
Information and Records Management Bulletin Issue 246 · July 2025

Bulletin Editor

Catherine Burton, G and C Media catherine@gandcmedia.co.uk

Production Editors

Visual Print & Design enquiries@visualprint.co.uk

Chris Callander, G and C Media chris@gandcmedia.co.uk

Publisher

Information and Records Management Society® St James House, Vicar Lane, Sheffield, S1 2EX Tel: 01625 664520 www.irms.org.uk

IRMS Executive Committee

Jaana Pinnick AMIRMS, FIRMS, Chair jaana.pinnick@irms.org.uk

Reynold Leming AMIRMS, FIRMS, Vice Chair · (External) reynold.leming@irms.org.uk

David Reeve AMIRMS, FIRMS, Vice Chair · (Internal) david.reeve@irms.org.uk

Simon Ellis AMIRMS, FIRMS, Commercial Development Director simon.ellis@irms.org.uk

Jim Pittendrigh, Treasurer jim.pittendrigh@irms.org.uk

Nathan Bent, Secretary nathan.bent@irms.org.uk

Paulina Jedwabska, Conference Director paulina.jedwabska@irms.org.uk

Rob Bath, Digital Director rob.bath@irms.org.uk

Suzy Taylor AMIRMS, FIRMS Groups Director suzy.taylor@irms.org.uk

Jenny Obee, FIRMS, Membership Director jenny.obee@irms.org.uk

Roger Poole FIRMS, Professional Standards Director roger.poole@irms.org.uk

May Ladd, Training Director may.ladd@irms.org.uk

Marketing & Communications Director · (vacant) marketing.communications@irms.org.uk

IRMS Officers and Sub-committee Chairs

Maria Lim, Technology Partnerships Officer maria.lim@irms.org.uk

Rebekah Taylor, Finance Officer rebekah.taylor@irms.org.uk

Kamil Soree, Data & Digital Officer kamil.soree@irms.org.uk

Sian Astill, Data & Digital Officer sian.astill@irms.org.uk

David Reeve AMIRMS, FIRMS, Awards Sub-committee Chair david.reeve@irms.org.uk

Jane Proffitt, Accreditation Sub-committee Chair accreditation@irms.org.uk

Lauren Cook, Groups Officer groupsofficer@irms.org.uk

Content Officer · (vacant) contentofficer@irms.org.uk

Data Protection & Digital Officer · (vacant) dataprotection-digitalofficer@irms.org.uk

Marketing & Communications Officer · (vacant) marketing.communications@irms.org.uk

Jonathan Nott, General Manager jonathan.nott@irms.org.uk

IRMS Conference

Emma Turley, IRMS Delegate Enquiries emma@revolution-events.com

Deborah Ward Johnstone, IRMS Sponsorship Enquiries deborah@revolution-events.com

IRMS Group contacts

Ireland · Jenny Lynn jenny.lynn@irms.org.uk

Public Sector · Elizabeth Barber AMIRMS, FIRMS elizabeth.barber@irms.org.uk

Higher Education & Further Education · Anne Grzybowski anne.grzybowski@irms.org.uk

IM Tech · Maria Lim maria.lim@irms.org.uk

Information Rights · Craig Clark craig.clark@irms.org.uk

Legal · Iram Ditta iram.ditta@irms.org.uk

London · May Ladd may.ladd@irms.org.uk

Midlands · Mark Smith mark.smith@irms.org.uk

North · Georgina Lee georgina.lee@irms.org.uk

Wales/Cymru · Sarah Phillips sarah.phillips@irms.org.uk

South West · Lauren Cook lauren.cook@irms.org.uk

Schools · Lyn Rouse lyn.rouse@irms.org.uk

Scotland · Khopolo Jamangile khopolo.jamangile@irms.org.uk

Property · Beverley Cunningham beverley.cunningham@irms.org.uk

Financial Services · (vacant) financial@irms.org

How to join the IRMS

Go to www.irms.org.uk/join

How to contribute

If you’d like to contribute to the Bulletin, please send copy to the Editor at: catherine@gandcmedia.co.uk. The upcoming deadlines to submit copy are: 15 July for the September issue and 15 September for the November issue.

How to advertise

Deborah Ward Johnstone, IRMS Bulletin Advertising Enquiries Deborah@revolution-events.com

Published bi-monthly in January, March, May, July, September, November. ISSN 2045-6581

The Bulletin provides a wide spectrum of opinion on information and records management matters: the views of the contributors do not necessarily reflect the views of the Information and Records Management Society®

from the Chair

Dear readers,

It has already been 10 days since the 2025 IRMS Conference, my second as the Chair. Before this main event of the society’s calendar year started in Birmingham, the Board and Executive Committee met in person to discuss our refreshed and streamlined strategy, to hear from our delightful and hardworking Group Chairs, and to meet our members at the AGM. The good news is that we are very much on the right track. It is a pleasure to work with this marvellous team and to support our members throughout their careers!

I have agreed to remain Chair of the Society for one more year before standing down, to comply with the implementation of the updated Articles of Association, which state that Board Directors are elected for a 3-year term. For Executive Directors, the term is 2 years.

The following director appointments were approved by the membership at the AGM held on Sunday afternoon in Birmingham:

Board Directors: Simon Ellis (Commercial Director), Nathan Bent (Secretary)

Executive Committee Directors: Jenny Obee (Membership Director), May Ladd (Training Director)

Recently appointed as Officer: Andrea Binding, Membership and Volunteer Officer

We only have one leaver this year – Neil Reeves, Marketing & Communications Officer. My heartfelt thanks to Neil for all your contributions in the many roles you have carried out over the last 10 years: Marketing & Communications Officer, Groups & Volunteers Officer, Digital Director, and eDirector. Your cheerful approach will be much missed, and you leave big boots to fill!

We are currently interviewing for a Conference Officer and looking for a Marketing & Communications Officer (or two). A little bird also told me that this week we recruited two new Group Chairs; more on that in due course…

And now let’s turn to the conference proper. It was the first one run by Paulina Jedwabska, and what an outstanding success she made of it too! It was a real pleasure for me to work with such an enthusiastic all-female team with Paulina, Debs, Emma, Eli and the rest of the Rev team. My heartfelt thanks to you all for your dedication and hard work on making the Peaky Path to Progress happen!

This year, IRMS sponsored two conference bursaries. We received 22 applications, which made the task of selecting the recipients a real challenge for Paulina and me, and we spent quite some time going through the individual stories of the applicants. We awarded the New Generation Bursary to Anna Lisowska, and the Diversity and Inclusion Bursary went to Sukhvir Kaur. Congratulations to Anna and Sukhvir, who were able to join us at the conference and sat at the IRMS table for the Gala Dinner!

Kevin Parry, Information Commissioner’s Office (ICO) Director of Data and IRMS Conference first-timer, kicked off Monday’s proceedings with his keynote address “Navigating ICO’s Data Strategy and Data Governance Journey”. Next, it was the always enjoyable and energetic Vendor Showcase, hosted by who else but Ren Leming. Congratulations to the winner Orinoco, who faced tough competition from the other entries! Monday’s second keynote was delivered by Kalpana Kothari, who shared her insights into why “It Is Not Always Blindingly Obvious Why Records Management Matters”.

For the rest of the day, the delegates were spoiled for choice between talks from five interesting strands, interspersed with lively discussions and networking, refreshments and food, and many exchanges with the vendors at the Information Market.

I want to express my big thanks to our two main sponsors. The OASIS Group generously supported the Conference Fringe and the feelgood Sunday Social event with bangers and mash at “The Information Arms”. On Monday, Iron Mountain PLC kindly sponsored the magnificent Gala Dinner and Industry Awards Ceremony.

My congratulations go to all this year’s IRMS Award winners and very worthy runners-up:

• Inaugural Digital Decarbonisation in Action Award – OASIS Group

• Information and Records Management Professional of the Year – Victoria Blyth (runner-up: Yagmur Sahin)

• Supplier of the Year – Rachel Mitchell, for her work with Leadership Through Data

• Information and Records Management Team of the Year – JISC and HE/FE Sector Team

• Innovation of the Year – Jaki Stockwell, for her work with Leadership Through Data

• Alison North Award for New Professionals – Carys Hardy

• Lifetime Achievement Award – Vicky Beddall (runner-up: Jane Marley)

Afterwards, we were brilliantly entertained by the Gatsby Band, who played 1920s period music whilst some of the delegates tried their luck at the very busy casino tables.

On Tuesday, Dr David Reeve, IRMS Vice Chair, introduced Gaynor Galton, who in her keynote discussed the “Role of Governance and Compliance in Unlocking the Full Potential of Data in Clinical Trials”. After Tuesday’s first breakout sessions, it was time for Timothy Quinney from Google to give his morning keynote on “Automating Data Classification with Artificial Intelligence in Google Workspace”.

The closing keynote on “Protecting your Sensitive Data with Microsoft Purview” was delivered by Nikki Chaple and Ryan John Murphy.

If you have already provided feedback on the conference, you will have received a link to the speakers’ slides, if they agreed to share them with the delegates. And believe it or not, the joint IRMS & Rev conference team have already started planning next year’s event at the Celtic Manor in Newport, Wales, on 17–19 May 2026 – no rest for the wicked! Do look out for early bird booking opening in the summer and the call for papers in due course.

This year, I was very pleased to meet so many conference first-timers, who told me they will return in 2026, both vendors and delegates.


Wela i chi yn Cymru! I also felt quite humbled by the number of people who visited the IRMS stand to enquire about membership and joining the society. We must be doing something right.

So let me finish this column by whole-heartedly thanking you, the whole extended IRMS community – members, volunteers, partners, sponsors, vendors, and other suppliers – for your ongoing support and friendship. I wish you all a wonderful summer, until the next issue.

The silent peril of death by policy

We’re all familiar with the infamous phrase “Death by PowerPoint,” but let’s shine a spotlight on another critical issue that often flies under the radar: “death by policy.”

For years, I’ve emphasised during my training sessions that policies are not mere guidelines – they are essential “must do” and “must not do” directives for staff. Why? Because when a serious data breach occurs, regulatory bodies like the Information Commissioner’s Office (ICO) demand copies of relevant policies. These documents serve as a litmus test to determine what staff members were informed about. They play a crucial role in assessing whether an organisation had the necessary “organisational measures in place” (including procedures, training, and other safeguards).

But it doesn’t stop there. The impact of policies extends beyond data breaches. Consider HR and disciplinary matters: which policies did a staff member fail to comply with?


