Control measure: Processes for creating records or documented information are in place and outlined in policies.
Risk: If processes for creating records are not controlled and documented clearly, records may be created with inaccurate information or inappropriately communicated. This may breach UK GDPR articles 5(1)(d-f), 5(2), and 32.
Ways to meet our expectations:
- Document record creation processes in sufficient detail in policies, including document management protocols, metadata use, and record formatting and classification.
- Highlight changes to processes clearly in policies (eg in a change history).
- Communicate processes to staff who create records and make policies readily available for them to refer to.
Options to consider:
- Document clear step-by-step instructions or a process flow chart for creating records.
- Check or sample newly created records.
Control measure: Records are appropriately identified and classified.
Risk: Without clear identification and classification showing what a record contains, who should use it, and where it should be, records may be accessed inappropriately or subject to a personal data breach. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Assign an appropriate security classification to records and personal information.
- Clearly identify and describe records and personal information (eg in file names and metadata).
- Document classification and identification processes in sufficient detail in policies, including document management protocols, metadata use, and record formatting.
Options to consider:
- Document clear step-by-step instructions or a process flow chart for how to classify and identify records.
- Set default security classifications for certain types of record or information.