keep the record up to date, accurate and make sure that the data is minimised?
- Could staff explain their responsibilities and how they carry them out in practice?
Good practice for ROPAs
Your organisation’s ROPA includes links to other relevant documentation, such as contracts or records as a matter of good practice.
Ways to meet our expectations:
- The ROPA also includes, or links to, documentation covering:
- information required for privacy notices, such as the lawful basis for the processing and the source of the personal data;
- records of consent;
- controller-processor contracts;
- the location of personal data;
- DPIA reports;
- records of personal data breaches;
- information required for processing special category data or criminal conviction and offence data under the Data Protection Act 2018 (DPA 2018); and
- retention and erasure policy documents.
Have you considered the effectiveness of your accountability measures?
- Do staff understand how to access other relevant documentation linked to the ROPA?
- Is it easy for staff to access relevant documentation from the ROPA?
- Could staff explain this process and how it impacts their role?
Documenting your lawful basis
You document and appropriately justify your organisation’s lawful basis for processing personal data in line with Article 6 of the UK GDPR (and Articles 9 and 10, if the processing involves special category or criminal offence data).
Ways to meet our expectations:
- Your organisation selects the most appropriate lawful basis (or bases) for each activity following a review of the processing purposes.
- You document the lawful basis (or bases) relied upon and the reasons why.
- If your organisation processes special category or criminal offence data, you identify and document a lawful basis for general processing and an additional condition for processing this type of data (or in the case of criminal offence data, you identify the official authority to process).
- In the case of special category or criminal offence data, you document consideration of the requirements of Article 9 or 10 of the UK GDPR and Schedule 1 of the DPA 2018 where relevant.
- Where Schedule 1 requires it, you have an appropriate policy document including:
- which Schedule 1 conditions you are relying upon;
- what procedures you have in place to ensure compliance with the data protection principle;
- how you will treat special category or criminal offence data for retention and erasure purposes;
- a review date; and
- details of an individual assigned responsibility for the processing.
- You identify the lawful basis before starting any new processing.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the need to identify a lawful basis for processing personal data?
- Can they identify an appropriate lawful basis?
- Are they aware of the additional requirements to protect special category and criminal offence data?
Lawful basis transparency
You make information about the purpose of the processing and the lawful basis publicly available. This is easy to locate, access and read.
Ways to meet our expectations:
- You make information about the purposes of the processing, your lawful basis and relevant conditions for processing any special category or criminal offence data publicly available in your organisation's privacy notice(s).
- You provide information in an easily understandable format.
- If there is a genuine change in circumstances, or if your lawful basis must change due to a new and unanticipated purpose, you inform individuals in a timely manner and record the changes.
Have you considered the effectiveness of your accountability measures?
- Would customers agree that your privacy notice is easy to find, access and understand?
Consent requirements
If your organisation relies on consent for the processing of personal data, you comply with the UK GDPR’s consent requirements of being:
- specific;
- granular;
- prominent;
- opt-in;
- documented; and
- easily withdrawn.
Ways to meet our expectations:
- Consent requests:
- are kept separate from other terms and conditions;
- require a positive opt-in and do not use pre-ticked boxes;
- are clear and specific (not a pre-condition of signing up to a service);
- inform individuals how to withdraw consent in an easy way; and
- give your organisation’s name as well as any third parties relying on consent.
- You have records of what an individual has consented to, including what they were told and when and how they consented. The records are thorough and easy for relevant staff to access, review and withdraw if required.
- You have evidence and examples of how consent is sought from individuals, for example online forms or notices, opt-in tick boxes or paper-based forms.
Have you considered the effectiveness of your accountability measures?
- Do staff agree that the records of consent are easy to access, understand and review?
- Do customers say that you make it easy to understand and manage consent?
Reviewing consent
You proactively review records of previously gathered consent, which demonstrates a commitment to confirming and refreshing the consents.
Ways to meet our expectations:
- You have a procedure to review consents to check that the relationship, the processing and the purposes have not changed and to record any changes.
- Your organisation has a procedure to refresh consent at appropriate intervals.
- Your organisation uses privacy dashboards or other preference management tools to help people manage their consent.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the process to review consents?
- Is the procedure easy to find, access and understand?
- Do individuals say it was easy to manage their consent preferences?
Risk-based age checks and parental or guardian consent
Your organisation has effective systems in place to conduct risk-based age checks and, where required, to obtain and record parental or guardian consent.
Ways to meet our expectations:
- Your organisation makes reasonable efforts to check the age of those giving consent, particularly where the individual is a child.
- You have a reasonable and effective procedure to determine whether the individual in question can provide their own consent, and if not, an effective way to gain and record parental or guardian consent.
- When providing online services to children, your organisation has risk-based age checking systems in place to establish age, with an appropriate level of certainty based on the risks to children's rights and freedoms.
- When providing online services to children, if the child is under 13, you have records of parental or guardian consent which are regularly reviewed, and you make reasonable efforts to verify that the person giving consent has parental responsibility. You give particular consideration when a child reaches the age of 13 and is able to provide their own consent.
Have you considered the effectiveness of your accountability measures?
- Do staff and individuals agree that you have a reasonable and effective way to conduct risk-based age checks, gain parental or guardian consent and review what’s in place?
Legitimate interest assessment (LIA)
If your organisation’s lawful basis is legitimate interests, you have completed an appropriate LIA prior to starting the processing.
Ways to meet our expectations:
- The LIA identifies the legitimate interest, the benefits of the processing and whether it is necessary.
- The LIA includes a 'balancing test' to show how your organisation determines that its legitimate interests override the individuals’ and considers the following issues:
- Not using people's data in intrusive ways or in ways which could cause harm, unless there is a very good reason.
- Protecting the interests of vulnerable groups such as people with learning disabilities or children.
- Whether you could introduce safeguards to reduce any potentially negative impact.
- Whether you can offer an opt-out.
- Whether you require a DPIA.
- You clearly document the decision and the assessment.
- You complete the LIA prior to the start of the processing.
- You keep the LIA under review and refresh it if changes affect the outcome.
Have you considered the effectiveness of your accountability measures?
- Do staff say that the LIAs are clear and comprehensive?
- Is the review process effective?
Further reading
ICO guidance:
External guidance:
Why is this important?
It is good practice for you to have written data sharing agreements when controllers share personal data. This helps everyone to understand the purpose for the sharing, what will happen at each stage and what responsibilities they have. It also helps you to demonstrate compliance in a clear and formal way. Similarly, written contracts help controllers and processors to demonstrate compliance and understand their obligations, responsibilities and liabilities.
At a glance – what we expect from you
Data sharing policies and procedures
Your organisation's policies and procedures make sure that you appropriately manage data sharing decisions.
Ways to meet our expectations:
- You have a review process, through a DPIA or a similar exercise, to assess the legality, benefits and risks of the data sharing.
- You document all sharing decisions for audit, monitoring and investigation purposes and regularly review them.
- Your organisation has clear policies, procedures and guidance about data sharing, including who has the authority to make decisions about systematic data sharing or one-off disclosures, and when it is appropriate to do so.
- Your organisation adequately trains all staff likely to make decisions about data sharing, and makes them aware of their responsibilities. You refresh this training appropriately.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of their responsibilities and how to carry them out effectively?
- Would staff say they have a clear process to follow?
- Is your organisation meeting their training needs?
Data sharing agreements
You arrange and regularly review data sharing agreements with parties with whom you regularly share personal data.
Ways to meet our expectations:
- You agree data sharing agreements with all the relevant parties and senior management sign them off.
- The data sharing agreement includes details about:
- the parties' roles;
- the purpose of the data sharing;
- what is going to happen to the data at each stage; and
- the standards set (with a high privacy default for children).
- Where necessary, procedures and guidance covering each organisation’s day-to-day operations support the agreements.
- If your organisation is acting as a joint controller (within the meaning of Article 26 of the UK GDPR), you set out responsibilities under an arrangement or a data sharing agreement and you provide appropriate privacy information to individuals.
- You have a regular review process to make sure that the information remains accurate and up to date, and to examine how the agreement is working.
- You keep a central log of the current sharing agreements.
Have you considered the effectiveness of your accountability measures?
- Are staff with sharing responsibilities aware of the process?
- Is there contingency built into the process if something goes wrong or if people aren’t available to perform their role?
- Would staff say the decision-making is maintained or appropriately delegated?
Restricted transfers
Your organisation has procedures in place to make sure that restricted transfers are made appropriately.
Ways to meet our expectations:
- You consider whether the restricted transfer is covered by an adequacy decision or by 'appropriate safeguards' listed in data protection law, such as contracts incorporating standard contractual data protection clauses adopted by the Commission or Binding Corporate Rules (BCRs).
- If a restricted transfer is not covered by an adequacy decision nor an appropriate safeguard, you consider whether it is covered by an exemption set out in Article 49 of the UK GDPR.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the process and their responsibilities?
- Are you meeting their training needs?
- Do staff adhere to the policies and procedures?
Processors
You have appropriate procedures in place regarding the work that processors do on your behalf.
Ways to meet our expectations:
- You have written contracts with all processors.
- If using a processor, you assess the risk to individuals and make sure that these risks are mitigated effectively.
- An appropriate level of management approves the contracts and both parties sign. The level of management required for approval is proportionate to the value and risk of the contract.
- Each contract (or other legal act) sets out details of the processing, including the:
- subject matter of the processing;
- duration of the processing;
- nature and purpose of the processing;
- type of personal data involved;
- categories of data subject; and
- controller’s obligations and rights, in accordance with the list set out in Article 28(3) of the UK GDPR.
- You keep a record or log of all current processor contracts, which you update when processors change.
- You review contracts periodically to make sure they remain up to date.
- If a processor uses a sub-processor to help with the processing it is doing on your behalf, they have written authorisation from your organisation and a written contract with that sub-processor.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the need for a written contract when using a processor?
- How do they make sure the contracts are kept up to date?
- Are the risks of using a processor mitigated effectively?
- Do you have an appropriate approval process for contracts?
- Is it easy for staff to find existing contracts where appropriate?
Controller-processor contract requirements
All of your controller-processor contracts cover the terms and clauses necessary to comply with data protection law.
Ways to meet our expectations:
- The contract or other legal act includes terms or clauses stating that the processor must:
- only act on the controller’s documented instructions, unless required by law to act without such instructions;
- ensure that people processing the data are subject to a duty of confidence;
- help the controller respond to requests from individuals to exercise their rights; and
- submit to audits and inspections.
- Contracts include the technical and organisational security measures that the processor must adopt (including encryption, pseudonymisation, resilience of processing systems and backing up personal data in order to be able to reinstate the system).
- The contract includes clauses to make sure that the processor either deletes or returns all personal data to the controller at the end of the contract. The processor must also delete existing personal data unless the law requires its storage.
- The contract includes clauses to make sure that the processor assists the controller in meeting its UK GDPR obligations regarding the security of processing, the notification of personal data breaches and DPIAs.
Have you considered the effectiveness of your accountability measures?
- Was the International Organisation for Standardization (ISO) consulted on the appropriateness of security measures detailed within contracts?
Processor due diligence checks
You carry out due diligence checks to guarantee that processors will implement appropriate technical and organisational measures to meet UK GDPR requirements.
Ways to meet our expectations:
- The procurement process builds in due diligence checks proportionate to the risk of the processing before you agree a contract with a processor.
- The due diligence process includes data security checks, eg site visits, system testing and audit requests.
- The due diligence process includes checks to confirm a potential processor will protect data subjects’ rights.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of what they need to do?
- Is there a clear and effective process?
- Are due diligence checks proportionate to the risks?
Processor compliance reviews
Your organisation reviews data processors’ compliance with their contracts.
Ways to meet our expectations:
- Contracts include clauses to allow your organisation to conduct audits or checks, to confirm the processor is complying with all contractual terms and conditions.
- You carry out routine compliance checks, proportionate to the processing risks, to test that processors are complying with contractual agreements.
Have you considered the effectiveness of your accountability measures?
- Is there any follow-up where you identify non-compliance with contract terms or a Service Level Agreement?
- Are the checks proportionate to the risks?
Third-party products and services
Your organisation considers ‘data protection by design’ when selecting services and products to use in data processing activities.
Ways to meet our expectations:
- When third parties supply products or services to process personal data, you choose suppliers that design their products or services with data protection in mind.
Have you considered the effectiveness of your accountability measures?
- Do staff consider suppliers’ approach to data protection when using third-party products or services to process personal data?
- Is there a clear way for them to do this?
Purpose limitation
Your organisation proactively takes steps to only share necessary personal data with processors or other third parties.
Ways to meet our expectations:
- Your organisation only shares the personal data necessary to achieve its specific purpose.
- When information is shared, it is pseudonymised or minimised wherever possible. You also consider anonymisation so that the information is no longer personal data.
Have you considered the effectiveness of your accountability measures?
- Do staff understand what they should consider when sharing data to make sure it is limited appropriately?
Further reading
ICO guidance:
External guidance:
Why is this important?
The need to identify, assess and manage privacy risks is an integral part of accountability. Understanding the risks of the way you use personal data specifically is central to creating an appropriate and proportionate privacy management framework. A DPIA is a key risk management tool, and an important part of integrating ‘data protection by design and by default’ across your organisation. It helps you to identify, record and minimise the data protection risks of projects. DPIAs are mandatory in some cases and there are specific legal requirements for content and process. If you cannot mitigate a high risk, you must have a process for reporting this to the ICO.
At a glance – what we expect from you
Identifying, recording and managing risks
Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.
Ways to meet our expectations:
- An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.
- You have a process to help staff report and escalate information governance or data protection concerns and risks to a central point, for example staff forums.
- You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
- You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
- If you identify information risks, you have appropriate action plans, progress reports and a consideration of the lessons learnt to avoid future risk.
- You put measures in place to mitigate the risks identified within risk categories, and you test these regularly to make sure that they remain effective.
Have you considered the effectiveness of your accountability measures?
- Do staff know how to report and escalate concerns and risks?
- Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?
Data protection by design and by default
You take a data protection by design and by default approach to managing risks, and, as appropriate, you build DPIA requirements into policies and procedures.
Ways to meet our expectations:
- You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
- Your procedures state that, if required, a DPIA should begin at the project's outset, before processing starts, and that the DPIA must run alongside the planning and development process.
- You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process and throughout, you consider the:
- intended processing activities;
- risks that these may pose to the rights and freedoms of individuals; and
- possible measures available to mitigate the risks.
Have you considered the effectiveness of your accountability measures?
- Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?
DPIA policy and procedures
You understand whether a DPIA is required, or where it would be good practice to complete one. There is a clear DPIA policy and procedure.
Ways to meet our expectations:
- You have a DPIA policy which includes:
- clear procedures to decide whether you conduct a DPIA;
- what the DPIA should cover;
- who will authorise it; and
- how you will incorporate it into the overall planning.
- You have a screening checklist to consider if you need a DPIA, including all the relevant considerations on the scope, type and manner of the proposed processing.
- If the screening checklist indicates that you do not need a DPIA, you document this.
- Your procedure includes the requirement to seek advice from the DPO and other internal staff as appropriate.
- Your procedure includes consultation with controllers, data processors, individuals, their representatives and any other relevant stakeholders as appropriate.
- Staff training includes the need to consider a DPIA at the early stages of any plan involving personal data and, where relevant, you train staff in how to carry out a DPIA.
- You assign responsibility for completing DPIAs to a member of staff, who has enough authority over a project to effect change, eg a project lead or manager.
Have you considered the effectiveness of your accountability measures?
- Are your policies and procedures easy to locate?
- Are staff aware of the process?
- Do they consider it effective?
- Have they had adequate training?
- Are DPIAs conducted by those with appropriate authority to effect change?
DPIA content
DPIAs always include the appropriate information and are comprehensively documented.
Ways to meet our expectations:
- Your organisation has a standard, well-structured DPIA template which is written in plain English.
- DPIAs:
- include the nature, scope, context and purposes of the processing;
- assess necessity, proportionality and compliance measures;
- identify and assess risks to individuals; and
- identify any additional measures to mitigate those risks.
- DPIAs clearly set out the relationships and data flows between controllers, processors, data subjects and systems.
- DPIAs identify measures that eliminate, mitigate or reduce high risks.
- You have a documented process, with appropriate document controls, that you review periodically to ensure it remains up to date.
- You record your DPO’s advice and recommendations and the details of any other consultations.
- Appropriate people sign off DPIAs, such as a project lead or senior manager.
Have you considered the effectiveness of your accountability measures?
- Do staff use the DPIA template and find it easy to understand?
- Is the process effective?
- Is the DPO satisfied that their advice is taken into account?
- Are they satisfied with any consultation that has taken place and with how you reflect any feedback in the outcome?
DPIA risk mitigation and review
You take appropriate and effective action to mitigate or manage any risks a DPIA identifies, and you have a DPIA review process.
Ways to meet our expectations:
- You have a procedure to consult the ICO if you cannot mitigate residual high risks.
- You integrate outcomes from DPIAs into relevant work plans, project action plans and risk registers.
- You do not start high risk processing until mitigating measures are in place following the DPIA.
- You have a procedure to communicate the outcomes of DPIAs to appropriate stakeholders, eg through a formal summarised report.
- You consider actively publishing DPIAs where possible, removing sensitive details if necessary.
- You agree and document a schedule for reviewing the DPIA regularly or when the nature, scope, context or purposes of the processing changes.
Have you considered the effectiveness of your accountability measures?
- Do staff understand when to consult the ICO?
- Do you effectively integrate outcomes from DPIAs into projects?
- Are appropriate stakeholders aware of the outcomes of DPIAs?
Why is this important?
Good records management supports good data governance and data protection. Wider benefits include supporting information access, making sure that you can find information about past activities, and enabling the more effective use of resources. Some of the consequences of poor records management include poor decisions, failure to handle information securely and inefficiencies. Information security also supports good data governance, and is itself a legal data protection requirement. Poor information security leaves your systems and services at risk and may cause real harm and distress to individuals – it may even endanger lives in some extreme cases.
At a glance – what we expect from you
Creating, locating and retrieving records
You have minimum standards for the creation of records and effective mechanisms to locate and retrieve records.
Ways to meet our expectations:
- You have policies and procedures to ensure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal.
- You identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register.
- You know the whereabouts of records at all times, you track their movements, and you make attempts to trace records that are missing or not returned.
- You index records stored off-site with unique references to enable accurate retrieval and subsequent tracking.
Have you considered the effectiveness of your accountability measures?
- Do staff know how to classify and structure records appropriately?
- Is the asset register kept up to date?
- Have there been any issues locating records?
Security for transfers
You have appropriate security measures in place to protect data that is in transit, data you receive or data you transfer to another organisation.
Ways to meet our expectations:
- You document rules to protect the internal and external transfer of records by post, fax and electronically, for example in a transfer policy or guidance.
- You minimise data transferred off-site and keep it secure in transit.
- When you transfer data off-site, you use an appropriate form of transport (for example secure courier, encryption, secure file transfer protocol (SFTP) or Virtual Private Network (VPN)) and you make checks to ensure the information has been received.
- You have agreements in place with any third parties used to transfer business information between your organisation and third parties.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the policies and procedures and do they follow them?
- Do staff know how to send emails or information by post or fax securely?
- Have they been using appropriate forms of transport?
Data quality
You have procedures in place to make sure that records containing personal data are accurate, adequate and not excessive.
Ways to meet our expectations:
- You conduct regular data quality reviews of records containing personal data to make sure they are accurate, adequate and not excessive.
- You make staff aware of data quality issues following data quality checks or audits to prevent recurrence.
- Records containing personal data (whether active or archived) are 'weeded' periodically to reduce the risks of inaccuracies and excessive retention.
Have you considered the effectiveness of your accountability measures?
- Could staff demonstrate the process for conducting data quality reviews?
- Do staff understand their responsibilities and do they know what to do if they identify issues?
Retention schedule
You have an appropriate retention schedule outlining storage periods for all personal data, which you review regularly.
Ways to meet our expectations:
- You have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives).
- The schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule.
- You assign responsibilities to make sure that staff adhere to the schedule and you review it regularly.
- You regularly review retained data to identify opportunities for minimisation, pseudonymisation or anonymisation and you document this in the schedule.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the retention schedule?
- Do they adhere to it?
- Could staff explain what their responsibilities are and how they carry them out effectively?
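As an added illustration (not part of the ICO framework), the following Python script shows one way to turn a retention schedule into disposal decisions: each record type carries a retention period and the trigger event that starts it, records whose period has expired are listed for disposal, and records with no schedule entry are flagged so the schedule can be completed. The record types, retention periods and sample records are all constructed for the example and are not the ICO's or the National Archives' figures.

```python
from dataclasses import dataclass
from datetime import date

# Constructed retention schedule: record type -> (retention period in years, trigger event).
# Periods are illustrative only; take the real ones from your own schedule and statutory requirements.
RETENTION_SCHEDULE = {
    "recruitment_unsuccessful": (1, "decision_date"),
    "employee_file": (6, "leaving_date"),
    "customer_complaint": (3, "closure_date"),
}

@dataclass
class Record:
    ref: str
    record_type: str
    trigger_date: date   # date of the schedule's trigger event, e.g. the employee's leaving date

def disposal_date(record):
    """Date from which the record may be destroyed under the schedule."""
    years, _trigger = RETENTION_SCHEDULE[record.record_type]
    try:
        return record.trigger_date.replace(year=record.trigger_date.year + years)
    except ValueError:
        # Trigger fell on 29 February and the target year is not a leap year.
        return record.trigger_date.replace(year=record.trigger_date.year + years, day=28)

def review_retention(records, today):
    """Sort records into: due for disposal, still within their period, or missing from the schedule."""
    result = {"dispose": [], "retain": [], "unscheduled": []}
    for rec in records:
        if rec.record_type not in RETENTION_SCHEDULE:
            # The schedule must identify every record type; this one needs a decision.
            result["unscheduled"].append(rec.ref)
            continue
        bucket = "dispose" if disposal_date(rec) <= today else "retain"
        result[bucket].append(rec.ref)
    return result

REVIEW_DATE = date(2024, 6, 1)

# Constructed sample extract of a records index; references and dates are invented.
SAMPLE_RECORDS = [
    Record("R-1", "recruitment_unsuccessful", date(2023, 1, 15)),
    Record("R-2", "employee_file", date(2020, 3, 31)),
    Record("R-3", "customer_complaint", date(2021, 5, 20)),
    Record("R-4", "legacy_export", date(2019, 1, 1)),          # no schedule entry
    Record("R-5", "recruitment_unsuccessful", date(2024, 2, 29)),  # leap-day trigger
]

if __name__ == "__main__":
    for bucket, refs in review_retention(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{bucket}: {', '.join(refs) or '-'}")
```

The "unscheduled" list is the useful output for the second expectation above: a record type that the schedule cannot place is one on which no disposal decision can be implemented.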
Destruction
You cover methods of destruction in a policy and they are appropriate to prevent disclosure of personal data prior to, during or after disposal.
Ways to meet our expectations:
- For paper documents, you use locked waste bins for records containing personal data, and either in-house or third-party cross-cut shredding or incineration is in place.
- For information held on electronic devices, wiping, degaussing or secure destruction of hardware (shredding) is in place.
- You hold, collect or send away confidential waste awaiting destruction securely.
- You have appropriate contracts in place with third parties to dispose of personal data, and they provide you with appropriate assurance that they have securely disposed of the data, for example through audit checks and destruction certificates.
- You have a log of all equipment and confidential waste sent for disposal or destruction.
Have you considered the effectiveness of your accountability measures?
- Is there a secure location for confidential waste collected daily, until it is collected for disposal internally or by a third party?
- Is there a secure storage area for equipment awaiting disposal?
Information asset register
You have an asset register that records assets, systems and applications used for processing or storing personal data across the organisation.
Ways to meet our expectations:
- Your organisation has an asset register which holds details of all information assets (software and hardware) including:
- asset owners;
- asset location;
- retention periods; and
- security measures deployed.
- You review the register periodically to make sure it remains up to date and accurate.
- You periodically risk-assess assets within the register and you have physical checks to make sure that the hardware asset inventory remains accurate.
Have you considered the effectiveness of your accountability measures?
- Is the register accurate – could you use it to find equipment around your office?
- If we selected a sample of software, could you demonstrate that the details in the register are correct?
Rules for acceptable software use
You identify, document and implement rules for the acceptable use of software (systems or applications) processing or storing information.
Ways to meet our expectations:
- You have Acceptable Use or terms and conditions of use procedures in place.
- You have system operating procedures which document the security arrangements and measures in place to protect the data held within systems or applications.
- Your organisation monitors compliance with acceptable use rules and makes sure that staff are aware of any monitoring.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the policies and procedures?
- Are they well understood?
Access control
You limit access to personal data to authorised staff only and regularly review users’ access rights.
Ways to meet our expectations:
- You have an Access Control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens.
- You implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third-party contractors to all relevant systems and services required to fulfil their role, for example 'new starter process'.
- You restrict and control the allocation and use of privileged access rights.
- You keep a log of user access to systems holding personal data.
- You regularly review users’ access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the policies and procedures?
- Are third-party access rights assigned appropriately given what is required in a contract?
- Are access rights correct and up to date?
- Would a sample of new starters, movers and leavers show adherence to the policies and procedures?
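As an added illustration (not part of the ICO framework), the following Python script shows one way to run the periodic access review described above over an extract of an access list: it compares each account's rights with what its role needs, flags leavers who still hold access, privileged accounts outside the approved roles, and dormant accounts. The role-to-system map, the approved privileged roles, the 90-day dormancy threshold and the sample accounts are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Hypothetical role-to-entitlement map: the systems each role needs to do its job.
# Constructed for this example; a real one would be derived from your access control policy.
ROLE_ENTITLEMENTS = {
    "hr_adviser": {"hr_system"},
    "finance_clerk": {"finance_ledger"},
    "it_admin": {"hr_system", "finance_ledger", "directory"},
}

# Roles whose privileged access has been explicitly approved (constructed list).
APPROVED_PRIVILEGED_ROLES = {"it_admin"}

# Accounts unused for this long are queried in the review (constructed threshold).
DORMANT_AFTER_DAYS = 90

@dataclass
class Account:
    user: str
    role: str
    status: str                  # "active" or "leaver"
    systems: Set[str]            # systems the account can currently reach
    privileged: bool = False
    last_login: Optional[date] = None

def review_access(accounts, today):
    """Joiners/movers/leavers style review.

    Returns (user, finding) tuples; an empty list means every account matches its role.
    """
    findings = []
    for acc in accounts:
        if acc.status == "leaver":
            # Leavers should have had every right removed when they left.
            if acc.systems:
                findings.append((acc.user, "leaver still holds access: " + ", ".join(sorted(acc.systems))))
            continue
        needed = ROLE_ENTITLEMENTS.get(acc.role, set())
        excess = acc.systems - needed
        if excess:
            # The typical mover problem: rights from a previous role were never removed.
            findings.append((acc.user, "rights beyond role: " + ", ".join(sorted(excess))))
        if acc.privileged and acc.role not in APPROVED_PRIVILEGED_ROLES:
            findings.append((acc.user, "privileged access without an approved role"))
        if acc.last_login is None or (today - acc.last_login).days > DORMANT_AFTER_DAYS:
            findings.append((acc.user, "dormant account"))
    return findings

REVIEW_DATE = date(2024, 1, 31)

# Constructed sample extract of an access list; names and systems are invented.
SAMPLE_ACCOUNTS = [
    Account("alice", "hr_adviser", "active", {"hr_system"}, last_login=date(2024, 1, 26)),
    # bob moved from HR to finance but kept his HR access
    Account("bob", "finance_clerk", "active", {"hr_system", "finance_ledger"}, last_login=date(2024, 1, 29)),
    Account("carol", "hr_adviser", "leaver", {"directory"}, last_login=date(2023, 12, 1)),
    Account("dave", "finance_clerk", "active", {"finance_ledger"}, privileged=True, last_login=date(2023, 7, 15)),
]

if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, REVIEW_DATE):
        print(f"{user}: {finding}")
```

Run against a real extract, the same four checks answer the questions in the list above: whether rights are correct and up to date, whether privileged access is controlled, and whether a sample of movers and leavers shows the procedure being followed.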
Unauthorised access
You prevent unauthorised access to systems and applications, for example by passwords, technical vulnerability management and malware prevention tools.
Ways to meet our expectations:
- You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied).
- You apply minimum password complexity rules and limited log-on attempts to systems or applications processing personal data.
- You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text).
- Email content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data.
- You log and monitor user and system activity to detect anything unusual.
- You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate.
- Anti-malware and anti-virus protection is kept up to date and you configure it to perform regular scans.
- Your organisation has access to and acts upon any updates on technical vulnerabilities to systems or software, for example vendor’s alerts or patches.
- You regularly run vulnerability scans.
- You deploy URL or web content filtering to block specific websites or entire categories.
- You strictly control or prohibit the use of social media, or messaging apps such as WhatsApp to share personal data.
- You have external and internal firewalls and intrusion detection systems in place as appropriate to ensure the security of information in networks and systems from unauthorised access or attack, for example denial of service attacks.
- You do not have unsupported operating systems in use, for example Windows XP or Windows Server 2003.
- You establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications.
Have you considered the effectiveness of your accountability measures?
- Would a sample of systems access at various job levels confirm that you apply access levels appropriately?
- Are the passwords complex?
- Could staff demonstrate that anti-virus and anti-malware has been implemented on key information systems?
- Do you install vendor updates in a timely manner?
- Could we access a black-listed site or an unsupported operating system on-site?
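As an added illustration (not part of the ICO framework), the following Python script puts three of the password expectations above into working code: a complexity check that also rejects default or common passwords, a lockout after a fixed number of failed log-on attempts, and storage of passwords as salted PBKDF2 hashes rather than plain text. The policy values (12 characters, three character classes, five attempts, a 15-minute lockout, the iteration count) and the small denylist are constructed for the example, not figures from the framework.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Policy values are constructed for this example; take the real ones from your password policy.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_PERIOD = timedelta(minutes=15)
PBKDF2_ITERATIONS = 100_000   # illustrative; follow current guidance for the production figure
# Stand-in for a vendor-default / common-password denylist (constructed, lower-cased).
DENYLIST = {"admin", "password", "changeme", "welcome123!"}

def check_complexity(password):
    """Return the list of policy rules the password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(any(test(ch) for ch in password) for test in (str.islower, str.isupper, str.isdigit))
    if any(not ch.isalnum() for ch in password):
        classes += 1
    if classes < MIN_CHARACTER_CLASSES:
        problems.append(f"fewer than {MIN_CHARACTER_CLASSES} character classes")
    if password.lower() in DENYLIST:
        problems.append("default or commonly used password")
    return problems

def hash_password(password):
    """Salted PBKDF2-HMAC-SHA256; nothing recoverable as plain text is stored."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    _algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

class AccountStore:
    """Minimal in-memory account store with lockout after repeated failures."""

    def __init__(self):
        self.users = {}   # username -> {"hash", "failed", "locked_until"}

    def create(self, username, password):
        problems = check_complexity(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.users[username] = {"hash": hash_password(password), "failed": 0, "locked_until": None}

    def attempt(self, username, password, now):
        """Return "ok", "locked" or "bad_password" for a log-on attempt made at time `now`."""
        rec = self.users.get(username)
        if rec is None:
            return "bad_password"      # an unknown user gets the same answer as a wrong password
        if rec["locked_until"] is not None and now < rec["locked_until"]:
            return "locked"
        if verify_password(password, rec["hash"]):
            rec["failed"], rec["locked_until"] = 0, None
            return "ok"
        rec["failed"] += 1
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            rec["failed"], rec["locked_until"] = 0, now + LOCKOUT_PERIOD
            return "locked"
        return "bad_password"

def demo_lockout():
    """Constructed walk-through: one good log-on, five bad ones, a try while locked, a try after the lockout."""
    store = AccountStore()
    store.create("alice", "Tr0ub4dor&Three")
    t0 = datetime(2024, 1, 31, 9, 0)
    results = [store.attempt("alice", "Tr0ub4dor&Three", t0)]
    results += [store.attempt("alice", "not-the-right-one", t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(store.attempt("alice", "Tr0ub4dor&Three", t0 + timedelta(minutes=5)))
    results.append(store.attempt("alice", "Tr0ub4dor&Three", t0 + LOCKOUT_PERIOD))
    return results

if __name__ == "__main__":
    print(demo_lockout())
```

The stored value carries the algorithm, iteration count and salt alongside the digest, so the iteration count can be raised later without invalidating existing records.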
Mobile devices, home or remote working and removable media
You have appropriate mechanisms in place to manage the security risks of using mobile devices, home or remote working and removable media.
Ways to meet our expectations:
- You have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.
- You have protections in place to avoid the unauthorised access to or disclosure of the information processed by mobile devices, for example, encryption and remote wiping capabilities.
- You implement security measures to protect information processed when home or remote working, for example VPN and two-factor authentication.
- Where you have a business need to store personal data on removable media, you minimise personal data and your organisation implements a software solution that can set permissions or restrictions for individual devices as well as an entire class of devices.
- Your organisation uses the most up-to-date version of its remote access solution. You are able to support and update devices remotely.
- You do not allow equipment, information or software to be taken off-site without prior authorisation and you have a log of all mobile devices and removable media used and who they are allocated to.
Have you considered the effectiveness of your accountability measures?
- Can staff find the policies and procedures?
- Are they aware of the main contents?
- Would a sample of devices have appropriate encryption?
- Could you demonstrate appropriate access arrangements for home or remote working?
- Are staff working from home or remotely aware of the authorisation requirements?
Secure areas
You secure physical business locations to prevent unauthorised access, damage and interference to personal data.
Ways to meet our expectations:
- You protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV.
- You have visitor protocols in place such as signing-in procedures, name badges and escorted access.
- You implement additional protection against external and environmental threats in secure areas such as server rooms.
- Office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.
- You securely store paper records and control access to them.
- You operate a clear desk policy across your organisation where personal data is processed.
- You have regular clear desk 'sweeps' or checks and issues are fed back appropriately.
- You operate a 'clear screen' policy across your organisation where personal data is processed.
Have you considered the effectiveness of your accountability measures?
- Are printer/fax areas secure?
- Do staff follow protocols and are they clearly communicated?
- Would we see appropriate environmental controls in your secure areas?
- Would a tour of your offices reveal an effective clear desk policy?
- Are screens left unlocked?
Business continuity, disaster recovery and back-ups
You have plans to deal with serious disruption, and you back up key systems, applications and data to protect against loss of personal data.
Ways to meet our expectations:
- You have a risk-based Business Continuity Plan to manage disruption and a Disaster Recovery Plan to manage disasters, which identify records that are critical to the continued functioning of the organisation.
- You take back-up copies of electronic information, software and systems (and ideally store them off-site).
- The frequency of backups reflects the sensitivity and importance of the data.
- You regularly test back-ups and recovery processes to ensure they remain fit for purpose.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the plans and are they easy to access?
- Could staff explain the effectiveness of the plans and how to test them?
Why is this important?
You need to be able to detect, investigate, risk-assess and record any breaches. You must report them as appropriate. Having effective processes in place helps you to do this. A personal data breach can have a range of adverse effects on individuals. There can be serious repercussions for organisations, their employees and customers, such as financial penalties (failure to notify a breach when required can result in a fine up to 10 million Euros or 2% of your global turnover), reputational damage, loss of business and disciplinary action.
At a glance – what we expect from you
Detecting, managing and recording incidents and breaches
You have procedures in place to make sure that you detect, manage and appropriately record personal data incidents and breaches.
Ways to meet our expectations:
- You have appropriate training in place so that staff are able to recognise a security incident and a personal data breach.
- A dedicated person or team manages security incidents and personal data breaches.
- Staff know how to escalate a security incident promptly to the appropriate person or team to determine whether a breach has occurred.
- Procedures and systems facilitate the reporting of security incidents and breaches.
- Your organisation has a response plan for promptly addressing any security incidents and personal data breaches that occur.
- You centrally log/record/document both actual breaches and near misses (even if they do not need to be reported to the ICO or individuals).
- The log documents the facts relating to the near miss or breach including:
- its causes;
- what happened;
- the personal data affected;
- the effects of the breach; and
- any remedial action taken and rationale.
Have you considered the effectiveness of your accountability measures?
- Could staff explain what constitutes a personal data breach?
- Do they know how to report incidents?
- Would a sample of how you manage incidents demonstrate adherence to the policy and procedures?
Assessing and reporting breaches
You have procedures to assess all security incidents and then report relevant breaches to the ICO within the statutory time frame.
Ways to meet our expectations:
- You have a procedure to assess the likelihood and severity of the risk to individuals as a result of a personal data breach.
- You have a procedure to notify the ICO of a breach within 72 hours of becoming aware of it (even when all the information is not yet available) and you notify the ICO on time.
- The procedure includes details of what information must be given to the ICO about the breach.
- If you consider it unnecessary to report a breach, you document the reasons why your organisation considers the breach unlikely to result in a risk to the rights and freedoms of individuals.
Have you considered the effectiveness of your accountability measures?
- Are staff aware of the policies and procedures and are they easy to find?
- Do staff understand how to conduct the risk assessment?
- Do they know when a breach needs to be reported to the ICO?
Notifying individuals
You have procedures to notify affected individuals where the breach is likely to result in a high risk to their rights and freedoms.
Ways to meet our expectations:
- You have a procedure setting out how you will tell affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms.
- You tell individuals about personal data breaches in clear, plain language without undue delay.
- The information you provide to individuals includes the DPO’s details, a description of the likely consequences of the breach and the measures taken (including mitigating actions and any possible adverse effects).
- You provide individuals with advice to protect themselves from any effects of the breach.
Have you considered the effectiveness of your accountability measures?
- Would individuals say that they were told about personal data breaches in a helpful and timely way?
- Did they get the information they needed?
- Were they satisfied with the steps you took to mitigate the impact?
Reviewing and monitoring
You review and monitor personal data breaches.
Ways to meet our expectations:
- You analyse all personal data breach reports to prevent a recurrence.
- Your organisation monitors the type, volume and cost of incidents.
- You undertake trend analysis on breach reports over time to understand themes or issues.
- Groups with oversight for data protection and information governance review the outputs.
Have you considered the effectiveness of your accountability measures?
- Could we see an example of how you handled an incident that required lessons to be learned?
- Were the steps you took to prevent a recurrence of the incident effective?
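As an added illustration (not part of the ICO framework), the following Python script models a central breach log along the lines of the expectations above: each entry records the facts the log is expected to hold (cause, what happened, data affected, effects, remedial action and rationale), the entry is classified against the 72-hour ICO notification window from the point of awareness, a missing rationale for not reporting is flagged, the high-risk test for telling individuals is applied, and the log is summarised by type and volume for the oversight group. The sample breaches, dates and the "none / risk / high_risk" labels for the risk assessment outcome are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# The window for notifying the ICO runs from the point you become aware of the breach.
ICO_NOTIFICATION_WINDOW = timedelta(hours=72)

@dataclass
class BreachRecord:
    ref: str
    near_miss: bool
    aware_at: datetime
    cause: str
    what_happened: str
    data_affected: str
    effects: str
    remedial_action: str        # what was done, and why
    likely_risk: str            # outcome of the risk assessment: "none", "risk" or "high_risk" (constructed labels)
    reported_to_ico_at: Optional[datetime] = None
    no_report_rationale: Optional[str] = None

def ico_deadline(rec):
    return rec.aware_at + ICO_NOTIFICATION_WINDOW

def reporting_status(rec, now):
    """Classify a log entry against the notification duty as things stand at `now`."""
    if rec.near_miss or rec.likely_risk == "none":
        # Not reportable, but the reasoning must still be on file.
        return "not reportable: rationale documented" if rec.no_report_rationale else "not reportable: RATIONALE MISSING"
    if rec.reported_to_ico_at is not None:
        return "reported on time" if rec.reported_to_ico_at <= ico_deadline(rec) else "reported late"
    return "OVERDUE" if now > ico_deadline(rec) else "report due"

def hours_remaining(rec, now):
    """Hours left before the ICO deadline (negative once it has passed)."""
    return (ico_deadline(rec) - now).total_seconds() / 3600

def individuals_must_be_told(rec):
    """Individuals are told directly when the breach is likely to result in a high risk to them."""
    return not rec.near_miss and rec.likely_risk == "high_risk"

def summarise(records, now):
    """Type and volume figures for the oversight group, plus anything overdue."""
    return {
        "breaches": sum(not r.near_miss for r in records),
        "near_misses": sum(r.near_miss for r in records),
        "overdue": sum(reporting_status(r, now) == "OVERDUE" for r in records),
        "by_cause": Counter(r.cause for r in records),
    }

NOW = datetime(2024, 3, 14, 12, 0)

# Constructed sample log; references, dates and descriptions are invented.
SAMPLE_BREACHES = [
    BreachRecord("B-001", True, datetime(2024, 3, 1, 10, 0), "misdirected email",
                 "Appraisal form sent to the wrong internal mailbox; recalled within minutes",
                 "one employee's appraisal", "none; recipient confirmed deletion",
                 "Address auto-complete disabled for HR mailboxes", "none",
                 no_report_rationale="Recalled before it was opened; internal recipient bound by confidentiality"),
    BreachRecord("B-002", False, datetime(2024, 3, 4, 9, 0), "misdirected email",
                 "Customer statement emailed to another customer",
                 "name, address and account balance of one customer", "possible distress",
                 "Recipient asked to delete; sender retrained", "risk",
                 reported_to_ico_at=datetime(2024, 3, 5, 16, 0)),
    BreachRecord("B-003", False, datetime(2024, 3, 10, 8, 0), "lost device",
                 "Unencrypted laptop left on a train", "case notes on about 200 service users",
                 "high risk of identity fraud and distress",
                 "Remote wipe attempted; encryption rollout brought forward", "high_risk"),
    BreachRecord("B-004", False, datetime(2024, 3, 12, 14, 0), "misconfiguration",
                 "Internal file share briefly readable by all staff", "staff directory extract",
                 "none identified", "Permissions corrected", "none"),
]

if __name__ == "__main__":
    for rec in SAMPLE_BREACHES:
        print(rec.ref, reporting_status(rec, NOW), "tell individuals" if individuals_must_be_told(rec) else "")
    print(summarise(SAMPLE_BREACHES, NOW))
```

Two of the constructed entries show the failure modes the questions above probe for: B-003 has passed its deadline without a report, and B-004 was judged not reportable but nobody wrote down why.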
External audit or compliance check
Your organisation arranges an external data protection and information governance audit or other compliance checking procedure.
Ways to meet our expectations:
- Your organisation completes externally-provided self-assessment tools to provide assurances on data protection and information security compliance.
- Your organisation is subject to or employs the services of an external auditor to provide independent assurances (or certification) on data protection and information security compliance.
- Your organisation adheres to an appropriate code of conduct or practice for your sector (if one exists).
- You produce audit reports to document the findings.
- You have a central action plan in place to take forward the outputs from data protection and information governance audits.
Have you considered the effectiveness of your accountability measures?
- Do staff adhere to the external standards as claimed?
- Are they aware of a range of suitable external tools?
- Are senior managers aware?
Internal audit programme
If your organisation has an internal audit programme, it covers data protection and related information governance (for example security and records management) in sufficient detail.
Ways to meet our expectations:
- You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place.
- Your organisation regularly tests staff adherence to data protection and information governance policies and procedures.
- You routinely conduct informal ad-hoc monitoring and spot checks.
- You ensure your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.
- You have a central audit plan/schedule in place to show the planning of data protection and information governance internal audits.
- You produce audit reports to document the findings.
- You have a central action plan in place to take forward the outputs from data protection and information governance audits.
Have you considered the effectiveness of your accountability measures?
- Could staff explain a sample of actions from the action plan including how they were identified, progressed and closed?
- Do senior management have oversight of the Action Plan?
- Are there appropriate links to a risk management process and register?
Performance and compliance information
Your organisation has business targets relating to data protection compliance and information governance, and you can access the relevant information to assess against them.
Ways to meet our expectations:
- You have KPIs regarding subject access request (SAR) performance (the volume of requests and the percentage completed within statutory timescales).
- You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who complete training.
- You have KPIs regarding information security, including the number of security breaches, incidents and near misses.
- You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules and the performance of the system in place to index and track paper files containing personal data.
Have you considered the effectiveness of your accountability measures?
- Could staff explain any instances of non-compliance to statutory timescales highlighted in the reports and the actions taken to address the issue?
Use of management information
All relevant management information and the outcomes of monitoring and review activity are communicated to relevant internal stakeholders, including senior management as appropriate. This information informs discussions and actions.
Ways to meet our expectations:
- You have a dashboard giving a high-level summary of all key data protection and information governance KPIs.
- The group(s) providing oversight of data protection and information governance regularly discuss KPIs and the outcomes of monitoring and reviews.
- Data protection and information governance KPIs and the outcomes of monitoring and reviews are discussed regularly by groups at operational level, for example in team meetings.
Have you considered the effectiveness of your accountability measures?
- Could you give examples of information flowing between operational levels and senior management?
- Are staff given appropriate information?
- Do they understand it and are the actions taken clear?
Latest update - 10 November 2023
10 November 2023 - We have added a new case study example to the ‘Case studies’ section of the Accountability Framework. This case study has been submitted by His Majesty’s Revenue and Customs and concerns the accountability challenge of ‘Records management and security’.
Our Accountability Framework provides a number of examples of the different ways you can demonstrate your compliance with the accountability principle. To help you even further, we’ve worked with organisations to capture real-world examples and case studies of different approaches to accountability.
We’re always interested to hear from other organisations who have used the Accountability Framework. You can get in touch here.
Leadership and Oversight
Organisation: Macmillan Cancer Support
Role: Information governance and security
Accountability challenge: Roles and responsibilities
Macmillan’s purpose is to help people affected by cancer. Our staff are aware that an important part of this is to respect their privacy, freedoms, and preferences.
We built the Keeping Data Safe (KDS) framework as part of our information security management system (ISO 27001:2013) to minimise data protection risk. We put in place a clearly-defined accountability programme that protects the personal data we collect. It also ensures we use the data appropriately. Our framework creates accountability by establishing clear roles and responsibilities using the following three groups:
- Keeping Data Safe (KDS) groups
Each directorate has a group which data owners, data managers and data protection leads attend. Each KDS group also has representation from Information Governance, Information Security, and Risk and Compliance. The groups aim to review locally how we work with each other, our partners, and our customers. This supports Macmillan’s operational and strategic data protection and information security requirements at the directorate level.
- Information governance group (IGG)
The IGG has operational responsibility with oversight and management over all information governance and information security plans and their delivery across Macmillan. The IGG aims to ensure that Macmillan effectively manages any risks or issues, including ones that the KDS groups identify. This ensures that all operational functions are efficient and in line with Macmillan policies, procedures, legal obligations and best practice requirements.
- Information governance board (IGB)
The IGB has strategic responsibility. It provides governance, decision-making and oversight of all information governance plans and activities within Macmillan. The IGB allocates proper resource to these activities and can initiate projects with budget allocation. The IGB reports to the Performance and Risk Board, and has access to Macmillan’s senior leadership. This makes sure that senior staff understand data protection and information security risks and can add momentum to decision making.
How have these groups worked for us?
These groups allow for upward and downward communication regarding information risk between the Keeping Data Safe groups, IGG and IGB. For example, we use these groups to communicate other accountability measures, such as our DPIA process and the integration with Microsoft Forms. We implemented our updated DPIA process in a short time frame, since the KDS groups meet every six weeks. All directorates across Macmillan have successfully adopted the new process. Communicating this new process through the KDS groups brought consistency in approach, application, and training, as all groups received the same messaging. The DPIA process has benefited from the KDS groups, as the groups provide a space where we can learn about impending projects coming through the DPIA process.
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Leadership and oversight
Before implementing the Accountability Framework, we had difficulty involving the Senior Responsible Owners (SROs) directly. They were typically more senior than our data protection managers. Data protection managers found it difficult to attain the necessary momentum to implement data protection measures.
Using the Accountability Framework enabled us to make a hierarchical structure that works. We’ve explained to the SROs that they ‘own’ the residual data protection risk. We use the framework to highlight areas that need attention. This helped our SROs make informed decisions about resourcing when considering requirements from other business areas. This hierarchical structure with clear involvement from the SROs increased the number of colleagues with direct, reportable responsibility for data protection. It also provided an escalation route for me as the DPO.
Policies and Procedures
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Policies and procedures
The Accountability Framework gave us the idea to add an ownership column to our policies. This created a more robust process for creating and reviewing policies. The ownership column allowed us to develop a two-tier approach. In this approach, senior roles govern common business areas (eg security and finance) and we assign junior colleagues more specific tasks.
We also used the steps in the Accountability Framework to develop a better system for identifying where policies need improving. It also allows us to act efficiently by developing policies jointly across business areas or by having areas sign up to pre-existing policies.
Organisation: Newry Mourne and Down District Council
Accountability challenge: Policies and procedures
The UK GDPR coming into force gave us an opportunity to really ‘take stock’ of how we do data protection across our council. We planned a programme of work to improve our policies, procedures and training.
To help us to focus on what we needed to do, we started by conducting an audit. From this, we created short, medium and long term targets, which we aligned with the ICO’s accountability framework.
Our audit included reviewing existing relevant policies and procedures and making improvements to link them together. For example, we created:
- an information strategy group with an overall vision aligned with the data principles;
- a new process to investigate breach reports; and
- a new retention and disposal schedule incorporating the ICO’s records management retention schedule guidance.
Organisation: The Office of Intercollegiate Services (OIS), University of Cambridge
The Office of Intercollegiate Services (OIS) was created by the 31 Colleges in the University of Cambridge to support their common activities and interests. Each College is a legal entity and registered data controller in its own right, and each is separate from the University.
Role: Data protection officer
Accountability challenge: Consistent compliance reviews
In my role, I advise and support the colleges, each with their own operational and governance structures. It is challenging to help them review their data protection compliance consistently.
Over the years, I tried different approaches, including a granular self-assessment that was not widely used. I revised this in 2020 and created a new ‘toolkit’, using broader statements from the ICO’s online self-assessment. This was flexible enough for each college to take account of their own unique circumstances. For example, each college could describe their individual governance structure and the data protection impact assessments they carried out.
Crucially, I also explained the regulatory and business benefits of completing the compliance review. This increased engagement substantially, to an unprecedented 80% response rate.
I reviewed each college’s submission and produced individual summary reports. The reports included recommendations to help them improve and an overall accountability assurance rating.
Many of the colleges submitted the report to their governing bodies for formal approval. This allowed local data protection champions at the colleges to obtain the resources they needed to address any gaps identified through action plans. I could also now benchmark their compliance and track progress.
More recently, I adapted the ICO’s accountability framework tracker for my in-house toolkit. The dashboard is particularly useful for management reporting.
While the colleges already had some excellent practices in place, they are now in a better position. They can demonstrate their accountability, and their commitment to continuous improvement, in a clear and consistent way.
Training and Awareness
Organisation: Department for Work and Pensions (DWP)
Role: Data Protection Officer
Accountability challenge: Advanced training
Staff from both the fraud teams and the wider DWP need to understand and apply the correct data protection regime. We wanted to have the correct training measures in place, such as guidance, so that our staff could identify which regime applied to their specific processing activities. To address this, we developed a tool which explained the practical implications of the differences between the two regimes. It also gave the criteria for determining which one applies.
A good deal of thought and preparation went into the development and delivery of the product. We wanted to make it practical and easy to understand so colleagues without a deep data protection knowledge could use it. We used the ICO guidance for the technical content and worked with business colleagues to tailor the material to the audience.
We showcased the new tool to over 900 staff and feedback was extremely positive. We gained feedback at the end of each presentation through the Microsoft Teams chat facility and also by issuing a feedback form. A large majority of attendees felt that the awareness sessions improved both their knowledge and overall confidence.
This work also led to further improvements to our guidance and products. We updated our guidance to clearly define the different regimes that could apply to DWP’s processing activities. We also identified additional products that needed further clarification. We have subsequently updated several products, including draft customer letters from within the Counter Fraud and Compliance Division and the right of access request internal guidance.
Organisation: Information Commissioner’s Office (ICO)
Role: Group Manager, Information Management and Compliance
Accountability challenge: Communicating across different departments
I’m responsible for making sure that the ICO itself complies with the accountability principle. It is easy to forget that, as well as a regulator, the ICO is also a controller of personal data!
Despite my initial uncertainty, in reality, the accountability principle wasn’t so mysterious. I simply focused on the two key elements: to make sure that we have appropriate measures in place and that we can demonstrate what we do.
The ICO already had processes and teams in place to support accountability. However, the Accountability Framework presented a great opportunity to review our practices and think about where we might improve.
The Framework’s suite of tools made my job much easier, enabling me to identify priority areas and take steps to address them. Although it took time to complete this review, consulting with different departments, it was well worth the effort to get the results.
For example, to improve our cross-office engagement, we:
- supported and followed up with departments about their processing. This helped us to get timely information about our processing and to put in place the necessary foundations for our accountability review;
- put in place a clear, easy to use process for updating and signing off our privacy notice. This helps us be clear about responsibilities and to keep track of updates;
- reviewed our systems and considered how we would demonstrate our accountability. We used a communications plan to highlight at the right time, to the right people, what information they needed to store and where; and
- established a community of local information management officers who meet regularly. We use this feedback to make our processes easier for staff to understand and use.
Organisation: Newry Mourne and Down District Council
Accountability challenge: Training
The UK GDPR coming into force gave us an opportunity to really ‘take stock’ of how we do data protection across our council. We planned a programme of work to improve our policies, procedures and training.
We used the ICO’s training materials to give all staff and councillors face-to-face training and we also developed e-learning modules. We engage with external organisations and reflect on our experiences to help us continually improve. By adapting the ICO’s training materials rather than creating our own, we saved resources and money.
Transparency
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Transparency
The Accountability Framework encouraged us to review the layout of our privacy notices and evaluate how our organisation interacts with our personal information charter. As a result, we are seeing an increase in staff members using our privacy notice. The data protection team are also using it as a reference point and guide when engaging with colleagues in other business areas.
Records of processing and lawful basis
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Record of Processing Activities (ROPA) and lawful basis
Implementing the Accountability Framework highlighted that we were using different methods to complete the ROPA across our organisation. This meant we did not complete areas of the ROPA in line with best practice, and it created inefficiencies. We developed a ‘house style’ ROPA template that introduces more uniformity and makes it easier to produce training material and workshops on ROPA requirements. The uniformity allows us to embed a ‘DEFRA style’ approach to data protection. We use this to create communities of colleagues with common responsibilities. These communities are a cost-effective way of developing technical solutions for the assets they manage.
Risks and DPIAs
Organisation: Department for Environment, Food and Rural Affairs (DEFRA)
Role: Data protection officer
Accountability challenge: Risks and DPIAs
We previously used several different versions of the DPIA template. This created confusion when colleagues completed different templates. In particular, it was inefficient to review different templates and bring them all to the same standard. It was also difficult to provide training on how to complete a DPIA. The Accountability Framework helped us to demonstrate to the organisation the benefits of developing a single DPIA template, which we implemented. We used this template to create a self-service system, improving efficiency. In particular, colleagues now find it easier to familiarise themselves with our DPIA guidance and single DPIA template. As a result, we can see an improvement in the standard of DPIA completion. Staff find it easier to complete DPIAs without seeking advice from data protection colleagues.
DPIA completion is important as it helps to improve understanding of policies and projects. It also provides an opportunity for our data protection community to link up with policy colleagues in other areas of the business and share experiences.
Organisation: Macmillan Cancer Support
Role: Information governance and security
Accountability challenge: Risk management
Macmillan’s purpose is to help people affected by cancer. Our staff are aware that an important part of this is to respect their privacy, freedoms, and preferences.
We built the Keeping Data Safe (KDS) framework as part of our information security management system (ISO 27001:2013) to minimise data protection risk. We put in place a clearly-defined accountability programme that protects the personal data we collect. It also ensures we use the data appropriately.
We used our Keeping Data Safe accountability framework to introduce standardised and measurable definitions of information risks. For example, terms like ‘impact’ and ‘likelihood’ have a set of defined criteria, which makes them easier to apply. This helped us to remove subjectivity in risk assessments, creating consistency across the directorates. This consistency helps us to identify high priority risks and allocate our resources accordingly. This also helps our organisation’s risk monitoring activities, as we can create actions and controls that are relevant and measurable now that we have clearly defined our information risks.
Records management and security
Organisation: His Majesty’s Revenue and Customs (HMRC)
Role: Data protection officer
Accountability challenge: Records management and security
We carried out a comprehensive Risk Discovery Programme within HMRC using the Accountability Framework, and split category 9, ‘Records management and security’, into two to bring greater focus to each topic. We separated items 9.2, 9.7, 9.8, 9.10, 9.11 and 9.12 into a separate security topic.
We worked with business risk co-ordinators in all ten of our business groups to identify data protection risks using the topic-based approach. We delivered workshops based on ‘what good looks like’ from the Accountability Framework. This prompted effective conversations around how we are already meeting expectations in some areas and where we could improve compliance in others.
We engaged with central Security & Information Business Partner teams and other teams responsible for the creation of enterprise-wide policies to determine how many records management and security improvements could be delivered centrally.
Having completed the Risk Discovery Programme, we have identified the need to coordinate risk articulation and control design due to similar themes existing across business groups. We intend to continue using the ICO’s Accountability Framework to review progress over the coming months.