These questions underscore the significance of robust policy implementation and enforcement.

So let’s not underestimate the power of policies – they’re not just words on paper; they’re the guardian of organisational integrity.

1 Purpose:

Why do we need a particular policy? What do we include to make sure this aim is met?

“Words carry power. Choose them wisely”

While this phrase can really be applied to any situation, it is doubly true when creating policies, as, in essence, that is all they are comprised of. Like a poet, we need to take extra care in how we want to carry a message across, and how we can do so in the most concise way with the most impact.

“Consistency is key”

Years ago, I faced a surprising situation. I received a Freedom of Information (FOI) request for copies of corporate and department policies. As I collated them, I was taken aback – they looked as if they had been written by different organisations. There was no consistency in format or layout.

How can we expect our staff to align their practices with the policies when we’re unable to align the policies with each other? It’s confusing and draining for staff, and simply put, bad practice.

Consistency is key in ensuring policies are read, understood and applied appropriately.

2 Review:

Are our policies being followed? Have they, perhaps, become outdated? Do they actually work?

You want me to read ALL OF THAT!?

A 30-page policy might seem a brilliant idea if we are only considering what content it’s meant to cover, but this falls short extremely quickly once we must account for who’s meant to read it. No one wants to read and memorise a drawn-out document; it’s simply a mundane and monotonous chore.

Have we made this clear to you?

We know why we have our policies, but do we know if they’re actually being followed? There are many ways to monitor this, but we don’t want to act as babysitters when doing so. We want capable staff, not mindless robots who do our every bidding. Regular, but not constant, auditing and checks of staff practice in relation to our policies help us gauge not only staff’s understanding of policies, but also any areas of confusion or vagueness within the policy that we can address.

It’s time for a change...

Organisations are constantly subject to major changes, whether it’s the law, our team members or even our practices. We can’t, however, let ourselves become victims of these changes and must take the reins. We must be prepared to address any new considerations that may arise, and update our policies promptly and accordingly.

3 Signing Off:

Actions we can employ to ensure a standardised approach, not just in developing policies, but in signing them off as well.

Far too often, I encounter policies within organisations that lack any formal check or sign-off process. To address this, I propose the establishment of a “policy review committee”.

Their role isn’t to create policies but to meticulously scrutinise them once they’ve been reviewed and updated. Here are the critical questions this committee should ask:

Correct Emphasis:

Does the policy convey the appropriate level of emphasis? Consider replacing vague terms like “should” with the stronger “must”.

Layout Consistency:

Is the policy formatted correctly, adhering to the agreed-upon structure? Uniformity in layout matters.

Consistency across Policies:

Does the policy align with other existing policies? Inconsistencies confuse staff and lead to divergent practices.

Timely Updates:

Has the policy been recently updated? Ensure a new review date is added to keep it current.

Clarity and Precision:

Is the policy clear and concise? Avoid unnecessary duplication. Staff engagement improves when policies are succinct.


Compliance Monitoring:

How will compliance be monitored? Regular checks are essential. When was the last assessment carried out?

Once the thorough review is complete, the policy returns to the owner for final sign-off by the organisational manager, relevant department head, or an appropriate committee. With this process in place, the policy is ready for dissemination across the entire organisation.

Remember!

• Well-crafted policies are the backbone of organisational clarity and consistency!

• Policies are the compass guiding organisations through the compliance maze!

• Well-structured policies are the bedrock of organisational effectiveness.

Do not let your organisation be a victim of Death by Policy

The Authors

Yagmur Sahin is an Information Governance and Data Protection Manager at Data Protection Simplified. She is a qualified lawyer with dual master’s degrees in cybersecurity, and her career reflects a strong passion for protecting people’s rights in the digital age. She is an IAPP Privacy Engineering Advisory Board member and actively contributes to key areas in data protection, including AI governance.

Barry is a well-known Privacy Consultant. He worked as an IG Manager in the NHS for 20 years and is also the founder of BJM IG Privacy Ltd. He is the former Chair of the NHS National Strategical Information Governance Network (SIGN) group and also initiated the Data Protection Practitioner Apprenticeship. He currently works as an Advisor to Data Privacy Simplified and is a Governor with The Specialist Skills Hub (Apprenticeship and Cyber Training).

<www.dataprivacysimplified.co.uk> <https://specialistskills.co.uk>

Do we really mean “responsibility”?

To make sure a house is sound, we periodically check the foundations for cracks. When we find one, we need to patch it up, because leaving it in place threatens the stability of the entire structure.

What if some of the most fundamental statements information management (IM) practitioners have been making until now are actually undermining our work? In this article, I’m going to challenge two long-standing practices. Brace yourself.

Firstly, I recommend that we remove the statement “Every employee is responsible for managing corporate information” from our policies. That’s right – let’s get rid of it completely!

Just between us colleagues – be honest here – how’s that policy statement working for you anyway? Has it ever made anyone step up to the plate? Do you find that employees actually respond to that mandate? I’ll show you why – from where I sit – it’s next to useless as a policy statement.

Secondly, I suggest that we rethink our mantra “We help the organisation manage information”. We may think that explanation adequately clarifies our role, but I contend that it actually does us more harm than good.

POLICY BUY-IN

To see why, let’s start with the context. We approach our work intending to cooperate with other business areas. Our goal is to achieve full engagement with our policies, often needing to overcome resistance and non-compliance.


When people are presented with a corporate policy but don’t see the benefit, I don’t want them to ignore it. Personally, I aim for a response along the lines of “How does that apply in our situation?” That question signals a willingness to learn, understand, and collaborate, which is consistent with our goals: we want our working relationships to be cooperative, not adversarial.

To achieve this, policy wording matters. The language and tone of a policy set the stage for all our interactions, now and going forward.

PROPERTY OF THE ORGANISATION

Let’s return to the statement “Every employee is responsible for managing corporate information”. If the intent is to obligate people to take specific action, it falls way short.

Our entire intellectual approach to managing corporate information is founded on the premise that the information is the property of the organisation, not the individual using it. This information can become useless if not managed properly, being inaccessible for decision makers at critical times. Worse, this information can become a liability for the organisation when used in contravention either of the law or of a contract with another entity, such as a partner or customer.

The problem is that assigning responsibility for an activity is not the same as mandating action.

To see why, consider some real-world examples, such as the following policy statement issued by an airline:

Passengers are responsible for providing their own food.

This statement doesn’t obligate passengers to bring food on the flight; it simply means that the airline won’t provide it. Some passengers will bring food and others won’t. As far as the airline is concerned, either choice is fine.

The following grocery store policy is another example:

Shoppers are responsible for supplying their own bags.

Again, the statement doesn’t obligate people to bring bags to the store; it simply clarifies that the store won’t provide them. Customers can carry items home in their hands if they wish.

Finally, take the following municipal policy:

Homeowners are responsible for their own pest control.

In no way does that rule obligate homeowners to eliminate the mice from their property; it simply declares that the city won’t do it for them. Like the other statements, allocating the responsibility does not in itself mandate or prohibit any particular course of action.

Let’s take the store’s bagging policy one step further. It’s especially confusing when a store advertising the policy actually does provide bags. Why are they taking on an activity that they claim to be someone else’s responsibility? Talk about mixed messages!

ARE IM POLICIES SENDING MIXED MESSAGES?

Policies are of value only when they’re clear, so it’s easy to see why the statement “Every employee is responsible for managing corporate information” creates a problem.

It not only doesn’t obligate any specific action, but on the face of it, it suggests to employees that the organisation won’t be managing the information for them. In the analogies of food on a plane and mice in a house, a person reading these policies could validly assume that the rule maker is leaving it to each individual to decide what to do.

In reality, we’re a little like the store that claims not to be responsible for providing bags, but does so anyway. “Every employee is responsible for managing corporate information” is a very strange message to promote when, to all appearances, the organisation does in fact manage the information. The organisation takes responsibility for classification structures, storage technology, privacy requirements, security, life-cycle processes… I could go on and on, but the point seems obvious: if we’re trying to send a clear message about who is responsible for what, this statement doesn’t do it.

WHAT AND WHEN?

Beyond its ambiguity around responsibility, the statement is vague about its intended scope and timing.

Taken literally, the statement makes it sound like every employee is responsible for managing the entirety of the organisation’s information holdings all the time. Clearly, that’s not what’s intended, so why are we expecting the employees to figure out the what and when?

Narrowing the scope with a qualifier like “their own,” as in “Every employee is responsible for managing their own information”, doesn’t help us. After all, we start with the premise that the organisation owns the information, not the individual. In that scenario, what does “their own information” even mean? Which information becomes the “employee’s information,” and at what point in its life cycle does it do that? And while we’re on the subject – looking at it through the employee’s eyes – if it’s my information and I am responsible for managing it, why should I listen to you about what to do?

I raise these questions, but I don’t recommend spending a lot of time answering them. From my perspective, the question is moot because the information never becomes “the employee’s information.” Instead, we should be focussed on specifying which activities we want the employee to do and when we want them done.

THE IMPORTANCE OF PROCEDURES

Effective IM practices rely on clear processes supported by sound authorities. These authorities may include a few policy statements, but more importantly, they include

• clear standards on what well-managed information holdings look like, and

• explicit procedures supporting a variety of activities.

It is only in those procedures where assigning responsibility for specific tasks to specific individuals has any meaning. For example, we may want to impose requirements on individuals involved in a given procedure, such as

• saving a document,

• managing a client file, or

• using a particular piece of software.

These specific requirements are useful because they clarify obligations in a given situation. Generalising them to statements like “Everyone is responsible for managing information” not only removes the requirements from the employee’s reality, but it does the opposite: it dilutes the obligation to take action by spreading it around. The bystander effect, a well-documented psychological phenomenon, explains why people are less likely to help in a situation where they see other potential participants. The more participants around to take responsibility, the more people assume someone else is taking action, reducing their own sense of obligation.

In other words, insisting that everyone is responsible diffuses that responsibility, discouraging rather than motivating action.

ACCOUNTABILITY FOR OUTCOMES

This brings me to the second common statement, which is almost a mantra of the profession: “We help manage the organisation’s information.”

While not incorrect, this explanation understates our role and thereby makes it more confusing, because it focusses on process rather than outcome. Perhaps a sample of claims made by a professional chef will show this distinction more clearly.

Compare these:

A. I’m responsible for preparing meals.

B. I’m responsible for the quality of the food served.

That’s quite a difference! Which inspires more confidence? The first invokes a process; the second one, an outcome. Anyone can claim to prepare a meal, but that’s not the same as being accountable for the result.

