Information Governance and Caldicott Guardian
Tkm offers data protection courses approved and certificated by the SQA and BCS
Coming soon: Auditing Data Protection Compliance Courses are scheduled across the UK and can be arranged in house.
See website for dates 10% discount on individual course fees for IRMS members.
Fees start from £350 for a one day course (excluding
For further information and booking please contact us
t. 01599 511277 or 07833 617462
e. liz@tkmconsulting.co.uk
Bulletin Editor
Catherine Burton, G and C Media catherine@gandcmedia.co.uk
Production Editors
Visual Print & Design enquiries@visualprint.co.uk
Chris Callander, G and C Media chris@gandcmedia.co.uk
Publisher
Information and Records Management Society®
St James House, Vicar Lane, Sheffield, S1 2EX Tel: 01625 664520 www.irms.org.uk
IRMS Executive Committee
Jaana Pinnick AMIRMS, FIRMS, Chair jaana.pinnick@irms.org.uk
Reynold Leming AMIRMS, FIRMS, Vice Chair · (External) reynold.leming@irms.org.uk
David Reeve AMIRMS,FIRMS, Vice-Chair (Internal) david.reeve@irms.org.uk
Simon Ellis AMIRMS, FIRMS, Commercial Development Director simon.ellis@irms.org.uk
Jim Pittendrigh, Treasurer jim.pittendrigh@irms.org.uk
Nathan Bent, Secretary nathan.bent@irms.org.uk
Paulina Jedwabska, Conference Director paulina.jedwabska@irms.org.uk
Rob Bath, Digital Director rob.bath@irms.org.uk
Suzy Taylor AMIRMS, FIRMS Groups Director suzy.taylor@irms.org.uk
Jenny Obee, FIRMS, Membership Director jenny.obee@irms.org.uk
Roger Poole FIRMS, Professional Standards Director roger.poole@irms.org.uk
May Ladd, Training Director may.ladd@irms.org.uk
Marketing & Communications Director (vacant) marketing.communications@irms.org.uk
IRMS Officers and Sub-committee Chairs
Maria Lim, Technology Partnerships Officer maria.lim@irms.org.uk
Rebekah Taylor, Finance Officer rebekah.taylor@irms.org.uk
Kamil Soree, Data & Digital Officer kamil.soree@irms.org.uk
Sian Astill, Data & Digital Officer sian.astill@irms.org.uk
David Reeve AMIRMS,FIRMS, Awards Sub-committee Chair david.reeve@irms.org.uk
Jane Proffitt, Accreditation Sub-committee Chair accreditation@irms.org.uk
Lauren Cook, Groups Officer groupsofficer@irms.org.uk
Content Officer (vacant) contentofficer@irms.org.uk
Data Protection & Digital Officer (vacant) dataprotection-digitalofficer@irms.org.uk
Carys Hardy, Marketing & Communications Officer carys.hardy@irms.org.uk
Jenny Moran, Marketing & Communications Officer jenny.moran@irms.org.uk
Jonathan Nott, General Manager jonathan.nott@irms.org.uk
IRMS Conference
Emma Turley, IRMS Delegate Enquiries emma@revolution-events.com
Deborah Ward Johnstone, IRMS Sponsorship Enquiries deborah@revolution-events.com
IRMS Group contacts
Ireland · Jenny Lynn jenny.lynn@irms.org.uk
Public Sector · Elizabeth Barber AMIRMS, FIRMS elizabeth.barber@irms.org.uk
Higher Education & Further Education · Anne Grzybowski anne.grzybowski@irms.org.uk
IM Tech · Maria Lim maria.lim@irms.org.uk
Information Rights · Craig Clark craig.clark@irms.org.uk
Legal Iram Ditta iram.ditta@irms.org.uk
London · May Ladd may.ladd@irms.org.uk
Midlands Mark Smith mark.smith@irms.org.uk
North · Georgina Lee georgina.lee@irms.org.uk
Wales/Cymru · Sarah Phillips sarah.phillips@irms.org.uk
South West Lauren Cook lauren.cook@irms.org.uk
Schools · Lyn Rouse lyn.rouse@irms.org.uk
Scotland · Khopolo Jamangile khopolo.jamangile@irms.org.uk
Property Beverley Cunningham beverley.cunningham@irms.org.uk
Financial Services (vacant) financial@irms.org
How to join the IRMS Go to www.irms.org.uk/join
How to contribute
If you’d like to contribute to the Bulletin please send copy to the Editor at: catherine@gandcmedia.co.uk The up and coming deadlines to submit copy are: 15 September for the November issue and 15 November for the January issue.
How to advertise
Deborah Ward Johnstone, IRMS Bulletin Advertising Enquiries Deborah@revolution-events.com
Published bi-monthly in January, March, May, July, September, November. ISSN 2045-6581
The Bulletin provides a wide spectrum of opinion on information and records management matters: the views of the contributors do not necessarily reflect the views of the Information and Records Management Society®
from the Chair
with Jaana Pinnick · IRMS Chair
Dear readers,
I am freshly back from a little road trip in South Wales and the Southwest of England, where I was catching up with friends in Bristol, fossil hunting on the Barry coast, and visiting museums and other historical buildings in Cardiff and Worcester. After having lived in the UK for almost three decades, there is still so much to discover, and I even managed to find proper books to learn more Welsh with (Cwrs dechreuol I oedolion sy’n dysgu Cymraeg)! My first career as a linguist is still there just under the surface…
August is traditionally the month when IRMS Board and Executive Committee have no formal meetings, but this doesn’t mean we have been resting on our laurels. I am highlighting some of our summer activities below. In addition, I attended a GLOW workshop organised by the Cabinet Office and the University of Loughborough entitled “Government Records and AI” in Manchester on 22 July. The delegate list included many familiar faces: Professor Lise Jaillant, Professor Victoria Lemieux, Dr James Lappin, and David Canning MBE just to begin with. It was a thought-provoking day of talks and discussions about how our profession can benefit from AI tools in our strategies and processes. There will be a follow-up workshop next year in case you are interested.
As I am writing this, the extended IRMS & Revolution Events conference team are getting ready for our first planning meeting for the 2026 conference and to visit the venue at the Celtic
Manor in mid-August. I am very happy to report that Paulina and I are now supported by our new Conference Officer Vicky Beddall. You may remember the name from the Industry Awards ceremony in Birmingham, where I presented Vicky with the Lifetime Achievement Award – we are very lucky indeed to have Vicky join the team!
In fact, our Executive team has been joined by no less than four new officers since the Birmingham conference. Our officers are all invaluable members of the team who enable much of the work the Executive have agreed to carry out this year. Andrea Binding , who joined us as the Membership and Volunteer Officer, had to step down for personal reasons, but fortunately Lauren Cook has already stepped in and started working with Suzy Taylor and the other Group Chairs. Some of you may know Lauren from her other role as the Group Chair of IRMS Southwest Group.
In July, Simon Ellis and I interviewed candidates for two Marketing and Communications Officer vacancies. Jenny Moran and Carys Hardy (winner of the Alison North Award for New Professionals this year) have already started working with Simon, who is also temporarily looking after the Marketing Director’s responsibilities, as Jade Miles had to step away to focus on her other commitments. We will really miss you, Jade! Elsewhere within the IRMS, Scott Sammons
has recently handed over the Accreditation and Fellowship Sub-Committee Chair to Jane Proffitt who is returning to the team after some time away. Welcome back to Jane, who has previously worked as the Groups Director!
