The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Identifying, recording and managing risks

Your organisation has appropriate policies, procedures and measures to identify, record and manage information risks.

Ways to meet our expectations:

  • An information risk policy (either a separate document or part of a wider corporate risk policy) sets out how your organisation and its data processors manage information risk, and how you monitor compliance with the information risk policy.
  • You have a process that lets staff report and escalate information governance or data protection concerns and risks to a central point, for example through staff forums.
  • You identify and manage information risks in an appropriate risk register, which includes clear links between corporate and departmental risk registers and the risk assessment of information assets.
  • You have formal procedures to identify, record and manage risks associated with information assets in an information asset register.
  • Where you identify information risks, you have appropriate action plans and progress reports, and you consider the lessons learnt so that similar risks are avoided in future.
  • You put in place measures to mitigate the risks identified within each risk category, and you test those measures regularly to confirm they remain effective.

Can you answer yes to the following questions?

  • Do staff know how to report and escalate concerns and risks?
  • Could staff explain the links between the information risk register, the risk assessment of information assets, departmental risk registers and the corporate risk register?