Other statements of responsibility around the food that I’d want to hear from a professional chef are:

C. I’m responsible for the taste.

D. I’m responsible for the nutritional value.

E. I’m responsible for the freshness.

The same applies to IM professionals. As you well know, anyone can claim that they manage information; in fact, many in the organisation claim to do just that, whether or not their approach has any basis in best practices.

It would bring credibility to the IM professionals’ claim of responsibility if we could clarify exactly which attributes of well-managed information we are taking responsibility for. We could raise our profile in the organisation if we were prepared to make statements such as the following:

We are responsible for the accuracy of the information.

We are responsible for the quality of the information holdings.

We are responsible for the elimination of information that puts the organisation at risk.

Not “We are responsible for the life cycle of the information”, because that harkens back to describing a process, not an outcome. Since the vast majority of employees in an organisation don’t understand the process, it has no value to them. On the other hand, people do understand information accuracy, currency, integrity, and so on – even if only at a very basic level – so they can understand what it means when someone lays claim to responsibility for them.

Our colleagues in the other information domains do just that: the security group takes responsibility for safety; the freedom of information group takes responsibility for release, and so on. These groups explain their roles by emphasising the outcome, not the process by which they reach that outcome.

A SEAT AT THE ARTIFICIAL INTELLIGENCE (AI) GOVERNANCE TABLE

This distinction is more than just theoretical. We are experiencing a time when IM professionals are fighting for a seat at the table, where decisions are made around the use of AI in the organisation. Many groups want to be at that table, and we will need to justify our presence.


If we merely claim to be “responsible for managing the information”, we’re going to be met with blank stares. After all, we’ve spent years telling people that “everyone is responsible for managing information”. If that’s true, then why are we claiming now to be special?

We will have a much better chance of participating if we can stake a claim to responsibility for specific attributes, for example:

We are responsible for the accuracy of the output of generative AI.

We are responsible for the preservation and standardisation of the prompts.

We are responsible for the integrity of the metadata schema and the precision of controlled vocabularies.

Which attributes should we be looking at?

IM professionals, like chefs, would do much better to describe their responsibilities in terms of outcomes – not processes. Let’s stop telling people that we are responsible for “preparing meals” and start focussing on the quality, freshness, and nutritional value of the food.

Which aspects are the best to lay claim to? At the moment, I’m not completely sure, and I defer to the experience of those who are more in touch with the implementation aspects of IM policy.

I do know, however, that if we don’t move in this direction, we are closer to becoming superfluous in the organisation… especially if we continue to claim that “everyone is responsible for managing information”.

The Author

Lewis Eisen, JD CIP, is the developer of the Perfect Policies™ approach to using respectful language in policy drafting, which has been adopted in organisations around the world. His Amazon international bestseller is in its 4th edition, now titled RULES: Powerful Policy Wording to Maximize Engagement. Lewis draws on 40 years’ experience as a practising lawyer, business consultant, and federal civil servant. He was awarded the 2024 Best iQ Article from RIMPA Global and the 2020 Britt Literary Award from ARMA International.

<https://lewiseisen.com> <www.linkedin.com/in/lewiseisen>

The psychology of records management: Energise compliance with auditing

I can hear some of you saying: “Did you really have to go there? I cannot stand audits. They are time consuming, expensive and the business just won’t tolerate the intrusion for information governance (IG) and records and information management (RIM)”. Sorry, the answer is yes. Without auditing, you are not able to assure that the workforce is actually doing what they are required to do.

I digress, but back in my youth, there was a popular cartoon character named Mr Magoo (you can still watch him on YouTube) who had very bad eyesight (although he thought it was perfect) and was therefore always making his surroundings into his own alternate reality. He happened to have a bald head, and one day, he walks into a barber shop and requests a haircut. When he takes his hat off, the barber finds a single hair standing up in the middle of his bald head. The barber dutifully clacks the scissors over his head – forward; backward; left; right; and finally, after some period of time, actually cuts the single hair on his head. He then pronounces the haircut complete. Mr Magoo pays him and walks out, believing that he has had a full haircut.

FACING REALITY

For IG/RIM, we cannot live in our own little world, our own reality, thinking that the workforce has performed activities to become and maintain compliance when it is possible (perhaps even likely) that they are not compliant. Audits help to assure we are all in the same reality, actually accomplishing and performing as required.

The good news is that the audit for IG/RIM does not have to follow the traditional path of financial audits. In fact, if you do, you may once again find yourself in your own reality, like Mr Magoo, because you are getting a representative view – not a comprehensive view. You are not just looking for evidence of processes and the performance of those processes; you are looking for evidence that each individual, from the executive suite to individual contributor (employees and contractors) across the company, is actually doing what your policy and procedures say they are to do.

This is good news because you do not need to engage in time-consuming interviews to establish a view of workforce compliance. What is needed is to develop a list of the IG/RIM requirements for each individual, turn them into questions, and have them respond – Yes, No, or In Process. This list of questions will need to be tailored based on area of responsibility and level of responsibility, and there need to be departmental questionnaires as well. This does require some good work upfront to identify the requirements and turn them into questions, but for the workforce, the questionnaire they are required to answer is minimally intrusive – resulting in minimal pushback. This is simple, straightforward, and very powerful.

So, where do these IG/RIM requirements come from? Your policies and procedures. That is why it is important that your policies and procedures have “requirements language”, such as must, shall, and will. The use of words like should, might, or could provides the opportunity for variation of activity, including no activity at all. You don’t want to spend any time on non-productive discussions on definition and intent. Much better to preclude all of that with clear, non-negotiable requirements language.

HOW DO YOU DEVELOP THE QUESTIONS?

Each requirement from the policies and procedures should be the subject matter for at least one detailed compliance question. Not so much “Are you aware of the policy for the disposal of confidential records?”, but rather “At the proper time, do you dispose of all confidential records in the shred bins or by shredding yourself?” The answers are multiple choice: Yes, No, or In Process.

Yes means, yes, the department or individual is in compliance.

No is a red flag; it means there is a problem. The department or individual is non-compliant and doesn’t intend to become compliant.

In Process means the department or individual is not yet compliant, but is committed to becoming compliant and is working on it.

Those are all the answers you need to develop a comprehensive view of compliance!

Clearly, once you have taken the survey, your work isn’t over; it is always an ongoing process. You will need to follow up with those who say “No” (and also potentially their management) to help them change their answer to “Yes” or “In Process”. For the “In Process” answers, you will want to do some analysis. Are there questions for which there was an “epidemic” of In Process responses, indicating the need for a deeper dive and possible corrective action? Or is it that they just need a little more time before they can say “Yes”? You always have the option of following up at any time.

What about evidence of compliance and interviews? For evidence, use the “trust but verify” approach. Let the user respond without producing evidence, but be on notice that the evidence may be required at any time. This way, the user is responsible for having evidence, but you only request it as situations warrant. Interviews are also important, but conducted only on an as-needed basis, as the data identifies a need for follow-up. Therefore, the intrusions into the business are kept to a minimum and only occur as driven by the data. This technique may be unconventional, but it provides a lot of information with minimal investment, provides for comparative analysis of progress with subsequent audits, and provides flexibility in how and when to conduct follow-ups.

Regardless of the technique you choose for performing an audit, performing an audit will energise compliance. People respond to actions more than words, and holding individuals accountable by checking their IG/RIM performance with an audit will not only energise compliance, but it will also provide valuable feedback for improvements and modifications to your program.

The audit is such a strong energiser for compliance that even just the notice of a coming audit will energise compliance. Give the workforce advance notice of the audit, even to the point of sharing the audit questions in advance, and your audit results will be better for it. After all, your objective is compliance, not to identify those who may otherwise have overstated their performance.

Yes, you really want and need to do this.

Craig Grimestad is a senior consultant with Iron Mountain Consulting. His specialty is designing RIM core components with subspecialties for RIM auditing and change management. He holds an MSc in engineering and was the Records Manager for the Electro Motive Division of General Motors, where he participated in the development of the GM Corporate RIM program, and implemented and managed Electro Motive Division’s RIM program.

<www.ironmountain.com/uk/resources> <www.linkedin.com/in/craig-grimestad2214b37>

Do you know what’s next for your professional development?

Have you considered IRMS accreditation yet? If not, what’s stopping you?

Are you:

• A member of the IRMS

• Someone that works with the management of information in any way?

• Possessing 5+ years experience in the profession or 3+ years with a relevant qualification?

• Someone that can demonstrate an understanding and practical application of the principles and practice of managing and governing information and records?

Then why not apply?

- You’ll be assessed by written or verbal assessment (your choice)

- We can offer you guidance, support and an application buddy

- Regardless of outcome, you’ll have a professional development plan we’ll help you with

irms.org.uk/accreditation

Data definitions: What is master data?

This paper is the first in a series that looks at data management and what is meant by terms such as “master data”, “reference data”, “transaction data” and “aggregated data” – terms that information and records management professionals may come across but may not use on a daily basis. The final paper in the series will look at “data as an asset”.

When I talk about data, and I do that a lot, I refer to master data (MD), reference data, transaction data and aggregated data without blinking. But that is not so for everybody and, more often than not, I find myself explaining the difference. So, I’ll throw my explanation out there. If you find it useful, feel free to share it.

MD DEFINITION

MD can usually be described with a noun that cannot be turned into a verb:

• Customer, product, employee, part, etc (you cannot say “to customer”).

• MD is referenced by all the other types of data.

• MD may be labelled “dimensions”, just to confuse the layperson.

• MD entities are usually very complex and are described by hundreds and sometimes thousands of properties (aka attributes).

A MD record is unique and (should) only exist in one authoritative version that is reused across the organisation.

• It is the same customer, regardless of the business area or process that interacts with the customer.

• There is no upper limit to MD records; you can always add a new customer.

EXAMPLE OF A MD ENTITY

The product entity is a typical example of a MD entity. Depending upon the business area, a product can be perceived very differently, even though it is the exact same item or service that people refer to.

A reseller’s product definition is typically much simpler than what, eg, a production facility uses. Heavy regulation of a business tends to drive complexity up.

A full product MD record for a physical product can include a lot of information; examples include:

• materials used in production;

• information about the supplier of said material/part;

• bill of materials and other production details, eg, picking lists;

• physical dimensions, storage and transportation requirements;

• certifications, documentation, and authorisations needed;

• pricing, marketing, and distribution information;

• special regulations (GxP, General Data Protection Regulation, customs, disposal);

• documentation, safety, handling;

• customer identification if the product is bespoke.

