The ICO exists to empower you through information.

Control measure: The whereabouts of physical records are known at all times and the movement of records between storage and office areas is logged and tracked to help control and provide an audit trail of all record transactions.

Risk: If records are not controlled and tracked during transit, personal information may be lost or misplaced. This may breach UK GDPR articles 5(1)(f), 5(2), and 32.

Ways to meet our expectations:

  • Have a process or system to log the current locations of all physical records.
  • Track the movement, transfer, and access to any physical records.

Options to consider:

  • Use barcodes, access cards, or key fobs to scan records when leaving one location and again when arriving at another location.

 

Control measure: Records stored off-site are indexed with unique references to enable accurate retrieval and subsequent tracking.

Risk: If records cannot be located or retrieved accurately due to ineffective indexing, statutory requirements and timeframes may not be met. This may breach UK GDPR articles 12-21 or FOI section 10.

Ways to meet our expectations:

  • Document what referencing or indexing system is used.
  • Log the location of records stored off-site using the index reference.

Options to consider:

  • Use unique barcodes that can be scanned electronically for ease.
  • Back up the referencing and indexing system.

 

Control measure: Retrieval and tracking mechanisms are checked to ensure they remain effective.

Risk: If records cannot be located or retrieved quickly, statutory requirements and timeframes may not be met. This may breach UK GDPR articles 12-21 or FOI section 10.

Ways to meet our expectations:

  • Measure performance metrics or key performance indicators for record retrieval and tracking mechanisms (eg the time taken to retrieve records or the number of records away from their assigned location for an extended time).
  • Check or periodically audit that record locations are accurate.

Options to consider:

  • Operate a sign-in and sign-out process for records taken from their assigned location.
  • Have automated alerts if records are not returned to their assigned location or are in transit for an extended time.
  • Add oversight of retrieval and tracking mechanisms as a standing agenda item on relevant team and senior management meetings.

 

Control measure: Systems have the functionality to easily locate and retrieve electronic records.

Risk: If records cannot be located or retrieved quickly and accurately, statutory requirements and timeframes may not be met. This may breach UK GDPR articles 12-21 or FOI section 10.

Ways to meet our expectations:

  • Embed search functionality into system design from the outset.
  • Use naming conventions, metadata, and data labels so staff can easily locate and retrieve electronic records.

Options to consider:

  • Document naming conventions, metadata, and data labels in a policy or staff guidance.
  • Use system rules to force compliance with naming conventions, metadata, and data labels, or to flag where staff don’t follow these.
  • Run regular staff awareness exercises.

 

Control measure: Records are stored securely when being transported, held off-site and when remote or home-working.

Risk: If records are not transported and stored securely off-site, they may be lost or accessed inappropriately, resulting in a personal information breach. This may breach UK GDPR articles 5(1)(f) and 32.

Ways to meet our expectations:

  • Document security arrangements for physical records taken off-site in records management and remote working policies.
  • Log records that are taken off-site and who by.
  • Ensure physical records are unmarked, transported securely in a locked case or bag, and not left unattended on public transport or in hotel rooms.
  • Assess the risks of records being routinely taken off-site before they are removed.
  • Ensure records created off-site or at home are kept secure, returned, or destroyed.
  • Document how staff should securely keep and destroy records when working from home.
  • Implement appropriate security measures for records transported on mobile and remote media devices.

Options to consider:

  • Restrict records with higher security classifications from leaving site premises.
  • Run regular staff awareness exercises.
  • Document the process for staff to follow if records are lost in a personal data breach or incident management process.
  • Implement remote wiping technology for mobile devices.

 

Control measure: Records are transferred securely internally or externally to third parties.

Risk: If records are not secured during transfers, they may be lost or accessed inappropriately, resulting in a personal data breach. This may breach UK GDPR articles 5(1)(f) and 32.

Ways to meet our expectations:

  • Secure physical records that are transferred externally by post or courier.
  • Secure electronic records that are transferred internally or externally (eg by using encryption, secure file transfer protocol or online secure file sharing areas).
  • Document information transfer policies or rules in policies and communicate them clearly to all staff.

Options to consider:

  • Include information transfer processes in records management training and refresher training.
  • Restrict records with higher security classifications from leaving secure areas.
  • Run regular staff awareness exercises.