The internal governance area of IRMS, led by Dr David Reeve, is starting to review our policy and contractual framework. This work may happen more in the background and behind the scenes, but it is essential for the operations of the society and supports us in providing a basis for membership benefits and other communications.
The work on our new website and membership management tool has been progressing on schedule, thanks to Simon Ellis and Jonathan Notts for their leadership on this key project. The rest of the team have been supporting
“The route to senior decision-makers in the Information Management Industry - in public and commercial sectors.”
4,000 information managament professionals read each issue of the bulletin – They could be reading your message too.
For more details and to advertise in the bulletin contact Deborah Ward-Johnstone:
� deborah@revolution-events.com � 01892 820 936
them by testing the functionality of the new site, which is now ready for the serious task of content migration to take place. This will be no mean feat, as anyone who has ever been involved in similar work will agree with. Many of the team members will also be trained to build, populate and update their respective web pages. We are all eagerly looking forward to the new website and the new opportunities it will provide to the society.
I hope you have all had a wonderful summer, until the next issue.
Accreditation helped me focus my professional development, look to the future and give me some confidence to battle that sense of imposter syndrome
Do you know what’s next for your professional development?
Have you considered IRMS accreditation yet? If not, what’s stopping you?
Are you:
• A member of the IRMS
• Someone that works with the management of information in any way?
• Possessing 5+ years experience in the profession or 3+ years with a relevant qualification?
• Someone that can demonstrate an understanding and practical application of the principles and practice of managing and governing information and records?
Then why not apply?
- You’ll be assessed by written or verbal assessment (your choice)
- We can offer you guidance, support and an application buddy
- Regardless of outcome, you’ll have a professional development plan we’ll help you with
The bank and its safe: A comparative exploration of cybersecurity and information security
BY SIMON BISHOP
In the intricate world of digital safeguarding, the terms cybersecurity and information security are foundational yet distinct concepts that are essential for the protection of our valuable assets.
INFORMATION SECURITY: THE BANK’S SECURITY MEASURES
In this analogy, information security is similar to the bank’s overall security protocols, including the architecture of the building, the security guards, surveillance cameras, and the alarm systems. These measures are designed to protect all the assets within the bank from a variety of threats. In the realm of data, information security encompasses the strategies and practices that protect all forms of information, ensuring its confidentiality, integrity, and availability, regardless of whether it is stored digitally, on paper, or communicated verbally.
CYBERSECURITY: THE SAFE WITHIN THE BANK
CONCLUSION
Through the lens of a bank and its safe, we can understand cybersecurity and information security as distinct yet interrelated disciplines. While information security is the broad practice of protecting all forms of information, cybersecurity focuses specifically on the digital realm, defending against online threats to keep our electronic data secure. Together, these disciplines form the cornerstone of a comprehensive strategy to safeguard our valuable information in an increasingly connected world.
Although these terms are often intertwined, comprehending their unique functions and how they complement each other is crucial for any effective security strategy. This paper aims to clarify these differences through the metaphor of a bank and its safe, providing a clear and relatable framework for understanding these vital areas of digital defence.
THE BANK: A REPOSITORY OF ASSETS
Picture a bank – a secure place where individuals keep their money, documents, and other valuables safe. The bank employs various security measures to ensure the safety of these assets from external threats. This scenario parallels the digital world, where information and data are valuable assets that require protection.
Moving deeper into our bank, we find the safe or vault – a fortified area where the most sensitive and valuable items are stored. Cybersecurity corresponds to this internal, specialised protection, focusing specifically on safeguarding digital data stored within the broader information system. It involves implementing specific technological tools and protocols, such as encryption and access controls, to protect digital information from cyber threats, such as hacking, phishing, and malware.
THE INTEGRATION OF GENERAL AND SPECIFIC SECURITY MEASURES
Our bank analogy illustrates how information security and cybersecurity serve complementary roles. While information security provides a comprehensive framework and policies for protecting all types of information within the organisation, cybersecurity delves into the specifics of defending against digital threats to ensure the safety of electronic data. Like a bank’s outer defences working in tandem with the inner sanctity of the vault, information security and cybersecurity together create a layered, robust defence against a wide array of threats.
The Author
Simon Bishop is a cybersecurity leader who has held senior roles, including Group CISO and Interim Divisional Information Security Officer. Now Head of Cybersecurity GRC Consultancy at Trustmarque, he delivers transformation programmes that boost compliance, cut risk, and strengthen resilience across regulated industries. A certified CISM and Cyber Essentials Assessor, Simon combines deep technical expertise in ISO 27001, NIS2, and risk frameworks with board-level communication skills. Known for challenging tick-box security culture, he champions people, process, and culture as the true drivers of cyber resilience, making security a competitive advantage, not just a compliance exercise.
<GRCConsultancy@trustmarque.com>
<https://www.linkedin.com/in/simonbishop/> <www.trustmarque.com>
Innovating government: Cybersecurity in the public sector
BY CHRIS WILSON
THE IMPORTANCE OF ROBUST CYBERSECURITY MEASURES IN PROTECTING GOVERNMENT DATA
AND SERVICES
As the UK Government advances its digital ambitions under the Government Digital and Data Strategy, cybersecurity has emerged as a strategic enabler. For departmental leaders and agency executives, building both strong cybersecurity and investing in broader cyber resilience is not only a technical necessity but a fundamental requirement for maintaining public trust, ensuring service continuity, and upholding national resilience. But resilience isn’t just about technology. It depends equally on people: their behaviours, awareness, and how systems are designed to support (rather than hinder) secure practices.
Aligning with the National Cyber Strategy 2022, this article explores the core components of cyber resilience for the public sector and offers practical guidance for executive action.
When public systems face compromise, the consequences go beyond IT downtime; they threaten the public’s safety, disrupt essential services, and erode trust in institutions. In a digital-first government, cybersecurity is foundational to operational integrity, service continuity, and national resilience.
From protecting sensitive citizen data to defending critical infrastructure, cybersecurity is central to the mission of modern government. As threats increase in sophistication, the strategies and capabilities we deploy in response need to evolve just as fast.
THE EVOLVING THREAT LANDSCAPE
Cyber threats to the public sector are real, persistent, and increasingly complex. In recent years, we’ve seen a sharp rise in ransomware attacks on local councils, phishing campaigns targeting NHS staff, and state-sponsored cyber espionage aimed at central government departments.
The UK’s National Cyber Security Centre (NCSC) reported that in 2024 alone, it handled over 2,000 cyber incidents, many of which targeted public sector organisations. These attacks are not just disruptive; they can be devastating, leading to data breaches, service outages, reputational damage, and even risks to public safety.
For example, a significant cyberattack on the UK’s Legal Aid Agency resulted in the theft of personal data from individuals who had applied for legal aid since 2010. The compromised data included sensitive information such as criminal records, addresses, and financial details. The breach forced the shutdown of the agency’s online services.
Another notable case is the 2017 WannaCry ransomware attack, which severely disrupted NHS services across England. Over 19,000 appointments were cancelled, and some hospitals had to divert emergency patients. The incident highlighted how outdated systems and insufficient cyber hygiene could paralyse frontline healthcare delivery.
As threats increase in sophistication, our approach must evolve from simply preventing attacks to ensuring services can withstand and recover from them; the essence of true cyber resilience.