All of the above, and more, may be part of a “complete” MD record.

There is no single part of an organisation that uses all the attributes.

WHY IS THIS RELEVANT

One of the key problems (pun intended) is that different parts of the business refer to different sub-sets of the product information in different ways.

• Production refers to a particular product as “123-ABX-FGS-3FV”.

• Logistics calls it 1GY_MRK-GE.

• The reseller calls it Gyro no 1. Version 1.31.

This causes a LOT of confusion and extra work.

Suppose products “123-ABX-FGS-3FV” through “123-ABX-FGS-9KL” have to be recalled because part number 123-838-050-03409 has an error in production batch 92345G, and that was shipped to 1GY_MRK-UK.

What is a reseller to recall?

Can you relate to this?

The Author

Niels Lademark began his career as a Master of Agriculture but soon realised his mistake and changed to the IT industry. The first stop was working with data governance back in 1997, before the term was coined. As the master data manager at the University of Copenhagen, he was responsible for collecting and reporting the total research and conveyance of science done, from papers to museum exhibitions, in one unambiguous format. After a 5-year tenure at the Danish State Railways as information and enterprise architect, he joined a dedicated information management consultancy in 2007, and later Deloitte after a merger. The project tally as a management consultant ended at 28, after 14 years of consulting. All these projects revolved around enterprise architecture or information management. Currently, he works as an enterprise architect at the Nordic Resource Coordination Centre (Nordic RCC), which calculates the electric grid capacity across Scandinavia to maximise the utilisation of green electricity production capacity.

<nlh@nordic-rcc.net> <linkedin.com/in/nielsheegaard>

Reuse of Gift Aid data for postal marketing

Can a UK charity repurpose a physical address used for verification of Gift Aid status, for marketing purposes, especially 3.5 years after it was obtained?

I recently received a charity direct debit form in the post. One of those old-fashioned forms where you’re asked to fill in all your bank details and send it back to the recipient in a prepaid envelope.

My first thoughts centred around security concerns, especially knowing how many scammers and criminals are on the lookout for personal data – and these forms are perfect for a raft of financial and ID fraud if they end up in the wrong hands.

My next thought was “Who is this charity? I’ve never even heard of them. Where and when did they obtain my address for their marketing campaign?”

I popped off a data subject access request to find out where my details had come from, and to check if another charity had shared a marketing list with the charity in question.

It transpired that all the way back in June 2021, I had sponsored a friend online and provided my address in the online donation form for Gift Aid purposes. The only purpose for providing my address was to verify my status as a UK taxpayer.

At the time, I didn’t make a note of the charity, but did amend my first name to ‘namecharity initials’ so that I could track any further unwanted comms. I’m fastidious about ticking the ‘no further comms’ and ‘don’t share with similar charities’ boxes too – no marketing means no marketing.

Fast forward 3.5 years, and it turns out that the charity’s marketing team decided to repurpose the data I’d given as proof of my tax status for their postal fundraising efforts. They’d also spotted my data-tracking efforts (the amended name) and changed my name in their CRM by removing the charity initials. Naughty naughty.

That the data would be repurposed wasn’t mentioned in their privacy notice, and as someone who’s careful about ticking ‘no further contact’ and ‘don’t share my info with similar charities’, I was surprised that the marketing team had decided it was acceptable to send postal marketing to (A) a no-further-contact list, and (B) addresses that were never provided for marketing.

This behaviour is a breach of the purpose limitation principle under UK General Data Protection Regulation (GDPR), and a breach of Article 21, my right to object to marketing. Under Article 5(1)(b), personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”. Verifying taxpayer status for Gift Aid is a one-off statutory activity; by contrast, postal marketing is an entirely different purpose, requiring its own lawful basis.

Article 21 of the UK GDPR gives individuals an absolute right to object to direct marketing at any time. Once that right is exercised, the charity had no lawful basis to send me marketing material, regardless of how or when the data was collected. In practice, this means that any entry marked ‘do not contact’ must be excluded from all subsequent campaigns.

Currently, if you make a one-off donation, charities can’t reuse your details for further marketing under soft opt-in rules, and if they are going to repurpose data that’s outside of the scope of Privacy and Electronic Communications Regulations for postal marketing, they absolutely should make this clear in privacy notices. Also, bear in mind that this data had been collected over 3.5 years ago – so even if it had been in the privacy notice, I would have forgotten!!

The upcoming Data Use and Access (DUA) Bill, due to come into force in the UK in the next few months, looks set to relax the rules around charities and political parties using the soft opt-in for marketing.

I appreciate that not everyone will share my concerns around how this relaxation of current rules could be abused.

From my time in the third sector, I’ve seen charities hold on to data far longer than needed for Gift Aid or financial reporting. Even the idea of cleansing aged data is met with massive resistance, regardless of the fact that quality is far more profitable than quantity when it comes to data. My spidey senses tell me that aged lists of one-off donors may well be in receipt of marketing from charities they’ve long forgotten they donated to in the belief by marketing teams that this will regenerate interest and not generate complaints.

That proposed relaxation carries both opportunity and risk. On one hand, charities under financial pressure may welcome the ability to reconnect with lapsed donors. On the other, older data quickly becomes stale – addresses change, people move on and preferences shift. Sending appeals to someone who gave a single gift 3, 5 or 10 years ago can feel intrusive, damaging goodwill and prompting complaints to the Information Commissioner’s Office or Fundraising Regulator for nuisance marketing.

There are, happily, many charities that will approach these changes responsibly. Best-in-class organisations will:

• carry out data protection impact assessments for any reuse of existing donor data;

• build privacy by design into their CRM workflows, so consent and objection preferences are enforced automatically;

• offer clear-choice architecture at the donation stage, with separate tick boxes for different types of communications; and

• conduct regular data audits to delete records once they no longer serve a lawful purpose.

Maintaining public trust is vital: donors give only when they believe their personal information will be handled respectfully. Misusing Gift Aid data for marketing not only breaches data protection principles, but chips away at the very foundation of charitable generosity.

If you work in fundraising or data protection within the third sector, how are you preparing for the DUA Bill and safeguarding the purpose limitation and Article 21 rights of your supporters? I’d genuinely welcome your thoughts and examples of best practice. Are you purging your lists and going for quality over quantity, or are you determined to reuse data that has been sitting in a database unused for over a decade?

The Author

Suze Phillips is the founder and director of Garden City Assurance Ltd (GCA), a North Hertfordshire based consultancy specialising in cyber resilience, data protection and privacy compliance for UK organisations. GCA offers data protection and information security consultancy, including risk assessments and vendor due diligence, on a retained (or ad hoc) basis, to strengthen your organisation’s defences and minimise exposure. Suze is a Fellow of Information Privacy (FIP) and holds ECPC B (Maastricht University DPO), CIPM and CIPP/E, ITIL Expert, and CISMP qualifications.

<Hello@gardencityassurance.co.uk> <https://gardencityassurance.co.uk>

Advanced computer software fine: Are poor procurement processes really to blame?

The recent £3.07 million fine imposed on Advanced Computer Software Group Ltd (Advanced) by the Information Commissioner’s Office (ICO)[1] has sparked significant concerns about the NHS’s role in this data breach. While Advanced is responsible for failing to implement adequate security measures, a deeper issue remains: why did it take a data breach to expose these shortcomings?

As a Data Protection Officer (DPO), my role involves scrutinising suppliers to ensure they have robust security controls. This includes assessing technical security measures and verifying compliance with frameworks such as the Data Security and Protection Toolkit (DSPT). Advanced had completed the DSPT assessment, which should have signalled its commitment to data security. However, this breach suggests that mere completion of the DSPT may not be sufficient proof of adequate security.

This incident raises critical questions. Did NHS trusts conduct thorough due diligence before engaging Advanced? Did they take the supplier’s DSPT assessment at face value? The DSPT is a key assurance measure across the NHS, but is it fair to expect individual trusts to conduct separate due diligence on suppliers?

The DSPT outlines essential security requirements, including:

• 4.5.3: IT suppliers must enforce multi-factor authentication for all remote access and privileged user accounts.

• 9.2.1: Regular vulnerability scans must be undertaken.

• Supported systems must be kept up to date with the latest security patches.

The ICO identified all these as failings by Advanced in this breach. This raises further questions:

• How did Advanced self-assess as “exceeding expectations”[2] for several years?

• Is NHS Digital, which oversees the DSPT, exerting sufficient oversight to validate supplier submissions?

• The DSPT mandates an independent audit of submissions, yet these security failings were only exposed after the breach. Why weren’t they identified earlier?

Another key concern is whether DPOs have adequate influence over procurement decisions. Ensuring that data protection is central to supplier selection is crucial, yet, in practice, DPOs often lack the authority to veto engagements with non-compliant suppliers. Furthermore, the ICO’s policy of not fining public sector organisations[3] removes a key incentive for senior leaders to prioritise cybersecurity over other pressures.

While this ICO action may serve as a warning to data processors, real change will only come when DPOs, procurement teams, and regulatory bodies collectively push suppliers to prioritise security. Without this, procurement processes will continue to favour convenience over robust cybersecurity.

The cyberattack, widely reported at the time, disrupted critical services such as NHS 111 and blocked healthcare staff from accessing vital patient records. This incident serves as a stark reminder of the shared responsibility between suppliers and NHS trusts in safeguarding patient data. The question remains: will procurement practices change before the next major breach?

[1] advanced-penalty-notice-20250327.pdf

[2] YGM65 ADVANCED COMPUTER SOFTWARE GROUP PLC

[3] Statement on the public sector approach | ICO

The Author

Jess Pembroke is Head of Data Protection for Naomi Korn Associates. Her team provides outsourced data protection services, as well as mentoring and consultancy. Jess has been instrumental in developing Naomi Korn Associates’ unique offering of practical affordable live online training modules, including CPD-accredited intermediate and advanced certificates in data protection. As a training partner, Naomi Korn Associates offers IRMS members 10% off all courses.

<jess@naomikorn.com> <www.naomikorn.com>

A Director’s journey: Reflections on Birmingham 2025

As I write this reflection on what was my first conference as a director, I’m struck by the incredible journey that brought us to Birmingham and the phenomenal team effort that made it such a resounding success.

The work began even as we were delivering last year’s conference in Brighton – from that moment, my mind was already turning to Birmingham, envisioning the venue, considering layouts, and beginning to shape what would become our 2025 theme and programme strands.

