The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Internal audit programme

If your organisation has an internal audit programme, it covers data protection and related information governance (for example security and records management) in sufficient detail.

Ways to meet our expectations:

  • You monitor your own data protection compliance and you regularly test the effectiveness of the measures you have in place.
  • Your organisation regularly tests staff adherence to data protection and information governance policies and procedures.
  • You routinely conduct informal ad-hoc monitoring and spot checks.
  • You ensure your monitoring of policy compliance is unbiased by keeping it separate from those who implement the policies.
  • You have a central audit plan/schedule in place to show the planning of data protection and information governance internal audits.
  • You produce audit reports to document the findings.
  • You have a central action plan in place to take forward the outputs from data protection and information governance audits.

Can you answer yes to the following questions?

  • Could staff explain a sample of actions from the action plan, including how they were identified, progressed and closed?
  • Do senior management have oversight of the action plan?
  • Are there appropriate links to a risk management process and register?