Training and awareness

This makes sure that all employees receive appropriate training about your privacy programme, including what its goals are, what it requires people to do and what responsibilities they have. The training must be relevant, accurate and up to date. Training and awareness is key to actually putting into practice your policies, procedures and measures by:

At a glance – what we expect from you

• All staff training programme
• Induction and refresher training
• Specialised roles
• Monitoring
• Awareness-raising

All-staff training programme

You have an all-staff data protection and information governance training programme.

Ways to meet our expectations:

• Your programme incorporates national and sector-specific requirements.
• Your programme is comprehensive and includes training for all staff on key areas of data protection such as handling requests, data sharing, information security, personal data breaches and records management.
• You consider the training needs of all staff and use this information to compile the training programme.
• You assign responsibilities for managing information governance and data protection training across your organisation and you have training plans or strategies in place to meet training needs within agreed time-scales.
• You have dedicated and trained resources available to deliver training to all staff.
• You regularly review your programme to ensure that it remains accurate and up to date.
• Senior management sign off your programme.

Have you considered the effectiveness of your accountability measures?

• Are you meeting staff training needs effectively?
• Have your trainers received appropriate training?
• Are their responsibilities clear and could they explain how you implement their responsibilities in practice?

Induction and refresher training

Your training programme includes induction and refresher training for all staff on data protection and information governance.

Ways to meet our expectations:

• Appropriate staff, such as the DPO or an information governance manager, oversee or approve induction training.
• Your staff receive induction and refresher training, regardless of how long they will be working for your organisation, their contractual status or grade.
• Your staff receive induction training prior to accessing personal data and within one month of their start date.
• Your staff complete refresher training at appropriate intervals.

Have you considered the effectiveness of your accountability measures?

• Could we observe your training delivery methods?
• Is it effective?
• Do you follow up on ‘no shows’?
• Could staff explain their training records?

Specialised roles

Specialised roles or functions with key data protection responsibilities (such as DPOs, subject access and records management teams) receive additional training and professional development beyond the basic level provided to all staff.

Ways to meet our expectations:

• You complete a training needs analysis for information governance and data protection staff to inform the training plan and to ensure it is specific to the individual’s responsibilities.
• You detail training and skills requirements in job descriptions.
• You have evidence to confirm that key roles complete up-to-date and appropriate specialised training and professional development, and they are subject to proportionate refresher training.
• You keep on record copies of the training material provided as well as details of who receives the training.

Have you considered the effectiveness of your accountability measures?

• Do staff consider that you identify their training needs specifically?
• Are there appropriate plans to meet those needs?
• Are the training materials effective?

Monitoring

Your organisation can demonstrate that staff understand the training. You verify their understanding and monitor it appropriately eg through assessments or surveys.

Ways to meet our expectations:

• You conduct an assessment at the end of the training to test staff understanding and make sure that it is effective, which could include a minimum pass mark.
• You keep copies of the training material provided on record as well as details of who receives the training.
• You monitor training completion in line with organisational requirements at all levels of the organisation, and you follow up with staff who do not complete the training.
• Staff are able to provide feedback on the training they receive.

Have you considered the effectiveness of your accountability measures?

• Do staff react positively to the training?
• Is there an easy way to provide feedback?
• Does that process result in changes?
• Are senior managers aware of training monitoring outcomes?

Awareness raising

You regularly raise awareness across your organisation of data protection, information governance and associated policies and procedures in meetings or staff forums. You make it easy for staff to access relevant material.

Ways to meet our expectations:

• You have evidence that your organisation regularly uses a variety of appropriate methods to raise staff awareness and the profile of data protection and information governance, for example by emails, team briefings and meetings, posters, handouts and blogs.
• You make it easy for staff to access relevant material, and find out who to contact if they have any queries relating to data protection and information governance.

Have you considered the effectiveness of your accountability measures?

• Could we observe awareness-raising materials around your office?
• Would staff know who to contact?
• Do you make it easy for them to find and access relevant information?

Further reading

ICO guidance:

External guidance:

• National Cyber Security Centre: 10 Steps to Cyber Security – User education and awareness