THE CHALLENGE OF CURATION

Perhaps the most challenging aspect of my role was developing the conference programme. This began with defining entry criteria and evolved into the delicate task of speaker selection – determining not only who would present, but, equally importantly, who wouldn’t, and why. The lesson learned is to keep the selection process under constant review based on the feedback we receive. The wealth of talent within our community meant we had an abundance of speakers with fantastic ideas and remarkable progress to share.

THE DREAM TEAM DELIVERS

When the time finally arrived, our conference power-women-led dream team stepped up magnificently. We commenced with the AGM on Sunday, seamlessly transitioning into our fringe events and social, generously sponsored by the Oasis Group. A particularly encouraging observation was the year-on-year growth in our Sunday social attendance. This year’s information arm pub theme, complete with silent quiz, live singer, and board games, proved to be a tremendous success, creating exactly the welcoming atmosphere we’d hoped for.

I found myself embracing every aspect of the role, including practicing and improving my pointing and directional skills – no job was too small when it came to ensuring our delegates had the best possible experience.

MONDAY’S INSIGHTS

Monday opened with Kevin Parry delivering a compelling keynote, sharing insights about how the Information Commissioner’s Office is preparing to implement its data strategy. His emphasis on the fundamental need for understanding what data we have, where it resides, and how we should utilise it going forward set the tone perfectly for the days ahead.

The subsequent sessions, panels, and presentations maintained this high standard throughout the day, culminating in our gala dinner and awards ceremony. The evening provided an opportunity to celebrate the achievements within our community, and I’d like to extend heartfelt thanks to everyone who nominated colleagues, cast their votes, and joined us in celebrating the successes of our nominees, runners-up, and winners.

We’re enormously grateful to Iron Mountain for its generous sponsorship of the gala dinner, which helped make the evening such a memorable occasion.

TUESDAY’S MOMENTUM

Tuesday proved equally dynamic, opening with a keynote on clinical trials and the critical importance of data, delivered by Gaynor Dalton from Protas. This was followed by another thought-provoking keynote from Tim Quinney of Google, who addressed automation and the essential need for governance in the age of artificial intelligence.

The Microsoft sessions appeared particularly popular on Tuesday, from Bernd Vellguth’s presentation through to our closing keynote featuring Nikki Chapple and Ryan John Murphy, who drew fascinating parallels between their Mount Everest expedition and data strategy. Their message was clear and compelling: you wouldn’t attempt to climb an 8,000-metre mountain without a strategy, so why would you tackle data without one?

Between these anchor sessions, we enjoyed more practical presentations and panels that addressed everything from soft-skills development to information security – demonstrating the breadth and depth of expertise within our community.

PERSONAL REFLECTIONS AND THANKS

On a personal note, this experience has been transformative. Leading the conference has provided invaluable insights into our community’s needs, aspirations, and the remarkable expertise that exists within our membership. The collaborative spirit demonstrated by speakers, sponsors, and attendees alike reinforced why IRMS remains such a vital organisation for information and records management professionals.

I sincerely hope you found the Birmingham conference valuable and engaging. Your feedback is crucial, as we continue to evolve and improve our offerings. Please do share your thoughts and experiences – they help shape future conferences and ensure we continue to meet your professional development needs.

Finally, please save the date for our next conference at the Celtic Manor next May. I’m confident it will build upon the success of Birmingham, whilst offering new insights and opportunities for professional growth.

Thank you for making Birmingham 2025 such a memorable and successful event.

The Author

Paulina Jedwabska is a data, information governance and knowledge management specialist with a proven track record of engaging at multiple levels within complex organisations in UK and internationally recognised bodies.

<paulina.jedwabska@irms.org.uk>

An exceptional event: IRMS25

I am truly honoured and grateful to IRMS for selecting me as one of this year’s bursary winners. Without this support, I wouldn’t have been able to attend the conference, and I’m incredibly thankful for the opportunity.

From start to finish, the event was exceptional. It was clear how much thought, care, and effort had gone into planning. Communication throughout was seamless, and the entire IRMS team was approachable and helpful, especially Emma Turley (Marketing Manager), who was a fantastic point of contact. I particularly appreciated the IRMS booklet and dedicated event app. The app was incredibly useful, helping me plan my 3 days, stay informed, and connect with other professionals through its chat feature.

Attending an event alone can be daunting, but for anyone new to the IRMS Conference, especially if you’re attending solo, there’s no need to worry. The atmosphere was warm and welcoming, and I never once felt alone. The IRMS staff were always on hand to offer support, which helped me settle in quickly. Within minutes of arriving at the keynote theatre, I was already networking with others, some first timers like me, and others who had attended before.

I met so many inspiring individuals, including Anna Lisowska (Data Governance Officer at Citizens Advice Scotland), Dr Amarjit Lahel, Beth Summerfield, Iram Ditta, and many more. A special thank you to Sallie from the Cabinet Office, who immediately made me feel welcome and took the time to explain how everything worked.

Each session I attended was thoughtfully organised and featured inspiring professionals from across the information governance and risk sector. I found every session valuable and relevant; it was genuinely difficult to choose between them because they all resonated with my work.

Some standout sessions for me included:

• “Moving mountains” (HM Land Registry) – Roger Petty, Kathy Abruzzese, and Joanne Ruff delivered a fantastic presentation on tackling the digital heap. Their approach to creating a business-as-usual process to manage digital records gave me hope for addressing similar challenges at NHS Blood and Transplant (NHSBT).

• “Emails in context” (Cabinet Office) – Kelcey Swain introduced records-in-context ontology (RiC-O), a concept I hadn’t encountered before. It offers a powerful way to describe and connect complex records through their associated data. Seeing real-world examples helped me understand its potential, especially for managing subject access requests. I’m eager to explore how this could be implemented at NHSBT.

• “The latest innovations and what to expect for the future” (Microsoft EMEA) – Bernd Vellguth shared exciting updates from Microsoft, many of which were developed in response to client feedback. It was reassuring to see how client voices are shaping the future of Microsoft’s services.

The gala dinner and industry awards were a true highlight of the conference.

I had the pleasure of dining with fellow bursary winner Anna, IRMS Chair Jaana Pinnick, Conference Director Paulina Jedwabska, and several other industry leaders. Everyone was so kind and welcoming, which made the evening even more memorable. It was wonderfully organised and full of energy. A fantastic opportunity to celebrate the achievements of professionals within the industry while enjoying a lovely meal and meaningful conversations.

Visiting the vendor stalls between sessions was another valuable part of the experience. The vendors were friendly, informative, and generous with both their time and their merchandise. I left with a wealth of information and potential contacts that could benefit NHSBT in the future.

The IRMS bursary scheme is a brilliant initiative that promotes inclusion by enabling professionals from organisations with limited budgets to attend such impactful events. Being able to discuss the challenges I face in records management with others in the field was incredibly beneficial. The shared experiences and practical advice gave me renewed confidence and ideas to take back to my team.

I also had the chance to talk about the vital work NHSBT does in the UK, which sparked engaging conversations about blood donation, eligibility, and the records generated from each donation. These discussions reinforced the importance of having robust records management systems in place.

I hope that by sharing my experience, others can see just how valuable this event is. I would highly recommend attending, especially if you work in information governance or risk. IRMS truly understands the field and knows how to deliver an informative, supportive, and enjoyable event. I sincerely hope I have the opportunity to attend again in 2026.

The Author

Sukh Kaur is the Records and Disclosure Manager at NHSBT. Based in Wiltshire, she began her career in information governance in 2016 at Wiltshire Council. She quickly discovered a passion for the field, progressing to Senior Information Governance Officer before joining NHSBT. In her current role, she leads on records and disclosure, with a strong focus on simplifying processes and promoting best practices. She especially enjoys helping others understand the value of effective records management by making complex topics relatable and practical.

<sukhvir.kaur@nhsbt.nhs.uk>

Finding your gang: IRMS25

I had not long started in my role as Data Governance Officer at Citizens Advice Scotland when my manager sent me the IRMS Conference under-30 bursary application. But even in those few months I’d been in the job, I already had an idea that there was a real community out there in the world of records and information management. I knew I’d joined an industry full of passionate people, and I wanted all their records management (RM) wisdom! Having been lucky enough to secure a place at the conference, I’d now love to tell you about my experience.

FIRST IMPRESSIONS

As an IRMS Conference first timer, I think it helps to just throw yourself into the experience. Everyone was approachable and many people were in the same boat of solo attendance, so it was easy to find others looking for someone to chat to. The buzz of being there all together was infectious, and there really is something about this type of event making you excited about your job. From the energetic and friendly atmosphere to talks that really make you think, it was a brilliant couple of days.

It really stood out to me how open people were in talking about the challenges they’re facing in their day-to-day work (getting non-information-governance (IG) colleagues on side, anyone?). This really helps in giving others the confidence to speak up and share their own experience. So, if you’re building up to ask a question after a session – do it. Chances are someone else is thinking the same, or they might just turn around to you and say, “but have you thought about it this way?” It also feels good to be that person for someone else, too.

THE SESSIONS

You can very much make the IRMS Conference experience your own. I mostly chose sessions that focussed on personal and professional development and knowledge building. And I’m glad I did! I took a lot from Adele Redhead and Neil Reeves’ session about navigating the industry as a newcomer and Eleanor Blore’s talk on how to find your place in the team as a specialist. I’ll echo what I said in my bursary application – this kind of development content often gets overlooked by employers, and the conference was a unique opportunity to hear from people who take this type of career advice seriously. They both really encouraged us to advocate for our development, which was very motivating.

Then, I have to mention Vanessa Hodge’s and Marcus Stewart’s talks. They both gave tactical, and very practical, advice on how to convince the rest of your organisation of the value of good IG. Vanessa Hodge gave an interesting spin on how to ‘steal your way’ onto projects and use them as case studies for good RM. Her tip to build your gang was a fresh take on relationship-building that really stuck with me.

In a similar vein, Marcus Stewart spoke of giving people ownership over data and the importance of language when speaking IG with colleagues across your workplace. It feels important to realise that it’s not just leadership teams you might need to convince to work with you, though that will often be the first step. It was a good reminder to think of it as a collective responsibility and that we’re just helping each other do our jobs better.

WHY SHOULD YOU APPLY NEXT YEAR?

My advice to anyone considering applying for a bursary next year is to go for it. You may be new to your role, or your field, and you may have less experience than other people there – but this is the point. You’re there to develop your knowledge and build your network, so why not try and take advantage of a rare face-to-face opportunity to do this? Yes, you’ll get to hear from industry experts from all over the world, but you’ll also meet other newbies to bond with. Getting to hear people talking about their own career paths was one of my favourite elements, as it can really get you thinking differently. And remember, you get to help others as well: you bring a fresh perspective with your individual background and experiences, and you might inspire someone too!

