Specialised training
-
The Data (Use and Access) Act 2026 got Royal Assent on 19 June 2025. All the provisions affecting data protection law and the Privacy and Electronic Regulations Communications are now in force. The Department for Science and Innovation (DSIT) has set out the commencement plans. You can find more details on the Gov.uk website.
Control measure: Specific data protection training is provided to specialist roles, functions and staff that handle a large volume of personal information on a regular basis.
Risk: If staff in specialist roles do not receive additional specialised training, there is a heightened risk of a personal data breach or non-compliance with data protection law.
Ways to meet our expectations:
- Complete a training needs analysis to identify roles that require specialist information governance and data protection knowledge or expertise.
- Include wider information governance based roles in the training plan. For example, staff with responsibility for:
- records management;
- information security;
- data sharing;
- handling individual rights requests; or
- exemptions and disclosures.
- Detail training and skills requirements within role profiles.
- Assign responsibility to oversee, or approve procurement of, specialist training.
- Ensure staff in specialist information governance and data protection roles complete the specialist training before they begin work relating to their specialised role.
- Ensure staff who receive specialised information governance and data protection training periodically receive appropriate refresher training.
- Document that staff have attended required specialist training by keeping complete and up-to-date records. Obtain certificates to evidence the completion of any specialist external training.
- Assess staff understanding of the training using a knowledge check with a minimum pass mark. Support staff who need further training if they consistently do not achieve the minimum pass mark.
Options to consider:
- Seek specialist external training for staff.
- Ask the DPO, information governance manager or equivalent, to help develop any in-house training and periodically review the content.