WHY THE PUBLIC SECTOR IS A PRIME TARGET
Public sector organisations are particularly attractive to cybercriminals for several reasons:
Valuable data: Government systems hold vast amounts of sensitive personal,
financial, and operational data.
Legacy systems: Many departments still rely on outdated legacy infrastructure that lacks modern security features.
Complex supply chains: The use of third-party vendors and cloud services introduces additional vulnerabilities.
High-impact services: Disrupting public services such as healthcare, emergency response, or benefits distribution can have immediate and widespread consequences.
Strategic and geopolitical motives: Some hostile states actively target UK Government systems and critical national infrastructure to undermine stability, influence public opinion, or test capabilities.
As threats increase in sophistication, our approach must evolve from simply preventing attacks to ensuring services can withstand and recover from them; the essence of true cyber resilience.
Even events not caused by cyberattacks, such as the 2024 Heathrow power outage (initially speculated to be cyber-related), show how vulnerable infrastructure can have ripple effects. The mere suspicion of cyber involvement underscores how seriously these risks are taken by the public and media alike.
BUILDING A CYBER-RESILIENT GOVERNMENT
To counter these escalating threats, public sector organisations must adopt a proactive, layered approach to cybersecurity with broader cyberresilience strategies; one that combines the right technology, well-trained people, and secureby-design systems. Cyber resilience starts with awareness: staff need to recognise risks, know how to respond, and feel empowered to act. Equally, services must be built in ways that make secure behaviour the easy default.
This includes:
Zero-trust architecture: The traditional “castle and moat” model of security, where users inside the network are trusted by default, is no longer sufficient. A zero-trust approach assumes that no user or device is inherently trustworthy, even if they are inside the network perimeter. Guidance on this is published by the NCSC.
Key principles include:
Verify explicitly: Always authenticate and authorise based on all available data points.
Use least-privilege access: Limit user access to only what is necessary for their role.
Assume breach: Design systems with the expectation that breaches will occur and build in containment and recovery mechanisms.
Endpoint detection and response (EDR):
With the rise of remote work and mobile access, endpoints (laptops, phones, tablets) have become prime targets. EDR solutions provide real-time monitoring, threat detection, and automated response capabilities to protect these devices.
Secure by design and default: Cybersecurity must be embedded from the outset of any digital project. This means involving security professionals early, conducting threat modelling, and applying secure coding practices. Just as importantly, systems should be secure by default and configured out of the box with strong protections, so users don’t need to adjust settings to achieve baseline security.
The Government Digital Service (GDS) champions these principles to reduce complexity, minimise misconfiguration risks, and ensure services are safe from day one. And usability matters: if security controls are too complex or obstructive, staff will work around them. Embedding cybersecurity into service design helps reduce human error and makes secure behaviour the natural, easy choice.
THE ROLE OF CYBERSECURITY FRAMEWORKS AND STANDARDS
Adhering to recognised frameworks helps public sector organisations align with best practices and regulatory requirements. Key standards include:
Cyber essentials and cyber essentials plus: Baseline certifications that demonstrate an organisation’s commitment to cyber hygiene.
ISO/IEC 27001: An international standard for information security management systems.
NCSC’s 10 steps to cybersecurity: A practical guide tailored to UK organisations, covering risk management, user education, incident response, and more.
OWASP top 10: A developer-focused awareness framework outlining the most critical web application security risks. It is widely used by development teams and aligns with secure-by-design principles supported by GDS.
HUMAN FACTOR: THE WEAKEST LINK OR THE STRONGEST DEFENCE?
Technology alone cannot secure government systems. Human behaviour plays a critical role in cyber resilience. Unfortunately, human error, negligence, and decision-making
The traditional “castle and moat” model of security, where users inside the network are trusted by default, is no longer sufficient.
under pressure remain some of the leading causes of security breaches, but targeting training, continuous security awareness, and a supportive culture can significantly reduce these risks. (Tackling the ‘human factor’ to transform cybersecurity behaviours.)
To address this, public sector organisations must invest in:
Cyber-awareness training: Regular, engaging training that helps staff recognise phishing attempts, use strong passwords, and report suspicious activity.
Simulated attacks: Phishing simulations and red team exercises (controlled attempts by ethical hackers to test defences) can significantly improve response readiness.
Clear policies and reporting channels: Ensuring that staff know what to do, and who to contact, when they encounter a potential threat.
Create cyber champions: Embedded within teams to build local ownership and culture.
“Security by default, trust through
transparency, resilience through collaboration.”
INCIDENT RESPONSE AND RECOVERY
Even the best cybersecurity cannot guarantee complete protection. That’s why cyber resilience – the ability to respond, recover, and learn from incidents – is vital.
This includes:
Preparation: Define roles, responsibilities, and communication protocols.
Detection and analysis: Quickly identify and assess the scope of an incident.
Containment and eradication: Isolate affected systems and remove the threat.
Recovery: Restore services and data, and ensure systems are secure before resuming operations. This phase should align with business-continuity objectives; systems must be designed to meet non-functional requirements such as recovery point objectives and recovery time objectives, ensuring services can be restored within acceptable thresholds.
Post-incident review: Learn from the incident to improve future resilience.
The NCSC provides detailed guidance on developing and testing incident response plans tailored to public sector needs.
EMERGING TECHNOLOGIES AND FUTURE THREATS
As technology evolves, so do the threats. Forward-looking leaders must stay ahead of
the curve by understanding, preparing for, and anticipating new risks, including:
Artificial intelligence (AI) powered attacks: Cyber criminals are using AI to craft more convincing phishing emails and automate attacks at scale. As the use of generative AI increases, so do the risks of synthetic media, deepfakes, and intelligent malware. Recent research from Check Point outlines key emergent risks and the evolving threat landscape (AI Security Report 2024).
Quantum computing: While still in its infancy, quantum computing could, in the future, render today’s encryption obsolete.
Internet of things vulnerabilities: As more public services rely on connected devices (eg, smart traffic systems, environmental sensors), securing these endpoints becomes critical.
To mitigate these risks, government departments should:
Invest in quantum-resistant encryption
Conduct regular risk assessments of emerging technologies. Collaborate with industry and academia to stay informed and innovate securely.
PUBLIC TRUST AND TRANSPARENCY
Cybersecurity is not just a technical issue – it’s a matter of public trust. Citizens expect their data to be protected and their services to be reliable.
When breaches occur, transparency and accountability are key.
Public sector organisations should:
Communicate openly when breaches occur and be transparent about the steps taken to address them.
Publish independent audit findings and compliance reports.
Engage with citizens, as well as public sector staff, on cybersecurity awareness and digital safety to build cyber literacy.
CONCLUSION
In a digital-first government, cybersecurity is the foundation upon which all services are built. It protects not just data and systems, but the very trust that citizens place in public institutions. Cyber resilience is more than an IT requirement – it’s a foundational enabler of public service delivery and digital innovation.
By adopting a zero-trust mindset, embedding security into every stage of digital transformation, and investing in people as well as technology, the public sector can build a cyber-resilient future.
The threats are real. The stakes are high. But with the right strategies, tools, and culture, government organisations can lead by example, protecting not only their own systems, but the citizens they serve.
