Control measure: There is a process to identify and follow up on non-completion or non-attendance of data protection related training.
Risk: If there is no process in place to identify and follow up when staff miss or fail to complete training, there is an increased risk of personal data breaches and non-compliance with data protection law.
Ways to meet our expectations:
- Allocate responsibility for identifying staff who have not completed or attended data protection training, and for ensuring that those staff complete it.
- Implement procedures to ensure that a staff member completes or attends data protection training as soon as possible, if they have failed to do so.
- Consider removing access to personal information from staff who fail to undergo data protection training.
Options to consider:
- Allocate some specific ‘protected’ time for staff to complete training.