CONCLUSION

In her great talk, Vanessa Hodge spoke about finding your ‘gang’ to help you on your way to good information management, and the IRMS Conference is, in fact, a brilliant place to do this. Meeting people and feeling part of a community was my highlight – the IRMS is a good gang to belong to! I’d like to thank IRMS for giving me a chance to see it all first hand; it was a truly unique experience.

The Author

Anna Lisowska is a Data Governance Officer at Citizens Advice Scotland (CAS). She has worked in the Scottish Citizens Advice Network for the past 7 years in various roles in CAS and Citizens Advice Bureau, including advising, project management and standards. She studied law and worked in Aberdeen before moving to Edinburgh. In her free time, she plays volleyball, walks around the city or knits – or tries her hand at baking.

<anna.lisowska@cas.org.uk> <www.cas.org.uk>

The IRMS award winners 2025!

We are delighted to announce the winners of the IRMS Awards 2025 recognising excellence, innovation, and dedication in our sector. The awards were presented on Monday 19 May at the Gala Dinner, held during the IRMS Conference in Birmingham. Seven prestigious awards were presented.

The winners of the IRMS 2025 Awards are:

• The Digital Decarbonisation Award: The Oasis Group

• Professional of the Year Award: Victoria Blyth

• IRMS Supplier of the Year: Rachel Mitchell, Leadership Through Data

• Team of the Year Award: Jisc and the HE/FE Sector Team

• Innovation of the Year Award: Jaki Stockwell, Leadership Through Data

• Alison North Award for New Professionals: Carys Hardy

In addition, we awarded the IRMS Lifetime Achievement Award to Vicky Beddall in recognition of a career spanning more than 30 years, building a remarkable career in the nuclear industry, rising to become the Information Management Lead at Cavendish Nuclear, where she’s now been leading the function for over two decades.

But her impact doesn’t stop there. She is a STEM Ambassador, a mentor, and a passionate advocate for our profession—shining a light on the often unsung but critical roles of information management and document control.

Her knowledge is vast. Her leadership is inspiring. Her contribution is profound.

For more information about all our awards and award winners, please visit the award pages About Us - Information and Records Management Society.

Chair of the Awards Committee, David Reeve states: “The awards ceremony is one of the highlights of the IRMS calendar and I would like to offer a huge congratulations to the worthy winners this year, as well as the runners up and all who were nominated. All should be proud for the inspiring work that they are carrying out. There are many more in the profession who continue to inspire, and I look forward to hearing about them, when we open the nominations process again in the autumn, for the 2026 IRMS Awards.”

IRMS Conference 2025 special

The UK Data Use and Access Act (DUAA) 2025

The Data Use and Access Bill received Royal Assent from the King on 19 June 2025 and, as a result, the newly approved Act has now been enacted into UK law. This article reviews the new legislation and its potential impact for UK businesses and organisations.

WHAT ARE THE KEY CHANGES IN THE UK DATA USE AND ACCESS ACT?


The UK Data Use and Access Act introduces nuanced adjustments to the current regime rather than completely overhauling it. Nonetheless, certain changes could affect data handling, sharing and compliance obligations for UK businesses.

INTRODUCTION OF RECOGNISED LEGITIMATE INTERESTS

The Act introduces ‘Recognised Legitimate Interests’ as a new legal basis for data processing, specifically allowing certain security-related activities such as fraud prevention, public safety, and national security to be considered legitimate interests by default, potentially without requiring a legitimate interests assessment (LIA). The Act simplifies the process for organisations to rely on legitimate interests but, crucially, it does not eliminate the need for an LIA in all cases.

Currently, this new legal basis explicitly applies to private organisations and does not appear to extend to public authorities. This potentially excludes NHS organisations and further clarification will be needed regarding the impact on NHS-held health data.

Additionally, the Act recognises direct benefits for organisations involved in direct marketing, intra-group administrative purposes and ensuring network security by making it clearer that such processing activities may qualify under legitimate interests.

It is important to stress that the Act still requires organisations to assess whether an individual’s rights override their business interests when relying on legitimate interests for marketing. This process is known as the balancing test. This means that data controllers must evaluate the impact on individuals before using legitimate interests as a legal basis to ensure that it does not override fundamental rights and freedoms.

Finally, the Act does not override the existing Privacy and Electronic Communications Regulations (PECR), which still require consent for certain marketing channels such as email and SMS marketing. The rules for general commercial direct marketing remain unchanged, meaning that in many cases explicit consent will still be required under PECR.

CHANGES TO DATA SUBJECT ACCESS REQUESTS (DSARS)

Processing DSARs can be costly and time-consuming due to the large volume of data typically involved. Under the existing UK General Data Protection Regulation (GDPR) framework, organisations were required to respond to DSARs without undue delay and within one calendar month of receipt. The Data Use and Access Act retains this timeframe but introduces the “reasonable and proportionate” search principle for responses.

The Act clarifies that organisations are required to conduct “reasonable and proportionate” searches when responding to DSARs. This means that while organisations must make genuine efforts to locate and provide the requested personal data, they are not obligated to conduct exhaustive searches that would impose an excessive burden. This clarification aligns with the guidance of the Information Commissioner’s Office (ICO), which states that organisations should perform a reasonable search for the requested information.

The Act also allows organisations to pause the response period in certain circumstances:

• When verifying the identity of the data subject

• When requesting additional information necessary to process the request

• When dealing with complex requests or multiple requests from the same individual

Once the necessary information is provided, the response timeframe resumes. Organisations must notify the individual of the delay and provide reasons for the extension within the original one-calendar month period.

CLARIFICATION ON AUTOMATED DECISION-MAKING

Article 22 of the existing UK GDPR restricts solely automated decision-making (ADM) that has a significant legal effect on individuals, requiring meaningful human oversight for all such processes.

The Act clarifies that ‘meaningful human intervention’ necessitates a competent person reviewing automated decisions. This ensures that human oversight in ADM processes is substantive and informed. Organisations using AI-driven processes must uphold transparency and accountability in decision-making. They are also required to inform individuals and comply with non-discrimination laws such as the Equality Act 2010.

The Act further specifies that ADM processes involving any type of personal data must still be subject to appropriate safeguards.

CHANGES TO THE PROTECTION OF CHILDREN’S PERSONAL DATA

The Data Use and Access Act introduces several provisions aimed at strengthening the protection of children’s personal data. It defines children’s ‘higher protection matters’ as considerations for how best to safeguard and support children when using services. The Act also acknowledges that children may be less aware of the risks and consequences of data processing and have different needs at various stages of development.

Recent developments highlight ongoing efforts to enhance children’s data protection:

• The ICO has launched investigations into platforms such as TikTok, Reddit, and Imgur regarding their handling of children’s data, focusing on content recommendations and age verification methods

• The ICO introduced the Age-Appropriate Design Code, also known as the Children’s Code, a UK code of practice requiring online services likely to be accessed by children to be designed with their safety and privacy in mind

• The Online Safety Act is broader in scope and improves online safety for all users but also includes a focus on protecting children. Regulated by Ofcom, the Act introduces stricter content moderation requirements for platforms to prevent harm to minors. In December 2024, Ofcom issued its first codes of practice under the Act targeting illegal harms such as child sexual abuse and incitement to suicide. The Act also mandates age verification measures to prevent children from accessing harmful content, including the use of AI facial checks and email analysis

These initiatives reflect a broader effort to create a safer digital environment for children and to ensure that their personal data is handled with due care and consideration.

COOKIES AND OTHER SIMILAR TRACKING TECHNOLOGIES

The Act expands the scope for implementing cookies and similar tracking technologies without requiring user consent, under certain conditions.

It specifies that cookies used solely for statistical purposes, such as improving services or websites, will be exempt from the consent requirement. However, users will need to be informed of their purpose and be able to opt out easily. The exemptions also cover service improvement, security purposes and emergency assistance. This change aims to reduce compliance burdens for organisations managing cookie regulations.

The Act also seeks to standardise enforcement across the UK GDPR, the Data Protection Act 2018, and the PECR. Organisations are advised to ensure compliance with PECR, particularly regarding cookie usage and direct marketing.

REVISED INTERNATIONAL DATA TRANSFER MECHANISMS

The Act places a strong emphasis on only allowing international data transfers to countries where the protection standard is “not materially lower” than the UK’s. This change is intended to enhance flexibility for businesses engaging in global data exchanges. This could streamline cross-border business operations, but concerns may remain regarding its potential impact on the EU-UK adequacy decision.

Additionally, the Act restricts the Secretary of State’s ability to amend existing transfer safeguards. Any modifications will require secondary legislation to take effect.

DIGITAL VERIFICATION SERVICES (DIGITAL ID)

The Act establishes a Digital ID Trust Framework to drive innovation and broader adoption of digital identities. This framework aims to streamline regulations for digital verification services, enhance national security measures for provider registration and increase oversight and consultation. Key provisions of the framework include simplifying regulations to make digital verification services more efficient and accessible.

RESTRUCTURING THE ICO

The Act introduces a structural and strategic reform of the ICO. Under the new framework, the ICO will transition from its status as a corporation sole to a corporate body formally established as the Information Commission led by a Chair and supported by a non-executive board.

Importantly, the Commission will now be required to consider the public interest in driving innovation and supporting competitive markets. This will be in addition to its core responsibilities for safeguarding privacy and upholding data protection standards. The reform is designed to enable more commercially balanced regulatory outcomes and enhance the ICO’s ability to respond effectively to the evolving data economy.

PENALTIES FOR NON-COMPLIANCE

The Act enhances PECR enforcement powers, bringing penalties in line with UK GDPR. It permits fines of up to 4% of global turnover or £17.5 million, whichever is greater, significantly raising potential penalties for non-compliance.

It is important for UK organisations to begin assessing the Act’s potential impact on their data management and compliance frameworks. The Act amends the current UK legislation under UK GDPR, the Data Protection Act 2018 and PECR, and it is therefore important that organisations continue to adhere to the existing requirements in addition to these amendments. Most of the new provisions are expected to come into force either 2 or 6 months after Royal Assent, but some may take up to 12 months.

THE UK DATA USE AND ACCESS ACT

The Labour Government introduced the Data Use and Access Bill in the House of Lords in October 2024. The Act’s progression was marked by extensive legislative scrutiny, including nine rounds of exchanges, commonly referred to as “ping pong”, between the House of Commons and the House of Lords.