NEXT STEPS FOR LEADERS
Senior leaders must champion cyber resilience as a strategic priority, ensuring that their departments are equipped, educated, and aligned with national guidance:
Assess alignment with the National Cyber Strategy.
Commission a cyber-maturity review using NCSC frameworks.
Empower your teams with modern training and tooling.
Explore G-Cloud services to rapidly scale secure capabilities.
Securing government services is a shared responsibility. As we innovate, let’s ensure our foundations remain resilient, adaptive, and trustworthy.
“Security by default, trust through transparency, resilience through collaboration.”
Chris Wilson is a senior client facing professional with over 25 years of experience in IT and digital transformation. Having held several senior roles in technology organisations, he has helped to shape the delivery of digital services and transformation programmes across the UK public sector. Chris works closely with senior stakeholders to tackle complex challenges, modernise legacy systems and build innovative, usercentric digital products. Recognised for cultivating strong strategic relationships and driving measurable improvements, Chris combines deep sector expertise with a passion for creating data-driven, efficient and sustainable public services.
<C.wilson@cgi.com>
The Author
What should board members know about cybersecurity?
BY EMRAN ALI
In today’s interconnected world, cybersecurity is no longer just an IT issue – it’s a strategic priority that should be on every board’s agenda. The rise in high-profile cyberattacks, data breaches, and technology outages is reshaping the responsibilities of boards in the UK and globally. It’s imperative that cybersecurity has the same level of oversight and importance as other business risks like financial or legal.
The question is how board members should engage with this complex issue, especially given that many don’t come from technical backgrounds. Here’s a practical guide on what boards should know about cybersecurity and, more importantly, what they can do to drive meaningful action.
CYBERSECURITY IS A BOARD-LEVEL RESPONSIBILITY
For too long, cybersecurity has been relegated to the back office, seen as a problem for IT teams to manage. However, it is critical that cybersecurity is treated as a core enterprise risk that demands active board oversight. Here’s why:
The expanding attack surface: As organisations adopt new technologies like cloud storage, internet of things devices, and artificial intelligence technology, their
“attack surface” grows. These technologies bring tremendous value but also create new vulnerabilities.
The ease of cybercrime: Cyberattacks are becoming cheaper and easier to launch. For just a few pounds, an attacker can purchase tools to exploit weaknesses in even the most sophisticated organisations.
Regulatory pressures: Boards are increasingly held accountable for cybersecurity issues, including operational failures or breaches. There are a number of regulatory drivers boards need to be aware of, including the UK’s General Data Protection Regulation (GDPR) and, for some critical national infrastructure organisations, the NIS Directive. A framework like the NCSC Cyber Assessment Framework is just one example of evolving regulatory requirements. Non-compliance can lead to heavy fines and reputational damage.
Mergers and acquisitions (M&A): Cybersecurity risks can significantly impact the value and success of M&A transactions, yet they are often overlooked or underestimated during the due diligence process. Boards must embed cybersecurity into their governance frameworks, treating it as a key driver of business resilience and value creation.
It’s imperative that cybersecurity has the same level of oversight and importance as other business risks like financial or legal.
WHAT CAN BOARDS DO TO STRENGTHEN CYBERSECURITY?
To effectively govern cybersecurity, board members don’t need to be experts, but they do need to be informed, engaged, and proactive. Here are six key strategies:
1. Integrate cybersecurity into strategic decision-making
Cybersecurity should be a recurring topic in board meetings, not just an occasional update. It must be embedded into the company’s overall strategy. Boards should ask management the following questions:
How does our cybersecurity strategy align with our business objectives?
Are we prioritising the protection of critical assets, such as customer data or manufacturing processes?
Have we sought expert, external assurance of our cyber maturity?
By linking cybersecurity to the organisation’s broader goals, boards can ensure it receives the attention and resources it deserves.
2. Enhance cybersecurity expertise
The lack of cybersecurity expertise on boards is a common challenge. Boards can address this gap by:
Training and education: Regularly attend workshops, industry conferences, and utilise resources like the NCSC’s Cyber Security Toolkit for boards.
Engaging consultants: Independent experts can provide insights into emerging threats and evaluate the organisation’s security posture.
Recruiting cyber specialists: Consider appointing board members with cybersecurity expertise to guide decisionmaking.
A knowledgeable board is better equipped to ask the right questions and hold management accountable.
3. Embrace risk-based cyber governance
Boards should prioritise a risk-based approach to cybersecurity; it is important they understand the criticality of assets to support decisionmaking and ensure proportionality and an outcome-based approach when implementing controls:
Understand the threat landscape: Make sure the organisation is staying informed about the latest threats from actors operating in their sector, how they are operating, and the vulnerability posture.
Define risk appetite and tolerance: Decide how much risk the organisation is willing to accept. The goal is to establish the minimum acceptable level to meet their strategic objectives.
Demand risk integration: Ensure that cyber-risk analysis is part of all major decisions; it should be included and embedded across different processes within the business.
Mature, outcome-focused metrics: Boards must move beyond receiving raw data (eg, the number of phishing emails received) and demand mature, accurate, and outcome-focused metrics. These metrics should provide clear insights into risk exposure and assess whether cybersecurity investments are delivering the intended results, empowering boards to make informed strategic decisions.
Board members don’t need to be cybersecurity experts, but they do need to ask probing questions that drive accountability.
4. Foster a culture of cyber resilience
It is important boards understand how security fits into the culture of the organisation, where security is, where it can be, and where it should be in the cultural spectrum. Cybersecurity culture often starts from the top, and board members play a critical role.
Encouraging collaboration: Ensure cybersecurity teams work closely with other departments like legal, compliance, and operations.
Promoting awareness: Support company-wide cybersecurity training to help employees identify and report potential threats.
Engaging in simulations: Participate in tabletop exercises and cyberattack simulations to understand how prepared the organisation is to respond to incidents.
Cybersecurity is not just about technology – it’s about people and processes.
5. Stay ahead of regulatory changes
It is vital boards stay abreast of the regulatory landscape and understand how it impacts the organisation.
Understand applicable laws, contractual requirements, and compliance frameworks: Familiarise themselves with frameworks like GDPR, the NIS Directive, and PCI DSS v4. Each has unique requirements for breach reporting, data protection, and compliance. These frameworks don’t just have unique requirements, but sometimes they also set explicit expectations for boards, eg, NIS2 (Article 20(2)):
“Member States shall ensure that the management bodies of essential and important entities approve the cybersecurity riskmanagement measures taken by those entities in order to comply with Article 21, oversee its implementation and can be held liable for infringements by the entities of that Article.”
Monitor compliance: Regularly review the organisation’s compliance status and address any gaps.
Engage legal counsel: Work with experts to ensure the organisation’s cybersecurity practices meet regulatory standards.
In a global economy, boards must also account for differences in international regulations and ensure these are incorporated into the company’s response plans.
6. Ask the right questions
Board members don’t need to be cybersecurity experts, but they do need to ask probing questions that drive accountability. Key questions include:
What is our current cybersecurity risk profile and has an independent cyber risk assessment been carried out?
Have we aligned to any best-practice framework and is there a cybersecurity strategy?
What is our overall cybersecurity posture?
Are we adequately resourced to address our cybersecurity needs?
How do we handle third-party risks in our supply chain?
Have we rehearsed our incident response plan? If we faced a major attack, could we recover?
By challenging the executive team, boards can ensure the organisation is not just reacting to threats but proactively preparing for them.
