My organisation has business targets relating to data protection compliance and information governance and we can access the relevant information to assess against them.
Ways to meet our expectations:
- You have KPIs regarding subject access request (SAR) performance (the volume of requests and the percentage completed within statutory timescales).
- You have KPIs regarding the completion of data protection and information governance training, including a report showing the percentage of staff who complete training.
- You have KPIs regarding information security, including the number of security breaches, incidents and near misses.
- You have KPIs regarding records management, including the use of metrics such as file retrieval statistics, adherence to disposal schedules and the performance of the system in place to index and track paper files containing personal data.
Can you answer yes to the following questions?
- Could staff explain any instances of non-compliance with statutory timescales highlighted in the reports, and the actions taken to address the issue?