Refresher training
Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.
Control measure: Refresher training is sufficiently comprehensive, effective, kept up-to-date and delivered at appropriate intervals.
Risk: Insufficient or out-of-date refresher training substantially increases the risk of a personal data breach. Staff knowledge diminishes in value and effectiveness if staff do not undergo up-to-date refresher training. This may breach UK GDPR articles 5(1)(f) and 32.
Ways to meet our expectations:
- Include key areas of data protection in refresher training, such as handling requests, data sharing, information security, personal data breaches and records management.
- Assign the responsibility to oversee and approve refresher training to the DPO, information governance manager or equivalent.
- Require staff to complete refresher training at appropriate intervals.
- Require all grades, including senior managers, to complete refresher training.
- Deliver refresher training to all staff, including voluntary, temporary and contract staff.
- Provide alternative refresher training to non-computer-based staff if the refresher training is primarily computer based.
- Document when staff last received refresher training by keeping complete and up-to-date records.
- Periodically review the refresher training material to ensure it remains up-to-date and fit for purpose.
- Assess staff understanding of the training using a knowledge check with a minimum pass mark. Support staff who need further training if they consistently do not achieve the minimum pass mark.
Options to consider:
- Implement a system which notifies staff and managers about upcoming refresher training.
- Periodically refresh training material to keep staff engaged.
- Periodically review and change assessment questions.
- Set a specified timeframe for staff to complete refresher training.
- Remove access to personal information if staff do not complete refresher training within the specified timeframe.
- Monitor staff completion rates.
- Assign responsibility to heads of departments or managers to confirm staff have completed refresher training within a specified time frame.