The Author
Emran Ali is Associate Director of Cyber Security at Bridewell and is responsible for overseeing the consultancy teams and working alongside the executive leadership team to deliver industry-leading client consultancy. He drives growth across his organisation in the following areas, including but not limited to, ISO 27001, ISO 22301, CAF, PCI, NIST CSF, and CIS Controls. He has also performed the role of a Virtual Chief Information Security Officer (CISO) for several of Bridewell’s key clients. Additionally, Emran is a member of the ISC2, ISACA, and The SABSA Institute of Security Architecture, providing recommendations for improvements across the industry. Prior to joining Bridewell, Emran worked on largescale cybersecurity assurance and transformation projects with NHSD.
<www.bridewell.com>
Cyberattacks 2025 –what organisations can do to stay protected
BY DIANA DINU
There was major turbulence in the world of cybersecurity in the first few months of 2025, with a surge in ransomware attacks and cyber threats rocking key sectors, both in the UK and internationally. Multiple high-profile organisations, from retail and healthcare to public education and government institutions, have been hit by significant data breaches and cyber-related incidents.
This piece will summarise the key incidents that have unfolded in 2025 to date, analyse their implications, and provide information on regulatory responses, as well as recommendations for organisations aiming to strengthen their cyber defences.
Retail
Marks & Spencer (M&S) – a cyberattack occurred on 17 April 2025, involving the British retailer M&S, during which fundamental retail operations such as contactless payments and online ordering were compromised. The breach has already caused reputational damage and financial losses of millions of pounds
The Co-operative Group (Co-op) – shortly after the M&S attack, the Co-op was forced to shut down parts of its IT infrastructure in response to an attempted cyberattack, which disrupted Co-op’s stock monitoring and access
to internal systems. Furthermore, the Co-op has confirmed that the recent cyberattack led to unauthorised access to a significant set of customer data, including names and contact details, relating to current and past members. While the Co-op has not publicly disclosed specific financial losses directly attributed to the recent cyberattack, the incident has had a notable operational impact, including temporary store closures and supply-chain interruptions, particularly in remote areas such as the Isle of Skye and Western Isles.
Harrods – just days after M&S and the Coop were targeted, Harrods was also hit by a cyberattack . Harrods is understood to have been forced to shut down some systems and restrict internet access; however, all stores remained open, and it continued to operate its online sales. Harrods has not yet provided specific details regarding the extent of the breach or confirmed whether personal data was compromised.
Healthcare
HCRG Care Group – in February 2025, the HCRG Care Group (a UK healthcare provider formerly known as Virgin Care) was targeted in a significant cyberattack . The attackers (Medusa gang) claimed to have exfiltrated over 2 terabytes of data, including medical information. The hackers demanded a $2 million ransom.
Frederick Health Medical Group – in January 2025, in the USA, the Frederick Health Medical Group suffered a breach affecting almost 1 million individuals. Compromised data included names, addresses, Social Security numbers, and medical records. Furthermore, in April 2025, DaVita Clinics, one of the largest dialysis providers in the USA, faced encryption of critical parts of its network , by a ransomware group, disrupting internal communications.
Education
City of Edinburgh Council – in May 2025, the City of Edinburgh Council’s education system was struck by a phishing-driven cyberattack , which exposed public education infrastructure vulnerabilities and raised concerns regarding the preparedness of schools and councils to handle such digital threats. The attack led to a reset of all network passwords across schools, leaving over 2,500 students without access to key platforms, such as OneNote and Microsoft Teams, during their exam preparations.
Baltimore City Public Schools – as reported by CBS News, Baltimore City Public Schools in the USA also suffered a breach that disrupted IT services and exposed sensitive data of some current and former employees, volunteers, contractors, and students.
The attackers (Medusa gang) claimed to have exfiltrated over 2 terabytes of data, including medical information. The hackers demanded a $2 million ransom.
Council and police
UK council and police websites – the proRussian group NoName057(16) attacked UK council and police websites in retaliation for British support of Ukraine, successfully overwhelming public-facing servers and causing temporary service disruptions. These distributed denial-of-service attacks, while not data breaches, caused temporary public service outages, and they are emergent tactics in cyberwarfare to erode public trust.
Rising threat landscape
According to the UK National Cyber Security Centre’s (NCSC) annual review report, cyber threat is dynamic and grows more complex each year. The rise is partly attributed to cybercriminals adapting their business models to embrace the use of artificial intelligence (AI) to increase the volume and impact of cyberattacks, and exploit vulnerabilities related to AI. In line with this report:
Over 1,950 cyberattacks occurred in 2024.
89 were considered significant, and 12 highly severe – a three-fold increase year on year.
The NCSC has also recently reported the doubling of nationally significant cyber incidents between September 2024 and May 2025.
Regulatory and legislative response
As cyberattacks increase in complexity and frequency, the regulators are responding with updated policies and legislative initiatives, such as:
The Cyber Security and Resilience Bill (UK): Announced in April 2025, this bill aims to improve UK cyber defences and protect its essential public services, by creating stricter requirements for response, risk assessment, and reporting.
Data (Use and Access) Act: Adopted in June 2025, the Data (Use and Access) Act introduces a framework for improved data sharing across sectors, with measures designed to safeguard privacy.
The EU Cyber Resilience Act (CRA): Introduces a uniform framework of mandatory cybersecurity requirements for products with digital elements.
The EU-wide NIS2 legislation: Imposes new obligations on providers of critical infrastructure, defined in the act as “important entities” or “essential entities”.
According to the UK National Cyber Security Centre’s (NCSC) annual review report, cyber threat is dynamic and grows more complex each year.
How
organisations can protect themselves
Every organisation must adopt a robust cybersecurity posture, particularly given the frequency of attacks and the variety of sectors impacted and methods of attack. Below are some essential measures that can help reduce risk and improve response readiness:
Prioritise endpoint security by ensuring that all devices and servers are protected with advanced endpoint security solutions.
Patch and update regularly. Ensure systems and software are patched as soon as updates become available, by using automated tools.
Implement zero-trust architecture. Ensure that all users and devices must authenticate themselves before accessing network resources.
Enforce multi-factor authentication across all user accounts.
Implement real-time monitoring to monitor and respond to suspicious behaviour instantly.
Maintain encrypted, offline backups.
Train your staff, as human error remains a leading cause of breaches.
Align with regulatory standards and ensure that your practices are legally compliant and auditable.
Engage professionals to conduct thirdparty audits.
Have a robust incident response plan in place.
As data becomes increasingly valuable, cybercriminals continue to advance their tactics, targeting both human error and technical vulnerabilities. From exam disruptions in schools to paralysed supply chains in retail, the cybersecurity threats of 2025 are more integrated into daily life than ever before. By proactively investing in technology, training, and compliance, organisations can reduce their risk and maintain the trust of their customers and stakeholders.
Trilateral’s Data Protection and Cyber Risk Team has cybersecurity and data protection specialists with extensive expertise and experience in assisting organisations in building robust frameworks, policies, procedures, and training to ensure prevention of cybersecurity threats. If you’d like to know more about how our cybersecurity experts can support your organisation, check out the specialist services we provide. Please feel free to contact our advisors, who would be more than happy to help.
BY NIELS LADEMARK
Data definitions: What is reference data?
