Control measure: There is an overarching, strategic, needs-based information governance training programme in place.
Risk: If staff training is not specific or appropriate for the level of information processing taking place and the role that each member performs, staff may not have the necessary competence to ensure compliance with legislation or properly protect personal information. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Include national and sector-specific requirements into the training programme.
- Include comprehensive information about key areas of data protection, such as handling requests, data sharing, information security, personal data breaches and records management.
- Regularly assess the training needs of all staff groups who have access to personal information, as well as specific data handling and security management responsibilities. This includes voluntary, temporary and contract staff.
- Produce a training needs analysis document.
- Ensure delivery timescales for training programmes and strategies meet the training needs of staff.
Options to consider:
- Assess the effectiveness of the information governance training programme.
- Monitor staff adherence to information governance requirements as a way of assessing staff knowledge and understanding.
- Make relevant training material available to staff, so they can easily access it at any time.
- Assess whether trainers have the appropriate knowledge and skills.
- Review the training needs analysis periodically to ensure it remains relevant and up-to-date.
- Give staff the opportunity and means to raise any additional training needs.
Control measure: There is support from senior level staff to provide an information governance training programme that is effectively resourced.
Risk: If staff go untrained for excessive periods of time and regard the training as unimportant due to the lack of senior level support and insufficient training resource, there is a risk of a breach. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Sign off information governance training programme content at senior management level.
- Assign responsibility for managing and co-ordinating information governance training for all staff.
- Assign dedicated staff resources to deliver the training programme.
- Ensure training is delivered by appropriately trained staff.
Options to consider:
- Encourage staff completion of information governance training through all-staff communications from senior staff members.
- Ask senior staff to attend information governance training with junior staff, where training is delivered face-to-face.