Staff awareness-raising
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
Control measure: Various communication methods are used on a regular basis to raise staff awareness of information governance, data protection and information security, and the associated policies and procedures.
Risk: If only limited types of communication are used, staff may not be made aware of important messages effectively, and some key messaging may not reach them in a timely manner. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Use a variety of types of communication to raise staff awareness generally, not just in the information governance department.
- Periodically communicate information governance, data protection and information security policy updates to all staff.
- Feature information governance, data protection and information security messages in communications sent on a regular basis to staff (eg newsletters).
Options to consider:
- Display awareness-raising posters around the premises.
- Use screensavers to help raise staff awareness.
Control measure: Staff are given the opportunity at team and department meetings to discuss information governance, data protection and information security, and associated issues.
Risk: If staff do not have a regular opportunity to discuss issues or raise questions, they will fail to ensure compliance with legislative requirements.
Ways to meet our expectations:
- Give staff an opportunity to raise questions or concerns about information governance, data protection and information security at team, department, or equivalent meetings.
- Invite information governance, data protection and information security staff to team, department, or equivalent meetings to provide more detail or focused briefings.
Options to consider:
- Add information governance, data protection and information security as standing agenda items in team briefs or meetings.
- Have a data protection champion in various key departments.
Control measure: Staff know who to contact about any information governance, data protection or information security related queries or advice.
Risk: Queries may go unasked or unanswered if staff do not know who to contact, therefore increasing the risk of non-compliance and breaching data protection law.
Ways to meet our expectations:
- Include directions in staff training material, as well as in policies and procedures, on who to contact and how.
- Provide and monitor a general email inbox for information governance and data protection queries.
- Include guidance in awareness material on how to get information governance, data protection and information security advice.
Options to consider:
- Check staff can recognise who they should contact if they have any queries or advice requests about information governance, data protection or information security.
- Run regular staff awareness exercises or scenarios.
- Make these details available on the internal intranet.