The ICO exists to empower you through information.

Control measure: Specific data protection training is provided to specialist roles, functions and staff that handle a large volume of personal information on a regular basis. 

Risk: If staff in specialist roles do not receive additional specialised training, there is a heightened risk of a personal data breach or non-compliance with data protection law. 

Ways to meet our expectations:

  • Complete a training needs analysis to identify roles that require specialist information governance and data protection knowledge or expertise.
  • Include wider information governance based roles in the training plan. For example, staff with responsibility for: 
  • records management; 
  • information security; 
  • data sharing; 
  • handling individual rights requests; or 
  • exemptions and disclosures.
  • Detail training and skills requirements within role profiles.
  • Assign responsibility to oversee, or approve procurement of, specialist training.
  • Ensure staff in specialist information governance and data protection roles complete the specialist training before they begin work relating to their specialised role.
  • Ensure staff who receive specialised information governance and data protection training periodically receive appropriate refresher training.
  • Document that staff have attended required specialist training by keeping complete and up-to-date records. Obtain certificates to evidence the completion of any specialist external training.
  • Assess staff understanding of the training using a knowledge check with a minimum pass mark. Support staff who need further training if they consistently do not achieve the minimum pass mark.

Options to consider:

  • Seek specialist external training for staff.
  • Ask the DPO, information governance manager or equivalent, to help develop any in-house training and periodically review the content.