In my previous article (see Bulletin 246, September edition), I talked about master data, specifically what master data is. I decided to continue my rant and provide my definition of reference data. Master data and reference data are often used interchangeably, but reference data is its own distinct concept.
DEFINITION
Reference data consists of relatively simple, reusable lists that are only used in the context of other data. The key words here are “simple,” “reusable,” and “with other data”.
Reference data always consists of at least a number (a key) and a set of associated attributes.
Reference data comes in sets or finite lists (also known as an enumerated list by those familiar with the concept), meaning each type of reference data has a set number of records.
Reference data is often referred to as “codes”, “terms”, or “charts”.
SOME CHARACTERISTICS OF REFERENCE DATA
Reference data has no intrinsic value. It is only useful through its association with other types of data (master data, transaction data, or aggregated data). For example, a list of sales districts is only useful if customers, sales representatives, and potentially a report on sales turnover actually reference the list of sales districts.
The authoritative source of reference data can be external (such as the UN list of country codes)… or the source can be internal, for example, a list of possible “payment terms” offered to customers.
Reference data shares some properties with master data but also has significant differences.
SIMILARITIES TO MASTER DATA
A reference data record should exist in only one version, which is then reused.
Like master data, reference data is used in a multitude of situations. For example, postal codes are referenced by the addresses of customers, suppliers, and vendors in master data entities.
Reference data should be governed. Using two different lists of delivery terms in the order system and in outbound logistics can cause a lot of dissatisfaction or loss of revenue.
DIFFERENCES FROM MASTER DATA
Reference data varies in complexity but is always much simpler than master data entities. For example, the UN list of country codes consists of an abbreviation and a text field – a list with just two fields.
However, reference data entities can sometimes be a bit more complex and may refer to simple business rules.
At any point in time, all types of reference data have a fixed number of entries. You do not add a currency code as you would add a customer; the entries may change, but this happens rarely.
EXAMPLES OF SIMPLE REFERENCE DATA
Product colour codes, currency codes, postal codes, etc.
A list of postal codes is an example of a very simple list that stems from an external authoritative source (usually a national postal service), eg, “1066 Copenhagen” or “10001 New York City”.
EXAMPLE OF COMPLEX REFERENCE DATA
A chart of accounts is a complex hierarchy of reference data with associated rules that describe transaction data and/or master data.
Master data association A customer (master data) is associated with an account; often, a customer entity is referred to as “an account”.
Transaction data association An expense is assigned an account number, as in the procurement of a spare part.
Business rule association Limited access: Only certain employees can see or use the account.
COMMON ISSUES WITH REFERENCE DATA
Sometimes different versions of reference data exist. Such lists may overlap, contain conflicting information, and are usually maintained in different parts of the organisation. This can have “interesting” side effects.
A large company could not balance its books because two different sources of currency tables were used. The last digit in the exchange rates accumulated into significant differences across accounts, totalling millions.
A logistics company suddenly could not make bookings because two reference tables used the same list entity for two different terminals.
When one terminal closed, the entry was removed in one part of the organisation but not in the other. This caused disruptions in the booking system for months.
Feel free to share or comment if you find this useful, disagreeable, or if you want to exchange war stories.
The Author
Niels Lademark began his career as a Master of Agriculture but soon realised his mistake and changed to the IT industry. The first stop was working with data governance back in 1997, before the term was coined. As the master data manager at the University of Copenhagen, he was responsible for collecting and reporting the total research and conveyance of science done, from papers to museum exhibitions, in one unambiguous format. After a 5-year tenure at the Danish State Railways as information and enterprise architect, he joined a dedicated information management consultancy in 2007, and later Deloitte after a merger. The project tally as a management consultant ended at 28, after 14 years of consulting. All these projects revolved around enterprise architecture or information management. Currently, he works as an enterprise architect at the Nordic Resource Coordination Centre (Nordic RCC), which calculates the electric grid capacity across Scandinavia to maximise the utilisation of green electricity production capacity.
<nlh@nordic-rcc.net>
<linkedin.com/in/nielsheegaard>
How to ensure data quality for generative AI success
BY TEJASVI ADDAGADA
THE CRITICAL LINK BETWEEN DATA QUALITY AND GENERATIVE AI
Generative AI models learn from existing datasets to generate new content, insights, or predictions. If the input data is flawed, biased, or inconsistent, the output will be unreliable.
From our experience in enterprise AI implementations, we have seen that poor data quality leads to inaccurate models, flawed predictions, and a lack of user trust. On the other hand, when the data is reliable, AI delivers consistent, high-impact results.
Generative artificial intelligence (AI) is transforming industries from healthcare to banking and beyond. It helps automate processes, create intelligent content, and support decision-making. However, one often overlooked but crucial component of AI success is data quality. Without clean, accurate, and governed data, even the most advanced AI models can fail.
DATA QUALITY AND GOVERNANCE IS IMPERATIVE FOR AI SUCCESS
To maintain high data quality, a solid data governance strategy is essential. Governance includes setting rules, roles, and responsibilities for data use and management. It helps in standardising data sources, formats, and access permissions.
Key elements of a data governance strategy:
Data ownership and stewardship
Metadata management
improvement just by removing outdated and duplicate records. This drastically improved the model’s predictions and reduced bias.
Clean, diverse, and up-to-date data ensures that the AI:
1.Learns from accurate patterns
2.Produces relevant and reliable content
3.Avoids repetition and hallucinations
4.Adapts effectively to new inputs
A GUIDE TO IMPROVING DATA QUALITY IN GENERATIVE AI
Here are some foundational steps to ensure highquality data for generative AI:
1. Data profiling: Understand the current state of your data – identify gaps, errors, and inconsistencies.
2. Data cleansing: Fix issues such as missing values, duplicates, and incorrect formats.
3. Data enrichment: Add external or complementary datasets to improve variety and coverage.
This article explores the vital role of data quality generative AI, why it matters, and how organisations can ensure their data meets the standards required for successful AI applications.
Quality standards and validation rules
Data life cycle management
Access control and auditing
By integrating governance with AI development, organisations can ensure their models are trained on consistent, trustworthy data.
UNLOCKING GENERATIVE AI: THE ROLE OF DATA QUALITY
A trained generative AI model depends on the richness and integrity of its training data. For example, in one project with a financial institution, we saw significant model
4. Standardisation: Align data into consistent formats and structures across systems.
5. Validation rules: Set rules to prevent bad data from entering systems in the first place.
REMEDIATION OF DATA-QUALITY ISSUES
Addressing data-quality issues should be a continuous process. Based on our field experience, these are some effective remediation methods:
Automated tools that detect anomalies using AI
Manual intervention for complex issues like semantic conflicts
Ongoing monitoring through dashboards and alerts
User training to prevent incorrect data entries
One client we worked with used AI tools for anomaly detection and reduced their data errors by over 60% within 3 months.
HOW DOES DATA QUALITY IMPACT GENERATIVE AI PERFORMANCE?
Data quality directly affects model performance in several ways:
1. Accuracy: The model produces better results when trained on accurate data.
2. Fairness: High-quality data reduces bias in generative content.
3. Efficiency: Clean data speeds up training and reduces computational cost.
4. Trust: Users trust AI outcomes when the data behind it is sound.
In simple terms, garbage in, garbage out; AI is only as good as the data it learns from.
FIVE KEY FACTORS LINKING DATA QUALITY
AND GENERATIVE AI
Completeness – missing data limits AI learning.
