Record creation
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you which guidance will be updated and when this will happen.
Control measure: Processes for creating records or documented information are in place and outlined in policies.
Risk: If processes for creating records are not controlled and documented clearly, records may be created with inaccurate information or inappropriately communicated. This may breach UK GDPR articles 5(1)(d-f), 5(2), and 32.
Ways to meet our expectations:
- Document record creation processes in sufficient detail in policies, including document management protocols, metadata use, and record formatting and classification.
- Highlight changes to processes clearly in policies (eg in a change history).
- Communicate processes to staff who create records and make policies readily available for them to refer to.
Options to consider:
- Document clear step-by-step instructions or a process flow chart for creating records.
- Check or sample newly created records.
Control measure: Records are appropriately identified and classified.
Risk: Without clear identification and classification showing what a record contains, who should use it, and where it should be, records may be accessed inappropriately or subject to a personal data breach. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Assign appropriate security classification to records and personal information.
- Clearly identify and describe records and personal information (eg in file names and metadata).
- Document classification and identification processes in sufficient detail in policies, including document management protocols, metadata use, and record formatting.
Options to consider:
- Document clear step-by-step instructions or a process flow chart for how to classify and identify records.
- Set default security classifications for certain types of record or information.