The Act’s final stages were delayed due to prolonged discussions concerning the use of copyrighted material in AI training. Despite these debates, the legislation retained broad cross-party support. In the final debate, held on 11 June 2025, the House of Lords chose not to insist on its previous amendment, which would have imposed further legislative obligations on the Government regarding copyright infringement and AI transparency; however, it is worth noting that the Government has indicated plans to introduce a separate AI Bill, which may address the concerns raised during these discussions. Furthermore, the Act does require the Secretary of State to lay a progress statement before Parliament within 6 months of enactment.

The new legislation does not constitute as significant a departure from the UK’s existing data protection framework as had been proposed under earlier Conservative-led reforms. The Act amends rather than replaces the UK GDPR, the Data Protection Act 2018 and PECR. It has been drafted to maintain alignment with the core principles of European Union data protection law and the jurisprudence of the European Court of Justice. This alignment is critical to preserving the UK’s adequacy status, which allows the continued flow of personal data from the EU to the UK. Only time will tell if the new Act will be viewed positively by the EU in this regard.

For UK organisations, the proposed changes may signal a shift in data management policies, requiring adjustments to compliance frameworks and operational processes. Organisations are encouraged to liaise closely with their Data Protection Officers and monitor forthcoming guidance from the ICO. Now is an opportune moment to assess internal practices, particularly in areas such as legitimate interests and the handling of DSARs, and to reinforce the robustness of your data governance framework.

The Author

Christopher Beveridge is a Managing Director in Risk Advisory Services and is the National Head of Privacy and Data Protection for BDO LLP. Christopher’s practice delivers a range of privacy and data protection services to clients across internal audit and advisory in the UK and globally, including acting as DPO for several organisations. Specialising in advising and assisting clients on data protection and privacy issues which includes the UK Data Protection Act and the EU General Data Protection Regulation (GDPR), Christopher also sits on the BDO Global Privacy Group and has a strong knowledge of ever-changing privacy regulatory requirements across the Globe.

<Christopher.Beveridge@bdo.co.uk> <www.bdo.co.uk>

International Archives Week 2025

The seventh edition of International Archives Week (#IAW2025) took place during the week commencing 9 June. This year’s theme, #ArchivesAreAccessible – Archives for Everyone, was chosen through a global survey completed by over 300 participants.

As archives continue to evolve in the digital age, expanding access to archival content has become more important than ever. Accessibility is not just about digitisation—it’s about breaking down barriers, fostering inclusion, and ensuring that archives serve and represent diverse communities worldwide. The theme #ArchivesAreAccessible highlights the need for accessible archives for all individuals, regardless of background, ability, or digital access. This year’s focus centred around four key subthemes:

• Overcoming Barriers to Archive Access: Tackling obstacles like limited resources, lack of awareness, and technical challenges that hinder full participation in archival work.

• Harnessing Technology to Enhance Access: Exploring how digital innovations, including AI, are transforming the way archives are navigated and made accessible to a wider audience.

• Archives in Society: Changing Perceptions: Shifting the narrative to recognise archives as key players in shaping cultural identity, governance, and accountability.

• Inclusion and Representation in Archival Practices: Ensuring that historically underrepresented communities’ voices are included in archival collections, promoting diversity and inclusivity.

#ArchivesAreAccessible highlights the many ways archives are embracing accessibility, whether by removing physical, digital, linguistic, or cultural obstacles. Through technological advancements, inclusive cataloguing, and community-driven initiatives, archives are becoming more connected and relevant to people everywhere.

With this central purpose in mind, International Archives Week brings together professionals, researchers, and the public to showcase innovative approaches to accessibility and engage in meaningful discussions on making archives a shared resource for everyone. These activities reflect the diverse ways in which archives are making an impact within their local and regional contexts.

EDPB publishes final version of guidelines on data transfers to authorities and training material on AI and data protection

During its June plenary, the European Data Protection Board (EDPB) adopted the final version of its guidelines on Art.48 General Data Protection Regulation (GDPR) about data transfers to third-country authorities, after public consultation. In addition, the Board presented two new Support Pool of Experts (SPE) projects providing training material on AI and data protection. Finally, the Board discussed the European Commission’s request for a joint EDPB-EDPS opinion on the draft proposal on the simplification of recordkeeping obligation under the GDPR.

Data transfers to third-country authorities

Following public consultation, the EDPB has adopted the final version of the guidelines on data transfers to third country authorities. In its guidelines, the EDPB zooms in on Art. 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities (ie, authorities from non-European countries).

The EDPB explains that judgements or decisions from third-country authorities cannot automatically be recognised or enforced in Europe. As a general rule, an international agreement may provide for both a legal basis and a ground for transfer. In case there is no international agreement, or if the agreement does not provide for an appropriate legal basis or safeguards, other legal bases or other grounds for transfer could be considered, in exceptional circumstances and on a case-by-case basis.

The modifications introduced in the updated guidelines do not change their orientation, but they aim to provide further clarifications on different aspects that were brought up in the consultation. For example, the updated guidelines address the situation where the recipient of a request is a processor. In addition, they provide additional details regarding the situation where a mother company in a third country receives a request from that third-country authority and then requests the personal data from its subsidiary in Europe.

Upskilling and reskilling on AI and data protection

During its June plenary, the EDPB also presented two new SPE projects: Law & Compliance in AI Security and Data Protection and Fundamentals of Secure AI Systems with Personal Data. The two projects, which have been launched at the request of the Hellenic Data Protection Authority (HDPA), provide training material on AI and data protection.

The report “Law & Compliance in AI Security & Data Protection” is addressed to professionals with a legal focus like Data Protection Officers or privacy professionals.

The second report, “Fundamentals of Secure AI Systems with Personal Data”, is oriented toward professionals with a technical focus like cybersecurity professionals, developers or deployers of high-risk AI systems.

The main aim of these projects is to address the critical shortage of skills on AI and data protection, which is seen as a key obstacle to the use of privacy-friendly AI. The training material will help equip professionals with essential competences in AI and data protection to create a more favourable environment for the enforcement of data protection legislation.

The Board decided to publish both documents as PDF files.

Keeping East Lancashire in the Picture by Lancashire Archives named as winner of ARA Archive Volunteering Award 2025

The Archives and Records Association (ARA) has announced that the Keeping East Lancashire in the Picture (KELP) project by Lancashire Archives has won the national ARA Archive Volunteering Award 2025.

The award was presented at Lancashire Archives on Tuesday 3 June by the President of the Archives and Records Association UK and Ireland. The award presentation is part of a wider celebration of Lancashire Archives’ volunteers.

The ARA Archive Volunteering Award is given each year to projects which demonstrate how archives have supported volunteers in the previous 12 months. The awards are supported by the Archives and Records Association (which also administers the awards), the UK National Archives, the National Records of Scotland, the Public Record Office of Northern Ireland and the Welsh Government.

The judging panel (drawn from employees of the supporting organisations) said:

“This is an ambitious and impressive project with real local significance, reaching groups that are under-represented as users of archives and heritage collections. It is also a good example of archive services working with colleagues in libraries to increase access to collections and improve the standard of care.”

About KELP

KELP has brought together volunteers, of different ages and backgrounds, to make the historic photographs stored in four Lancashire libraries (and managed by Lancashire Archives) more accessible, inclusive and sustainable. The project was funded by The National Lottery Heritage Fund (£192k funding) and The Friends of Lancashire Archives (£30k funding).

75 volunteers across four libraries, supported by a project archivist and project assistant, had (at the time of submitting the award nomination) given 5,489 hours of time and scanned 47,500+ images. These will be made available to people to view free via Lancashire Archives’ Red Rose Collections.

KELP has also worked closely with eight primary schools (working with 448 pupils), one secondary school (working with 30 pupils) and two South Asian heritage community groups to create new photographic content for the collections and new digital images are being added with significant collections of local photographs donated by local voluntary photographic societies, families and other community projects.

The project aims to improve access to photographic collections in East Lancashire with an additional focus on developing audiences for volunteering within South Asian heritage community, younger people and people interested in the history of their local area.

Sharing the project with the people of the area, historic photographs provided to a local newspaper during 2024, resulted in 92,902 views and over 8,300 people engaged with the exhibitions held in the four participating libraries. Over 6,900 people attended KELP events. Lancashire Archives’ collaboration with Aawaz (South Asian Heritage Women’s Group) involved 337 visits from volunteers to contribute their time over 278 hours and a joint engagement project with Hyndburn District Council in the Enlighten project resulted in 5,000 attendees over the weekend event.

The project has significantly increased the number of volunteers for Lancashire Archives and introduced archive volunteering in East Lancashire. Volunteers include people of South Asian heritage, two younger volunteers have secured full-time work since finishing a volunteering role, and volunteers have enjoyed organised trips to Lancashire Archives, Queen Street Mill and had the opportunity to meet the Lord Lieutenant of Lancashire.

Volunteers said:

“As a genuinely computer illiterate, I feel I have gained some skills . . . We have both felt a sense of community, meeting like-minded people. Our overall experience of KELP has been, and no doubt will continue to be, positive and enjoyable. By contributing in our small way to a greater project, we have gained a sense of renewed love of our own heritage.”

“Through the journey of the project I have learnt how to digitise images and realised how important it is to preserve our history and culture for our future generations.”

“I have been having conversations with my grandchildren about heritage items, they were very keen to know about the project. Lots of questions from my granddaughter and I have been telling stories about my childhood and how important these items are.”

John Chambers, Chief Executive of the Archives and Records Association UK & Ireland, said:

“It has been encouraging to see the depth and breadth of entries this year and some really great projects. Keeping East Lancashire in the Picture is a great winner and demonstrates how important archives are to the communities they serve.”

About the Archive Volunteering Awards 2025

Seven projects were nominated for the awards in 2025 and the project Crowdsourcing The Welsh Women’s Peace Petition, by The National Library of Wales, was Highly Commended by the judges. The judging panel commented on the quality and range of the projects put forward:

“A strong series of nominations, it has not been easy to choose between them. While the level of resources available clearly differs between the nominees, the commitment and ambition demonstrated is a credit to our sector and shows the seriousness in which archive services are tackling issues of inclusion, reaching new audiences and representing marginalised communities. This process has been an inspiration and I thank all of the nominees for sharing their experiences.”

Case studies for each of the nominated projects can be found here.

