Control measure: Policies and procedures provide staff with enough direction to understand their data protection and information governance roles and responsibilities.
Risk: If there is no reference material or guidance for staff to check, there may be an inconsistent approach or breaches may occur because of incorrect assumptions. This may breach article 5(2) of the UK GDPR and DPA 2018 sections 34(3) and 71(2).
Ways to meet our expectations:
- Ensure the policy framework stems from strategic business planning for data protection and information governance, which the highest level of management endorses.
- Implement policies that cover data protection, records management and information security.
- Make operational procedures, guidance and manuals readily available to support data protection policies and provide direction to operational staff.
- Ensure policies and procedures clearly outline roles and responsibilities.
Options to consider:
- Outline roles and responsibilities for applying the policies.
- Identify within individual policies who staff should raise any queries with.
- Put in place tailored operational guidance for those staff undertaking specialised roles in data protection compliance.
- Put in place a mechanism to ensure that staff have read and will follow the policy content.
- Make policies readily available to staff (eg on the staff intranet).
Have you considered the effectiveness of your accountability measures?
- Do staff know where to find relevant policies and are they easy to find?
- Could your staff explain their role and responsibilities and how the policies and procedures help them?
Control measure: There is a review and approval process in place to make sure that policies and procedures are consistent and effective.
Risk: If policies are not reviewed and updated periodically, or when changes to process are agreed, they will become out of date and ineffective. If policies are not approved and endorsed at an appropriate level they may be inaccurate or not meet business needs or strategic aims. This may breach article 5(2) of the UK GDPR.
Ways to meet our expectations:
- Ensure all policies and procedures follow an agreed format and style.
- Ensure an appropriately senior staff member reviews and approves all new and existing policies and procedures.
- Review existing policies and procedures in line with documented review dates, so they are up to date and fit for purpose.
- Update policies and procedures without undue delay when they require changes, eg because of operational change, court or regulatory decisions or changes in regulatory guidance.
- Show document control information, including version number, owner, review date and change history in all policies, procedures and guidelines.
Options to consider:
- Make policy and procedure updates readily available to staff.
- Include a document control table within each policy which contains a version number, owner, review date and change history.
Have you considered the effectiveness of your accountability measures?
- Is the highest level of management aware of the strategic business plan for information governance?
- Are policies consistent?
- Is the approval process appropriate?
Control measure: Staff are fully aware of the data protection and information governance policies and procedures that are relevant to their role.
Risk: If staff are unable to find or reference relevant policies, they will be unaware or unsure what process to follow when processing personal information. There is also a risk that they will have access to personal information without fully understanding their responsibilities for its protection and security. This may result in a breach of articles 5(1) and 5(2) of the UK GDPR.
Ways to meet our expectations:
- Ensure staff read and understand the policies and procedures, including why they are important to implement and comply with.
- Tell staff about updated policies and procedures.
- Make policies and procedures readily available for all staff on your organisation’s intranet site (or equivalent shared area) or provide them in other formats.
- Use guidelines, posters or publications to help to emphasise key messages and raise staff awareness of policies and procedures.
Options to consider:
- Put in place a mechanism to ensure that staff have read and will follow the policy content.
Have you considered the effectiveness of your accountability measures?
- Could your staff easily find policies on the intranet or equivalent shared area?
- Are they aware of the main content?
- Would we see any data protection awareness-raising materials available or on display around your office, such as posters?
Control measure: Policies and procedures foster a ‘data protection by design and by default’ approach across the organisation.
Risk: Without this approach, there may be a risk of ignoring the privacy rights of people and accepting the trade-off of functionality over privacy. This may breach article 25 of the UK GDPR.
Ways to meet our expectations:
- Where relevant, consider policies and procedures across your organisation with data protection in mind.
- Implement policies and procedures to ensure data protection issues are considered when systems, services, products and business practices involving personal information are designed and implemented, and that personal information is protected by default.
- Set out your organisation’s approach to implementing the data protection principles and safeguarding people’s rights, such as data minimisation, pseudonymisation and purpose limitation, in policies and procedures.
- Give the personal information of vulnerable groups, eg children, extra protection in policies and procedures.
Options to consider:
- Evidence in policies the consideration, where appropriate, of privacy-enhancing technologies (PETs) to assist in complying with data protection-by-design obligations.
- Carry out dip sampling and cold case reviews to ensure that staff are following data minimisation and pseudonymisation policies.
Have you considered the effectiveness of your accountability measures?
- Do staff consider data protection for all relevant policies and do they understand why it’s important?
- Are staff aware of the requirement to consider data protection when any new system, product or business practice involving personal information is designed and implemented?