Information transfer
-
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Protect personal information when you are transferring it and prevent it being inappropriately disclosed.
Options to consider:
- Implement information transfer policies and procedures for transferring personal information electronically and manually.
- Communicate these policies and procedures to relevant staff.
- Include data transfer security requirements in contracts or transfer agreements with third parties.
- Complete a lessons learned exercise in the event of a personal data breach, update policies and procedures and provide further training, where required.
Protect incoming and outgoing communications using appropriate security measures.
Options to consider:
- Use encryption to protect the content of emails and their attachments, especially if they contain sensitive personal information.
- Use spam filters and various malware detection techniques to protect against receiving malicious emails.
- Automatically quarantine outgoing emails containing sensitive information.
- Provide social engineering training to staff, covering the different types of techniques that can be used.
- Conduct phishing tests on staff and feedback on the results.