Consistency – uniform data across systems reduces confusion.
Validity – data must follow specific rules (eg, date formats).
Timeliness – AI needs up-to-date information to be relevant.
Accuracy – mistakes in data will reflect in AI-generated outputs.
SEVEN TIPS FOR ENHANCING DATA QUALITY IN AI PROJECTS
1. Set clear data-quality standards from the start.
2. Use automated data validation and cleansing tools.
3. Implement a scalable data governance strategy.
4. Train teams in data entry and quality practices.
5.Regularly audit and monitor data sources.
6.Maintain documentation for all datasets.
7. Include data risk management plans for critical data assets.
By following these tips, organisations can create a strong foundation for successful generative AI deployment.
UNDERSTANDING DATA QUALITY’S SIGNIFICANCE
Data quality is more than just a technical metric; it’s a strategic asset. Without reliable data, AI initiatives can lead to poor decisions, reputational damage, or even compliance violations.
In sectors like healthcare, banking, and public services, we have seen how data quality impacts everything from service delivery to legal risk. That is why aligning data quality with a clear data governance strategy and data risk management framework is crucial.
FAQS
Q1. Why is data quality important for generative AI?
Generative AI relies on existing data to generate content or insights. Poor data quality leads to inaccurate, biased, or irrelevant results.
Q2. How can I improve data quality for AI projects?
Start with data profiling and cleansing. Use tools to detect errors and integrate a governance strategy to maintain standards long term.
Q3. Can AI be used to improve data quality?
Yes, AI and machine learning can detect anomalies, clean data, and automate validation processes to improve data quality.
Q4. What is data risk management?
It involves identifying and mitigating risks related to data quality, privacy, compliance, and availability within an organisation.
Q5. What is the role of data governance in AI?
Governance ensures data consistency, security, and compliance, enabling AI to perform reliably and ethically.
CONCLUSION
For generative AI to truly succeed, data quality must be a top priority. From data profiling and standardisation to governance and risk management, each step plays a critical role in ensuring AI outputs are accurate, fair, and actionable.
By investing in a clear data governance strategy and ongoing data risk management, organisations not only boost AI performance but also build trust in their digital transformation journey.
Now is the time to treat your data like the valuable asset it is, because with generative AI better quality data means better outcomes.
The Author
In simple terms, garbage in, garbage out; AI is only as good as the data it learns from.
Tejasvi Addagada is a seasoned business strategist, data and software architect with an impressive track record. He has held prestigious positions such as Head of Data & Analytics, Chief Data Officer (CDO), and Privacy Officer in global organisations. Tejasvi is also a bestselling author, having written two books on data management and risk. His expertise extends to assisting over 15 organisations in developing winning business models. He provides contingencybased strategies, culture-oriented operating models, and customised organisational structures, all while leveraging cutting-edge technology engineering.
<www.tejasviaddagada.com>
<www.linkedin.com/in/tejasviaddagada> @tejasviaddagada
ISO 9001, ISO 30301 and ISO 15489
BY ANDREW POTTER
ISO 9001:2015 –The quality management backbone
ISO
15489:2016
In the world of standards and certification, ISO 9001 and ISO 15489 often circle each other like two planets in the same orbit – close, related, but distinct. For organisations that are serious about quality management and the integrity of their information assets, understanding how these two standards interact is crucial.
–The records management blueprint
ISO 9001:2015 is the global blueprint for quality management systems (QMS). It demands that organisations document their processes, retain evidence of conformity, and continually improve. Key requirements around “documented information” in Clause 7.5 include:
• 7.5.1 General: Organisations must determine what documented information is required and ensure it is adequately maintained and retained.
• 7.5.2 Creating and updating: Documented information must be properly identified, reviewed, and approved to ensure suitability and adequacy.
• 7.5.3 Control of documented information: Information must be protected from loss of integrity and confidentiality, and be available where and when needed.
This is where ISO 15489 steps in. Focused solely on records management, ISO 15489 offers detailed principles and processes for creating, capturing, maintaining, and disposing of records. It is the “inside manual” for making documented information reliable, authentic, usable, and trustworthy over time.
Strikingly, ISO 9001:2015 does not cite ISO 15489 anywhere – not in its main text, not in its bibliography, and not in its guidance documents. The two standards operate independently. ISO 9001 simply expects documented information to exist and to be controlled, leaving organisations free to determine the methods that best fit their context.
These clauses push organisations to systematically control the creation, approval, distribution, and retention of critical records. However, ISO 9001 deliberately stops short of prescribing exactly how to manage records beyond these high-level demands.
How they work together in practice
When an organisation uses ISO 15489 as the framework to fulfil ISO 9001’s documentation requirements, the benefits multiply. Records are not only retained – they are structured, metadata-rich, contextually linked, and primed for auditability.
Focused solely on records management, ISO 15489 offers detailed principles and processes for creating, capturing, maintaining, and disposing of records.
In essence:
• ISO 9001 says you must control your documents and records.
• ISO 15489 shows here’s how to do it to the highest standard.
ISO 15489 enhances ISO 9001 Clause 7.5 compliance by operationalising good information governance. It brings rigor to document creation, maintenance, and disposition, thereby reducing risk and strengthening trust in the organisation’s documented information.
Enter ISO 30300: The gravitational pull of management systems
If ISO 9001 and ISO 15489 are neighbouring planets, then the ISO 30300 series is the gravitational field that helps align them. The ISO 30300 family – especially ISO 30301 – sets requirements for management systems for records using the same high-level structure that ISO 9001 uses for QMS.
Both ISO 9001 and ISO 30301 require organisations to:
• understand their context
• define policy and objectives
• plan for risks and opportunities
• control documented information
• measure performance and improve continuously
Good records management, underpinned by ISO 30300 principles, strengthens business practice in the same way that a stable planetary orbit fosters life: by creating a trustworthy, navigable, and resilient operating environment.
Practical checklist: Using ISO 15489 to boost your ISO 9001 audit readiness
While ISO 9001 ensures that an organisation’s products and services meet quality standards, ISO 30301 ensures that the organisation’s evidence and memory are reliable and retrievable. Together, they orbit a common goal: sustainable, credible, and continually improving organisational performance.
Conclusion: Voluntary, but vital
No auditor will demand that you implement ISO 15489 or ISO 30301 to achieve ISO 9001 certification. But any organisation that wants not just to pass an audit but to excel in governance, risk management, and operational resilience would be wise to integrate records management principles.
In the universe of standards, good records management isn’t a distant moon – it’s a stabilising force. As digital transformation accelerates and regulatory expectations grow, building a bridge between ISO 9001, ISO 15489, and ISO 30301 isn’t just best practice. It’s becoming essential for intelligent, resilient business operations.
Identify all documented information required under ISO 9001.
Apply ISO 15489 principles to ensure each document is authentic, reliable, usable, and trustworthy.
Implement metadata standards for traceability (eg, date created, author, version).
Ensure controlled access to records to maintain integrity.
Establish clear retention and disposition policies aligned with ISO 15489.
In the universe of standards, good records management isn’t a distant moon –it’s a stabilising force.
Train staff in proper recordkeeping practices.
Periodically audit your documented information for gaps or risks.
The Author
Document your records management procedures for internal and external auditors.