Bill to reform FOI has been laid in the Scottish Parliament

On 2 June a Private Member’s bill to reform Freedom of Information (FOI) was laid in the Scottish Parliament. The bill follows on from MSP Katy Clark’s 2022 consultation, which collected views from almost 100 stakeholders on the areas where Scotland’s FOI law might benefit from a refresh.

The draft bill, which is published in full on the Scottish Parliament’s website, proposes a number of changes. These include:

• Measures to support the extension of FOI to third parties providing public services

Including giving the Scottish Parliament power to designate bodies under FOI; reinforcing the Scottish Ministers’ duty to consider designation of new bodies; requiring Ministers to consider any proposals for designation that have been made by the Commissioner; and requiring that the Scottish Parliament debate and decide whether to approve Ministerial reports on the use (or otherwise) of its own designation powers.

• Reform of the FOI Act’s duty to publish information

Replacing the current ‘publication scheme’ approach with a requirement to comply with a new ‘Code of Practice’, enabling the publication approach to be updated in response to technological changes and developments in best practice.

• The introduction of a statutory requirement to appoint an FOI Officer

The FOI Officer would be responsible for ensuring the fulfilment of a number of duties within public bodies – including staff training, advising on compliance with FOI law and the codes of practice, and reporting on FOI performance to senior management.

• The removal of the First Minister’s power of veto

Currently, the First Minister can veto the Commissioner’s decisions in some circumstances – this power has never been used.

• Pausing, rather than resetting, the 20-working-day response time when clarification is required

• New enforcement powers for the Commissioner

Including the ability to issue an enforcement notice in relation to failures to comply with the FOI codes of practice.

• Strengthening the ability to bring prosecutions if information is deliberately destroyed to prevent its disclosure under FOI

Including enabling prosecutions to be taken forward where a request has not yet been made, but destruction was done to prevent disclosure in response to a future request.

Commissioner David Hamilton has welcomed the bill, noting that “after 20 years, it’s undoubtedly time for a refresh… by taking action to protect and update FOI now, we can ensure that our vital right to hold public bodies to account remains fit-for-purpose for the future.”

Read the Commissioner’s full statement on the FOI reform bill

DCMS announces new members of public records advisory body

Seven new members have been appointed to the Advisory Council on National Records and Archives, the independent body which advises the government on access to public records.

The appointments were made by Lisa Nandy, Secretary of State for Culture, Media and Sport.

The council advises her on historical public records when they are being transferred to The National Archives under the 20-year rule.

Requests from government departments for some records to remain closed under the Public Records Act come under the council’s remit, along with exemptions under the Freedom of Information Act.

The council challenges government departments to provide evidence to justify such requests.

It also provides advice to Saul Nassé, Chief Executive of The National Archives.

The new board members are:

• Alexandra Jones, Director of Anti-Money Laundering at the Solicitors Regulation Authority.

• Sally McInnes, former Head of Unique and Contemporary Content at the National Library of Wales and a former Director of the Digital Preservation Coalition.

• Prof Sally Sheard, Executive Dean of the Institute of Population Health at the University of Liverpool. Prof Sheard is a health policy analyst and historian.

• James Strachan, Chief Executive of Eastleigh Borough Council, who is responsible for information governance at the Council.

• Aruna Verma, Campus Dean at The University of Law, Moorgate.

• Simon Wessely, Regius Chair of Psychiatry at the Institute of Psychiatry, Psychology and Neuroscience (IOPPN), part of King’s College London.

• James Bamberg, historian and author formerly responsible for BP’s archives.

The new members have been appointed to the Advisory Council for 4 years, until March 2029.

ICO head office to move to Manchester

The Information Commissioner’s Office (ICO) will relocate its head office from Wilmslow to Manchester in autumn 2026, to the Circle Square development on Oxford Road.

The ICO’s head office has been in Wilmslow since its foundation 40 years ago.

Jen Green, Executive Director – Strategy and Resources, said:

“Our relocation to Circle Square will create a working environment that better supports how we operate now and into the future. The new space will provide a more flexible, collaborative setting for our teams, with improved access to the facilities and connections we need.

“Wilmslow has been a welcome home for the ICO for 40 years, and we will continue to have a small presence in the area beyond next year. Moving to Manchester puts us close to universities and other organisations working in data and digital, and will also support our efforts to attract new and diverse talent and strengthen the way we engage with the wider sector.”

London council reprimanded for exposing personal details of 6,528 people for almost 2 years

The Information Commissioner’s Office (ICO) has reprimanded the London Borough of Hammersmith and Fulham (the council) after it left exposed the personal information of 6,528 people for almost two years.

The personal data breach occurred when the council responded to a freedom of information (FOI) request made via the WhatDoTheyKnow.com (WDTK) website in October 2021. The response, published on the council’s website and WDTK, contained 10 workbooks which included personal information.

Investigation findings

The council’s response included an Excel spreadsheet which contained 35 hidden workbooks. Almost 2 years later in November 2023, following a review of information on its site, WDTK informed the council the response included personal information. The information was immediately removed from both sites.

In total 6,528 people were affected, with 2,342 being children. The personal information relating to the children was classed as sensitive, as it included details of looked after children, 96 of whom were unaccompanied asylum-seeking children.

In reaching its final decision, the ICO took into account a number of mitigating factors, including that the published personal information was almost 3 years old and that there was no evidence that it had been inappropriately accessed or used. The ICO also considered the remedial action the council took to contain the impact of the breach, notably updating guidance and procedures and ensuring staff undertook training.

Sally Anne Poole, ICO Head of investigations, said:

“It is imperative all staff are trained regularly and internal guidance and sign off protocols are reviewed on a continual basis to ensure breaches do not happen.

“In publicising this reprimand, we aim to highlight the importance of having the correct policies and procedures in place to mitigate against these types of preventable error.”

Investigation recommendations

The reprimand details a number of recommendations the ICO expects the council to take. These recommendations are relevant to all public authorities responding to FOI requests and include:

• Considering implementing the use of the ICO sign off checklist when releasing information that contains Excel spreadsheets.

• Considering that all material prepared for disclosure is signed off by a manager.

• Review and update online training and guidance and continually embed this with staff.

Latest offerings from our Training Partners

DPS & BJM IG and Data Privacy Training

DPS & BJM IG and Data Privacy Training

DPS & BJM IG and Data Privacy Training

UK GDPR/GDPR, Data Protection and the Common Law of Confidentiality for all staff

Essential General Data Protection Training

Advanced Data Protection Training for IG Leads

Training delivery can be virtual or in house. From a group of 4 and can be recorded

Training delivery can be virtual or in house. From a group of 4 and can be recorded

Training delivery can be virtual or in house. From a group of 4 and can be recorded

Tkm Consulting

Tkm Consulting

Developing your role as a Senior Information Risk Owner (SIRO)

BCS Practitioner Certificate in Scottish Public Sector Records Management

Conducting Data Protection Impact Assessments

Tkm Consulting

Tkm Consulting

Naomi Korn Associates

Naomi Korn Associates

Naomi Korn Associates

Naomi Korn Associates HCUK

BCS Practitioner Certificate in Data Protection

Tkm Diploma in Managing Data Protection Compliance

Privacy by Design: Data Protection Impact Assessments (DPIAs)

Information Security and Data Breach Management

Data Protection Essentials

Data Protection Rights (focused on Data Subject Access Requests)

For full details of all the courses, including course description and cost, please visit: <https://irms.org.uk/page/ThirdPartyTrainingProviderCourses> And don’t forget to take advantage of your fantastic IRMS member discount.

Subject Area

Data Protection Data Protection

Data Protection/ Information Architecture/ Information Law (Governance)/ Records Management

Data Protection/ Information Law (Governance)/ Records Management

Data Protection/ Information Law (Governance)

Data Protection/ Information Law (Governance)

Information Architecture Information Law (Governance)

Information Law (Governance)

Information Law (Governance)

Naomi Korn Associates

Naomi Korn Associates Freevacy Freevacy Freevacy Freevacy

An Overview of The Freedom of Information Act and Environmental Information Regulations

Information Security and Data Breach Management

Certified Information Privacy Technologist

Certified Information Privacy Manager

Certified Information Privacy Professional Europe (CIPP/E)

Certified Information Privacy Professional Europe (CIPP/US)

DPS & BJM IG and Data Privacy Training HCUK HCUK HCUK

Essential Cyber Security Training

Working Together: Combined course for Senior Information Risk Owners, Caldicott Guardians and Data Protection Officers: Half day

Responding to Subject Access Requests for Health & Social Care

Data Protection Officer in Health and Social Care: What Good Looks Like

online

Live online, instructor-led training & in-company classroom training option for groups of 6 or more

Live online, instructor-led training & in-company classroom training option for groups of 6 or more

Live online, instructor-led training & in-company classroom training option for groups of 6 or more

Live online, instructor-led training & in-company classroom training option for groups of 6 or more

Training delivery can be virtual or in house. From a group of 4 and can be recorded

3 and a half hours/ 1 half day

3 and a half hours/ 1 half day

4 x 4 hour online sessions, or 2 days onsite + unlimited 1-2-1 coaching and exam preparation

4 x 4 hour online sessions, or 2 days onsite + unlimited 1-2-1 coaching and exam preparation

4 x 4 hour online sessions, or 2 days onsite + unlimited 1-2-1 coaching and exam preparation

4 x 4 hour online sessions, or 2 days onsite + unlimited 1-2-1 coaching and exam preparation

Subject Area

Information Law (Governance)

Records Management

Records Management

diary

IRMS Events

IRMS London Group – Monthly networking event

15 July 2025

Time: 18:00–21:00

Location: London

IRMS London Group – Monthly networking event

19 July 2025

Time: 18:00–21:00

Location: London

IRMS Public Sector Group: Records Management Basics

23 July 2025

Time: 13:00

Location: online

IRMS HE FE Group Networking

28 July 2025

Time: 12:00–13:00

Location: online

Dates

IRMS HE FE Group Networking

1 September 2025

Time: 12:00–13:00

Location: online

IRMS Public Sector Group – What does good records management look like?

17 September 2025

Time: 13:00–14:00

Location: online

IRMS Public Sector Group: A practical session on managing records in M365

16 October 2025

Time: 13:00–14:00

Location: online

new members JULY 2025

There have been 246 new members since January 2025

individual members

Gerard Mooney

Victoria Elson

Elaine Shergold

student/apprentice members

Craig Clark

Sona Moideen

Keith Seymour

Ignatius Nwagba

Tabitha Duffill

Julie Brooks
