Risk Mitigation

The SIRO and IAO have a responsibility to identify and mitigate information risks. Areas to consider are:

  • What can go wrong?
  • How could this happen?
  • How likely is it to happen?
  • What damage could it cause?

Know your risk areas

It’s important to be aware of where things are most likely to go wrong. In a school, some things to consider are emails, printers, envelopes, home working, portable media, unencrypted devices and, most importantly, staff!

Example:
A parent’s information is not up to date on the school’s management information system because the school has not sent out data collection sheets since admission. As a result, information relating to SEND is sent to an out-of-date address. Confidentiality and integrity of the data have not been maintained. This could have a huge impact and may well be reportable to the ICO depending on the content, as it will include special category personal data and may cause detriment to the data subject.

Ways to decrease the impact and likelihood of the risk materialising:

  • Training
  • Encryption
  • Passwords
  • Audit trails
  • Lockable storage
  • Monitoring
  • Policies and procedures
  • Two-person checks
  • Diarising follow-ups
  • Checklists
  • Maintaining an up-to-date information asset register