The ICO exists to empower you through information.

Control measure: There are minimum standards for the creation of records and effective mechanisms to locate and retrieve records.

Risk: If processes for creating records are not controlled and documented clearly, records may be created with inaccurate information or inappropriately communicated. This may breach articles 5(1)(d-f), 5(2), and 32 of the UK GDPR.

If records cannot be located or retrieved accurately due to ineffective indexing, statutory requirements and timeframes may not be met. This may breach articles 12-21 of the UK GDPR or FOI section 10.

Ways to meet our expectations:

  • Implement policies and procedures to ensure that you appropriately classify, title and index new records in a way that facilitates management, retrieval and disposal.
  • Identify where you use manual and electronic record-keeping systems and maintain a central log or information asset register.
  • Know the whereabouts of records at all times, track their movements, and make attempts to trace records that are missing or not returned.
  • Index records stored off-site with unique references to enable accurate retrieval and subsequent tracking.

Options to consider:

  • Check or sample newly created records.
  • Use unique barcodes that can be scanned electronically for ease.
  • Back up the referencing and indexing system.

Have you considered the effectiveness of your accountability measures?

  • Do staff know how to classify and structure records appropriately?
  • Is the asset register kept up to date?
  • Have there been any issues locating records?

 

Control measure: There are appropriate security measures in place to protect information that is in transit, information received or information transferred to another organisation.

Risk: If records are not secured during transfers, they may be lost or accessed inappropriately, resulting in a personal data breach. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Document rules to protect the internal and external transfer of records by post, fax and electronically, for example in a transfer policy or guidance.
  • Minimise information transferred off-site and keep it secure in transit.
  • When you transfer information off-site, use an appropriate form of transport (for example secure courier, encryption, secure file transfer protocol (SFTP) or virtual private network (VPN)) and check that the information has been received.
  • Have agreements in place with any third parties you use to transfer business information to or from your organisation.

Options to consider:

  • Include information transfer processes in records management training and refresher training.
  • Restrict records with higher security classifications from leaving secure areas.
  • Run regular staff awareness exercises.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the policies and procedures and do they follow them?
  • Do staff know how to send emails or information by post or fax securely?
  • Have they been using appropriate forms of transport?

 

Control measure: There are procedures in place to make sure that records containing personal information are accurate, adequate and not excessive.

Risk: If the information processed is not checked regularly, it may be inadequate, excessive or poor quality. This may breach article 5(1)(c) and (d) of the UK GDPR.

Ways to meet our expectations:

  • Conduct regular data quality reviews of records containing personal information to make sure they are accurate, adequate and not excessive.
  • Make staff aware of data quality issues following data quality checks or audits to prevent recurrence.
  • Weed records containing personal information (whether active or archived) periodically to reduce the risks of inaccuracies and excessive retention.

Options to consider:

  • Document data quality reviews in your internal audit programme.
  • Use standard formats or system validation rules to ensure you collect quality information.
  • Set up automated alerts for information that doesn’t meet data quality requirements. 
  • Use system rules or automated alerts to highlight records for weeding.

Have you considered the effectiveness of your accountability measures?

  • Could staff demonstrate the process for conducting data quality reviews?
  • Do staff understand their responsibilities, and do they know what to do if they identify issues?

 

Control measure: There is an appropriate retention schedule outlining storage periods for all personal information, which is reviewed regularly.

Risk: Without a retention schedule, information may be retained for longer than necessary. This may breach articles 5(1)(a-f), 5(2), and 32 of the UK GDPR.

Ways to meet our expectations:

  • Have a retention schedule based on business need with reference to statutory requirements and other principles (for example the National Archives).
  • Ensure the schedule provides sufficient information to identify all records and to implement disposal decisions in line with the schedule.
  • Assign responsibilities to make sure that staff adhere to the schedule and you review it regularly.
  • Regularly review retained information to identify opportunities for minimisation, pseudonymisation or anonymisation and document this in the schedule.

Options to consider:

  • Use an automated system that tags records with a retention date and automatically prompts for action at this date.
  • Publish the retention schedule.
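As an added illustration of the automated tagging described above (example code written for this page, not an ICO tool or a reference to any particular records system), the script below tags each record with a retention date derived from a retention schedule and a trigger date, then sorts records into those overdue for disposal, those due within a warning window, and those with no category in the schedule. The schedule categories, periods and record identifiers are constructed for the example; a real schedule would be built from business need and statutory requirements as the guidance says.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule (hypothetical categories and periods, for illustration only):
# category -> (years retained after the trigger event, disposal action).
# None for the period means the record is retained permanently.
RETENTION_SCHEDULE = {
    "hr-personnel-file": (6, "destroy"),
    "recruitment-unsuccessful": (1, "destroy"),
    "customer-contract": (7, "destroy"),
    "board-minutes": (None, "transfer-to-archive"),
}


@dataclass
class Record:
    record_id: str
    category: str
    trigger_date: date      # the event the retention period counts from, e.g. leaving date
    disposed: bool = False  # set once the disposal action has been carried out and logged


def add_years(d, years):
    """Add whole years to a date, mapping 29 February onto 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def tag_retention(record):
    """Return (retain_until, action) for a record; retain_until is None for permanent records.

    A category missing from the schedule raises KeyError so the gap is surfaced
    rather than the record being silently kept."""
    years, action = RETENTION_SCHEDULE[record.category]
    if years is None:
        return None, action
    return add_years(record.trigger_date, years), action


def review_records(records, today, warning_days=30):
    """Sort undisposed records into the prompts a records manager would act on."""
    result = {"overdue": [], "due_soon": [], "uncategorised": [], "ok": []}
    horizon = today + timedelta(days=warning_days)
    for rec in records:
        if rec.disposed:
            continue
        try:
            retain_until, action = tag_retention(rec)
        except KeyError:
            result["uncategorised"].append(rec.record_id)
            continue
        if retain_until is None:
            result["ok"].append(rec.record_id)
        elif retain_until <= today:
            result["overdue"].append((rec.record_id, action, retain_until.isoformat()))
        elif retain_until <= horizon:
            result["due_soon"].append((rec.record_id, action, retain_until.isoformat()))
        else:
            result["ok"].append(rec.record_id)
    return result


# Constructed sample records (identifiers and dates invented for the example).
SAMPLE_RECORDS = [
    Record("HR-0001", "hr-personnel-file", date(2017, 3, 15)),      # 6 years -> 2023-03-15, overdue
    Record("REC-0042", "recruitment-unsuccessful", date(2023, 6, 20)),  # 1 year -> 2024-06-20
    Record("CON-0003", "customer-contract", date(2020, 1, 1)),       # 7 years -> 2027-01-01
    Record("MISC-0007", "unclassified-correspondence", date(2021, 9, 9)),  # not in schedule
    Record("HR-0002", "hr-personnel-file", date(2016, 1, 1), disposed=True),  # already destroyed
    Record("B-0001", "board-minutes", date(2019, 5, 5)),             # permanent
]

if __name__ == "__main__":
    for bucket, items in review_records(SAMPLE_RECORDS, date(2024, 6, 1)).items():
        print(bucket, items)
```

The "uncategorised" bucket is the important one for the accountability questions: a record that cannot be matched to the schedule is a record whose disposal decision nobody has made, and it should be assigned a category rather than left to accumulate.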

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the retention schedule?
  • Do they adhere to it?
  • Could staff explain what their responsibilities are and how they carry them out effectively?

 

Control measure: Methods of destruction are covered in a policy and they are appropriate to prevent disclosure of personal information prior to, during or after disposal.

Risk: If personal information in electronic records is not destroyed securely, it may be recoverable. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • For paper documents, use locked waste bins for records containing personal information, and ensure either in-house or third-party cross shredding or incineration is in place.
  • For information held on electronic devices, ensure wiping, degaussing or secure destruction of hardware (shredding) is in place.
  • Securely hold, collect or send away confidential waste awaiting destruction.
  • Have appropriate contracts in place with third parties to dispose of personal information, that provide you with appropriate assurance that they have securely disposed of the information, for example through audit checks and destruction certificates.
  • Have a log of all equipment and confidential waste sent for disposal or destruction.

Options to consider:

  • Maintain an access log to show who has accessed electronic devices awaiting destruction.
  • Check areas with devices awaiting destruction on site walks.
  • Use a third-party secure hardware destruction provider.

Have you considered the effectiveness of your accountability measures?

  • Is there a secure location for confidential waste collected daily, until it is collected for disposal internally or by a third party?
  • Is there a secure storage area for equipment awaiting disposal?

 

Control measure: There is an asset register that records assets, systems and applications used for processing or storing personal information across the organisation.

Risk: Without an inventory or asset register, personal information may be processed without your organisation being aware of it or applying appropriate controls. This may breach articles 5(1)(f), 5(2), and 32 of the UK GDPR.

Ways to meet our expectations:

  • Have an asset register which holds details of all information assets (software and hardware) including:
    • asset owners;
    • asset location;
    • retention periods; and
    • security measures deployed.
  • Review the register periodically to make sure it remains up to date and accurate.
  • Periodically risk-assess assets within the register and have physical checks to make sure that the hardware asset inventory remains accurate.

Options to consider:

  • Use online forms to capture all relevant information about information assets.

Have you considered the effectiveness of your accountability measures?

  • Is the register accurate – could you use it to find equipment around your office?
  • If we selected a sample of software, could you demonstrate that the details in the register are correct?

 

Control measure: Identify, document and implement rules for the acceptable use of software (systems or applications) processing or storing information.

Risk: If staff are unaware of how they should use the organisation’s software, there is a risk that personal information may be accessed or shared inappropriately, lost, corrupted or vulnerable to attack. This may breach article 32 of the UK GDPR.

Ways to meet our expectations:

  • Have acceptable use or terms and conditions of use procedures in place.
  • Have system operating procedures which document the security arrangements and measures in place to protect the information held within systems or applications.
  • Monitor compliance with acceptable use rules and make sure that staff are aware of any monitoring.

Options to consider:

  • Check staff understanding of acceptable use policies and run awareness sessions on a regular basis.
  • Have system-generated pop-up messages when using software or systems to remind staff of the rules of use.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the policies and procedures?
  • Are they well understood?

 

Control measure: Access to personal information is limited to authorised staff only and users’ access rights are regularly reviewed.

Risk: If access to personal information is not limited to authorised staff only and access rights are not reviewed there is a risk that personal information may be accessed inappropriately. If staff change role and retain all their previous access rights, they may keep access to personal information which is no longer relevant to their role. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Have an access control policy which specifies that users must follow your organisation's practices in the use of secret authentication information, for example passwords or tokens.
  • Implement a formal user access provisioning procedure to assign access rights for staff (including temporary staff) and third-party contractors to all relevant systems and services required to fulfil their role, for example 'new starter process'.
  • Restrict and control the allocation and use of privileged access rights.
  • Keep a log of user access to systems holding personal information.
  • Regularly review users’ access rights and adjust or remove rights where appropriate, for example when an employee changes role or leaves the organisation.

Options to consider:

  • Keep records to demonstrate user access rights have been reviewed and appropriately adjusted if required.
  • Assign end dates to access permissions, particularly for temporary role changes or where access isn’t needed permanently.
  • Conduct audits of privileged accounts to ensure access isn’t misused.
  • Utilise security classifications to assess which roles should have access to certain types of information.
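As an added example of the access review the expectations and options above describe (written for this page; not an ICO tool, and not tied to any particular directory or identity product), the script below reconciles a list of users against the access they have been granted and flags the cases a reviewer would look for: leavers with live access, grants whose end date has passed, movers still holding entitlements their current role does not need, privileged rights with no end date, and grants on accounts with no matching person. The role-to-entitlement matrix, user identities and dates are all constructed for the example. It also returns a summary record of the review, since keeping evidence that the review happened is itself one of the options listed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed role-to-entitlement matrix (hypothetical role and system names, illustration only).
ROLE_ENTITLEMENTS = {
    "hr-advisor": {"email", "hr-system:read", "hr-system:write"},
    "finance-analyst": {"email", "finance-ledger:read"},
    "it-admin": {"email", "ad:domain-admin"},
}

# Entitlements treated as privileged: the review expects them to carry an end date
# so that they are re-approved rather than held indefinitely.
PRIVILEGED = {"ad:domain-admin", "hr-system:write"}


@dataclass
class User:
    user_id: str
    role: str                       # current role; a mover's role has already been updated
    left_on: Optional[date] = None  # set by the leaver process


@dataclass
class Grant:
    user_id: str
    entitlement: str
    granted_on: date
    ends_on: Optional[date] = None  # optional expiry, e.g. for a temporary role change


def review_access(users, grants, today):
    """Return a list of (user_id, entitlement, reason) findings for the reviewer."""
    by_id = {u.user_id: u for u in users}
    findings = []
    for g in grants:
        user = by_id.get(g.user_id)
        if user is None:
            findings.append((g.user_id, g.entitlement, "orphaned-account"))
        elif user.left_on is not None and user.left_on <= today:
            findings.append((g.user_id, g.entitlement, "leaver-still-active"))
        elif g.ends_on is not None and g.ends_on < today:
            findings.append((g.user_id, g.entitlement, "expired-grant"))
        elif g.entitlement not in ROLE_ENTITLEMENTS.get(user.role, set()):
            findings.append((g.user_id, g.entitlement, "not-required-by-role"))
        elif g.entitlement in PRIVILEGED and g.ends_on is None:
            findings.append((g.user_id, g.entitlement, "privileged-without-end-date"))
    return findings


def review_evidence(users, grants, today):
    """Summary record of the review, kept as evidence that it took place."""
    findings = review_access(users, grants, today)
    return {
        "review_date": today.isoformat(),
        "users_reviewed": len(users),
        "grants_reviewed": len(grants),
        "findings": findings,
    }


# Constructed sample data (names, roles and dates invented for the example).
SAMPLE_USERS = [
    User("alice", "hr-advisor"),
    User("bob", "finance-analyst"),          # moved from hr-advisor earlier in the year
    User("carol", "hr-advisor", left_on=date(2024, 5, 1)),
    User("dave", "it-admin"),
    User("frank", "hr-advisor"),
]

SAMPLE_GRANTS = [
    Grant("alice", "email", date(2022, 1, 10)),
    Grant("alice", "hr-system:read", date(2022, 1, 10)),
    Grant("alice", "hr-system:write", date(2024, 1, 10), ends_on=date(2024, 12, 31)),
    Grant("bob", "hr-system:read", date(2021, 3, 1)),   # left over from bob's previous role
    Grant("bob", "finance-ledger:read", date(2024, 2, 1)),
    Grant("bob", "email", date(2021, 3, 1)),
    Grant("carol", "email", date(2020, 6, 1)),          # carol has left
    Grant("dave", "email", date(2019, 9, 9)),
    Grant("dave", "ad:domain-admin", date(2019, 9, 9)),  # privileged, open-ended
    Grant("erin", "finance-ledger:read", date(2023, 4, 4)),  # no such user in the list
    Grant("frank", "email", date(2023, 11, 1), ends_on=date(2024, 1, 31)),  # temporary, expired
    Grant("frank", "hr-system:read", date(2023, 11, 1)),
]

if __name__ == "__main__":
    for finding in review_access(SAMPLE_USERS, SAMPLE_GRANTS, date(2024, 6, 1)):
        print(finding)
```

The checks are ordered so that each grant gets the most serious applicable reason once: a leaver's grant is reported as a leaver problem even if it has also expired, and a role mismatch is reported before the privileged-rights check because access not required by the role should be removed regardless of its end date.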

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the policies and procedures?
  • Are third-party access rights assigned appropriately given what is required in a contract?
  • Are access rights correct and up to date?
  • Would a sample of new starters, movers and leavers show adherence to the policies and procedures?

 

Control measure: Unauthorised access to systems and applications is prevented, for example by passwords, technical vulnerability management and malware prevention tools.

Risk: If access to systems and applications is not controlled and monitored there is a risk of unauthorised access to personal information on these systems. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Restrict access to systems or applications processing personal information to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied).
  • Apply minimum password complexity rules and limit log-on attempts to systems or applications processing personal information.
  • Have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text).
  • Use email content and attachment security solutions (encryption) to appropriately protect emails containing sensitive personal information.
  • Log and monitor user and system activity to detect anything unusual.
  • Implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate.
  • Keep anti-malware and anti-virus protection up-to-date and configure it to perform regular scans.
  • Ensure your organisation has access to, and acts upon, any updates on technical vulnerabilities to systems or software, for example vendor alerts or patches.
  • Regularly run vulnerability scans.
  • Deploy URL or web content filtering to block specific websites or entire categories.
  • Strictly control or prohibit the use of social media, or messaging apps such as WhatsApp to share personal information.
  • Have external and internal firewalls and intrusion detection systems in place as appropriate to ensure the security of information in networks and systems from unauthorised access or attack, for example denial of service attacks.
  • Do not have unsupported operating systems in use, for example Windows XP or Windows Server 2003.
  • Establish special controls to safeguard the confidentiality and integrity of information passing over public networks or over wireless networks and to protect the connected systems and applications.

Options to consider:

  • Test how secure authentication information is by using password strength checkers and penetration testing.
  • Restrict access to system design and specification documents that may contain information highlighting vulnerabilities.
  • Set expiration dates on passwords and send reminders to staff when their password is due to expire.
  • Implement lockout mechanisms after a certain number of failed log-in attempts.
  • Conduct risk assessments to determine which anti-virus and anti-malware software is most suitable to your organisation.
  • Quarantine outgoing emails containing sensitive information automatically.
  • Enable alerts such as emails or push notifications to notify unusual activity.
  • Place devices with unsupported software or operating systems on a separate network, or air-gap them.
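The expectation above to log and monitor user activity for anything unusual, and the option to lock accounts after a number of failed log-in attempts, can be checked against the logs you already keep. The script below is an added example written for this page (not an ICO tool, and the log format is invented for the example) that reads authentication log lines, applies a lockout rule of a configurable number of failures within a time window, and reports three things a reviewer would want to see: accounts that reached the lockout threshold, a successful log-in while an account should still have been locked (which means the lockout is not being enforced where the log was taken), and a success immediately following a run of failures short of the threshold. The threshold, window and lockout duration are assumptions chosen for the example, not values the guidance specifies.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed authentication log (hypothetical format and addresses, illustration only).
SAMPLE_LOG = """\
2024-06-01T08:00:00 user=alice src=203.0.113.9 result=FAIL
2024-06-01T08:01:00 user=alice src=203.0.113.9 result=FAIL
2024-06-01T08:02:00 user=alice src=203.0.113.9 result=FAIL
2024-06-01T08:03:00 user=alice src=203.0.113.9 result=FAIL
2024-06-01T08:04:00 user=alice src=203.0.113.9 result=FAIL
2024-06-01T08:05:00 user=alice src=203.0.113.9 result=OK
2024-06-01T08:10:00 user=bob src=10.0.0.5 result=FAIL
2024-06-01T08:10:30 user=bob src=10.0.0.5 result=FAIL
2024-06-01T08:11:00 user=bob src=10.0.0.5 result=FAIL
2024-06-01T08:11:30 user=bob src=10.0.0.5 result=OK
this line is malformed and should be counted, not crash the review
2024-06-01T09:00:00 user=carol src=10.0.0.7 result=FAIL
2024-06-01T09:15:00 user=carol src=10.0.0.7 result=FAIL
2024-06-01T09:30:00 user=carol src=10.0.0.7 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    src: str
    result: str


def parse_line(line):
    """Parse one log line into an Event, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), m["user"], m["src"], m["result"])


def analyse(log_text, threshold=5, window=timedelta(minutes=10),
            lockout=timedelta(minutes=15), review_after=3):
    """Apply the lockout rule to the log and return findings plus the count of unparsed lines."""
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    locked_until = {}                     # user -> time at which the lockout should end
    findings, unparsed = [], 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        q = recent_failures[ev.user]
        while q and ev.ts - q[0] > window:   # drop failures that have aged out of the window
            q.popleft()
        lock = locked_until.get(ev.user)
        if lock is not None and ev.ts < lock:
            kind = "success-during-lockout" if ev.result == "OK" else "attempt-during-lockout"
            findings.append((kind, ev.user, ev.ts.isoformat()))
            continue
        if ev.result == "FAIL":
            q.append(ev.ts)
            if len(q) >= threshold:
                locked_until[ev.user] = ev.ts + lockout
                findings.append(("lockout", ev.user, ev.ts.isoformat()))
                q.clear()
        else:
            if len(q) >= review_after:
                findings.append(("success-after-failures", ev.user, ev.ts.isoformat()))
            q.clear()                        # a success resets the failure run
    return {"findings": findings, "unparsed": unparsed}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for finding in report["findings"]:
        print(*finding)
    print("unparsed lines:", report["unparsed"])
```

In the sample, alice's sixth attempt succeeds one minute after the threshold was reached, so the "success-during-lockout" finding says the system that produced the log is not applying the lockout the policy calls for; carol's failures are too far apart to fall inside the window and produce nothing, which is the intended behaviour for ordinary mistyped passwords.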

Have you considered the effectiveness of your accountability measures?

  • Would a sample of systems access at various job levels confirm that you apply access levels appropriately?
  • Are the passwords complex?
  • Could staff demonstrate that anti-virus and anti-malware has been implemented on key information systems?
  • Do you install vendor updates in a timely manner?
  • Could we access a black-listed site or an unsupported operating system on-site?

 

Control measure: There are appropriate mechanisms in place to manage the security risks of using mobile devices, home or remote working and removable media.

Risk: Without appropriate technical controls surrounding the deployment and use of mobile devices there is a risk of unauthorised access to, or loss of, a mobile device. 

If the use of removable media is not controlled, there is increased risk of a personal data breach as personal information may be stored on devices which are unsecure.

If suitable security measures are not in place, personal information may not be kept secure during remote working or working from home.

This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Have a mobile device and a home/remote working policy that demonstrates how your organisation will manage the associated security risks.
  • Have protections in place to avoid the unauthorised access to or disclosure of the information processed by mobile devices, for example, encryption and remote wiping capabilities.
  • Implement security measures to protect information processed when home or remote working, for example VPN and two-factor authentication.
  • Where you have a business need to store personal information on removable media, minimise personal information and implement a software solution that can set permissions or restrictions for individual devices as well as an entire class of devices.
  • Use the most up-to-date version of your remote access solution. Support and update devices remotely.
  • Do not allow equipment, information or software to be taken off-site without prior authorisation and have a log of all mobile devices and removable media used and who they are allocated to.

Options to consider:

  • Ensure all information stored on removable media is encrypted.
  • Utilise technologies that prevent unauthorised information transfers to removable media.
  • Provide training to staff on their responsibilities for keeping personal information secure when working remotely or at home.
  • Develop guidance for staff to follow when working in a public place.
  • Risk-assess the use of mobile devices before implementing it.

Have you considered the effectiveness of your accountability measures?

  • Can staff find the policies and procedures?
  • Are they aware of the main contents?
  • Would a sample of devices have appropriate encryption?
  • Could you demonstrate appropriate access arrangements for home or remote working?
  • Are staff working from home or remotely aware of the authorisation requirements?

 

Control measure: Physical business locations are secured to prevent unauthorised access, damage and interference to personal information.

Risk: A lack of physical controls greatly increases the risk of unauthorised access to personal and special category information. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Protect secure areas (areas that contain either sensitive or critical information) by appropriate entry controls such as doors and locks, alarms, security lighting or CCTV.
  • Have visitor protocols in place such as signing-in procedures, name badges and escorted access.
  • Implement additional protection against external and environmental threats in secure areas such as server rooms.
  • Ensure office equipment is appropriately placed and protected to reduce the risks from environmental threats and opportunities for unauthorised access.
  • Securely store paper records and control access to them.
  • Operate a clear desk policy across your organisation where personal information is processed.
  • Carry out regular clear desk 'sweeps' or checks and feed back any issues appropriately.
  • Operate a 'clear screen' policy across your organisation where personal information is processed.

Options to consider:

  • Regularly test physical controls to gain assurances of their effectiveness.
  • Ensure entry points include a mixture of controls to maximise security, for example perimeter security and electronic access control systems.
  • Maintain a log of all attempts to access secure areas to assess whether they are authorised.
  • Utilise additional electronic controls such as CCTV in secure areas.

Have you considered the effectiveness of your accountability measures?

  • Are printer areas secure?
  • Do staff follow protocols and are they clearly communicated?
  • Would we see appropriate environmental controls in your secure areas?
  • Would a tour of your offices reveal an effective clear desk policy?
  • Are screens left unlocked?

 

Control measure: There are plans to deal with serious disruption, and back up key systems, applications and information to protect against loss of personal information.

Risk: Without data loss measures, sensitive information could be exposed or disclosed, which could cause reputational damage or impact on people’s rights and privacy. If no backups are available, there is a risk of permanently losing the personal information you hold. This may breach articles 5(1)(f) and 32 of the UK GDPR.

Ways to meet our expectations:

  • Have a risk-based Business Continuity Plan to manage disruption and a Disaster Recovery Plan to manage disasters, which identify records that are critical to the continued functioning of your organisation.
  • Take back-up copies of electronic information, software and systems (and ideally store them off-site).
  • Ensure the frequency of backups reflects the sensitivity and importance of the information.
  • Regularly test back-ups and recovery processes to ensure they remain fit for purpose.

Options to consider:

  • Test backup and recovery processes to ensure they remain fit for purpose.
  • Use a variety of backup types and methods depending on the criticality of the personal information processed.
  • Limit access to backups to authorised personnel only.

Have you considered the effectiveness of your accountability measures?

  • Are staff aware of the plans and are they easy to access?
  • Could staff explain the effectiveness of the plans and how to test them?