Control measure: Specific data protection training is provided to specialist roles, functions and staff that handle a large volume of personal information on a regular basis.
Risk: If staff in specialist roles do not receive additional specialised training, there is a heightened risk of a personal data breach or non-compliance with data protection law.
Ways to meet our expectations:
- Complete a training needs analysis to identify roles that require specialist information governance and data protection knowledge or expertise.
- Include wider information-governance-based roles in the training plan. For example, staff with responsibility for:
  - records management;
  - information security;
  - data sharing;
  - handling individual rights requests; or
  - exemptions and disclosures.
- Detail training and skills requirements within role profiles.
- Assign responsibility to oversee, or approve procurement of, specialist training.
- Ensure staff in specialist information governance and data protection roles complete the specialist training before they begin work relating to their specialised role.
- Ensure staff who receive specialised information governance and data protection training periodically receive appropriate refresher training.
- Document that staff have attended required specialist training by keeping complete and up-to-date records. Obtain certificates to evidence the completion of any specialist external training.
- Assess staff understanding of the training using a knowledge check with a minimum pass mark. Support staff who need further training if they consistently do not achieve the minimum pass mark.
Options to consider:
- Seek specialist external training for staff.
- Ask the DPO, information governance manager, or equivalent to help develop any in-house training and to periodically review its content.