Skip to main content
Hafan

Record creation

Contents

Control measure: Processes for creating records or documented information are in place and outlined in policies.

Risk: If processes for creating records are not controlled and documented clearly, records may be created with inaccurate information or inappropriately communicated. This may breach UK GDPR articles 5(1)(d-f), 5(2), and 32.

Ways to meet our expectations:

  • Document record creation processes in sufficient detail in policies, including document management protocols, metadata use, and record formatting and classification.
  • Highlight changes to processes clearly in policies (eg in a change history). 
  • Communicate processes to staff who create records and make policies readily available for them to refer to.

Options to consider:

  • Document clear step-by-step instructions or a process flow chart for creating records.
  • Check or sample newly created records.

Control measure: Records are appropriately identified and classified.

Risk: Without clear identification and classification showing what a record contains, who should use it, and where it should be, they may be accessed inappropriately or subject to a personal data breach. This may breach UK GDPR articles 5(1)(f) and 32.

Ways to meet our expectations:

  • Assign appropriate security classification to records and personal information.
  • Clearly identify and describe records and personal information (eg in file names and metadata).
  • Document classification and identification processes in sufficient detail in policies, including document management protocols, metadata use, and record formatting.

Options to consider:

  • Document clear step-by-step instructions or a process flow chart for how to classify and identify records.
  • Set default security classifications for certain types of record or information.