
Control measure: Staff can recognise verbal and written (including electronic) requests for access.

Risk: If staff do not recognise requests for access, statutory timeframes may not be met. This may breach UK GDPR Articles 12 and 15.

Ways to meet our expectations:

  • Produce guidance for staff on how to recognise verbal, electronic and written requests.
  • Make guidance easily accessible and available in electronic and paper formats for staff who do not regularly work on computers.
  • Train all staff on recognising requests.

Options to consider:

  • Produce anonymised examples of verbal, electronic and written requests as training aids or references for staff.
  • Check staff can recognise and appropriately handle different types of requests, such as third party requests.
  • Run regular staff awareness exercises.

 

Control measure: Staff direct requests to the person or team who handles them.

Risk: If staff do not know who handles requests, untrained staff may respond to requests incorrectly and statutory timeframes may not be met. This may breach UK GDPR Articles 12 and 15.

Ways to meet our expectations:

  • Produce guidance for staff on how to direct or channel requests to the person or team who handles them.
  • Make guidance easily accessible and available in electronic and paper formats for staff who do not regularly work on computers.
  • Train all staff on directing requests.

Options to consider:

  • Run regular staff awareness exercises.
  • Use email signatures or automatic replies to direct people making rights requests to the relevant team.
  • Use phone switchboard systems to direct people making verbal rights requests to the relevant team.
  • Run a test request exercise to identify any teams that need further training.