Andy Potter is a consulting information professional focused on records management standards and digital governance. At the National Archives and Records Administration (NARA), he modernised federal records policies, regulatory frameworks, and electronic records programs. He contributes to international standards through ISO TC 46/SC 11, promoting digital preservation, interoperability, and best practices. Andy helps organisations navigate compliance, emerging technologies, and digital transformation, ensuring long-term accessibility and effective records governance. His work advances consistent, globally collaborative standards across the records management field.
<apotter@metaarchivist.com>
<https://metaarchivist.substack.com>
Executive leadership in action
BY CRAIG GRIMESTAD
So, how can executive leadership use psychology to communicate to an organisation that corporate records management is now a priority?
What? You’re saying executive leadership needs to use psychology to implement a successful record information management (RIM) program? I thought executive leadership says what to do and the organisation just needs to do it. No? The psychology part comes in how to best communicate this to your organisation.
Communications – (words and actions) need to be crystal clear and unmistakable – like a bugle’s call to action, not a time for a symphony or a jazz band. Words and actions need to consistently convey the same message. It’s not what you say... it’s what you do.
So, how does an executive who gets it clearly communicate that corporate records management is now a corporate priority that is to be accomplished by full cooperation and participation by the entire workforce – understanding that anything less than full compliance causes unknown and unacceptable risk to the company.
There are numerous ways to provide a clear message of support and encouragement from leadership. If your company is transitioning its RIM program from a focus on storage facilitation to a records governance focus – this is a big change.
For the executive who wants to provide leadership, individual situations and circumstances will determine the specific communications and actions. However, here are some options to consider:
• Finance the RIM full-compliance project – funding a corporate mandate is one of the strongest signals that can be sent. Providing resources to accomplish an objective garners support and leaves little room for lack of accomplishment.
• Be a spokesperson – provide introductory and regular communications supporting the program, explaining its goals, and reporting on progress, and activities remaining.
• Be an advocate – explain why it makes sense and is of value to the company.
• Be a cheerleader – acknowledge and recognise those individuals and areas that have been successful in embracing and complying with the RIM requirements.
• Lead by example – visibly embrace and comply with the RIM requirements in your area of direct control.
• Assign respected individuals – fill positions of responsibility (from ‘responsible executive’ and records manager to department coordinators) with individuals who are known and respected for their capabilities and accomplishments. Include ‘up and comers’ (excellent opportunity to learn operations and develop leadership skills with minimal risk).
• Participate in the RIM program – learn the details of the RIM program (not difficult) and consider becoming an instructor – perhaps for your direct reports?
With too much to do, and not enough time or budget to accomplish it all, employees try to determine what is really important to their leadership and then align their time and budgets with those priorities.
I digress – I recall a time some years ago when our division got a new executive vice-president as the CEO. This vice-president was a little different than his predecessors, as he favoured cardigans rather than suits or sport jackets.
It was interesting (and a bit amusing) to observe how members of his staff (and then their staff) over time (never before seen in cardigans) also started to sport cardigans!
An executive who embraces, advocates, and ‘wears’ the new RIM fabric is a tremendous advantage for the RIM project and subsequent ongoing compliance. For that company, it is a key success factor.
The Author
change management. He holds an MSc in engineering and was the Records Manager for the Electro Motive Division of General
where he participated in the development of the GM Corporate RIM program, and implemented and managed Electro Motive Division’s RIM program.
<www.ironmountain.com/uk/resources> <www.linkedin.com/in/craig-grimestad2214b37>
Craig Grimestad is a senior consultant with Iron Mountain Consulting. His specialty is designing RIM core components with subspecialties for RIM auditing and
Motors,
Confronting fear: Embracing uncertainty for personal growth
BY JACQUELINE STOCKWELL
Fear is a universal experience. It comes in many forms, from the fear of failure to the fear of public speaking. For me, it’s the fear of pigeons in London. This fear, rooted in the unpredictability of these birds, their sudden movements, and the mere thought of them flying into my face, has often dictated my behaviour in the city. But fear, no matter how irrational it may seem, can be overcome by pushing ourselves out of our comfort zones.
MY ENCOUNTER WITH LONDON’S PIGEONS
Walking through London, I encountered a common sight: a flock of pigeons pecking at the ground. Normally, I would jump around like a lunatic, take a leap to avoid them, or even change my route. But on this particular day, I was determined to face my fear head-on. The only way to reach my destination was to walk through them.
I stopped, took a deep breath, and gave myself a pep talk. “You can do this. What’s the worst that could happen?” To avoid falling into blind panic, I used a technique I recommend for public speaking: squeezing my upper thighs and buttocks. This simple act grounded me and helped me focus.
With my heart racing and sweat trickling down my back, I took a step forward. Then another. And another. Each step was a battle against my instincts to flee. But I kept go -
ing, one brave foot after another, until I was through the flock. I was terrified, but I did it.
THE LESSONS LEARNED
This experience taught me several valuable lessons about fear and personal growth:
1. Face your fears: Even when you’re scared, face your fears. Avoiding them only gives them more power over you. By confronting your fear, you take back control.
2. Embrace discomfort: Growth happens outside your comfort zone. Whether it’s pigeons, public speaking, or any other fear, stepping into discomfort is essential for personal development.
3. Use grounding techniques: Find techniques that help you stay grounded in moments of panic. For me, squeezing my
upper thighs and buttocks works wonders. Find what works for you and use it.
4. Positive self-talk: Encourage yourself. A simple pep talk can shift your mindset from fear to determination.
5. Focus on the goal: Keep your end goal in mind. In my case, it was reaching my destination. Focusing on the outcome can provide the motivation needed to push through fear.
THE IMPORTANCE OF FEAR IN GROWTH
Fear is not the enemy; it’s a signal that you’re stepping into new territory. It’s a sign that you’re about to grow. Embrace it, learn from it, and let it propel you forward. This journey, as I’ve outlined in my previous blog about the learning curve, is essential for self-improvement.
In conclusion, overcoming fear is about feeling the fear and doing it anyway. It’s about digging deep and finding the courage to push through discomfort. By doing so, you not only conquer your fears but also unlock new levels of personal growth and resilience. So, the next time you encounter your own version of pigeons in London, remember: you have the strength to walk through them.
The Author
Jacqueline Stockwell is the CEO and Founder of Leadership Through Data. She leads global information management training and consulting, making learning fun and engaging for information leaders. Her presentations equip leaders with skills to deliver engaging content, incorporating behavioral psychology and colour communication styles. Currently, she is transforming eLearning into exciting opportunities for staff and business growth by combining creative leadership with proactive information management. She emphasises the importance of security and compliance for business success, promoting continuous learning and innovation to help organisations thrive in the digital world.
<jacqueline@leadershipthroughdata.co.uk> <https://leadershipthroughdata.com>
Spotlight on Paulina Jedwabska
From construction site to compliance: My journey into records management
My career in records and information governance wasn’t planned – it evolved, shaped by curiosity, opportunity, and the trust of those who were willing to take a chance on me.
My career in records and information governance wasn’t planned – it evolved, shaped by curiosity, opportunity, and the trust of those who were willing to take a chance on me. Like many in the field, I didn’t set out thinking I would work in records management. But over time, I came to appreciate the central role it plays in enabling organisations to function effectively, transparently, and with accountability. I began my journey in an unlikely place: a construction site. I joined Balfour Beatty as a document controller, managing drawings, project files, and correspondence. From site to site, I grew comfortable navigating complex technical documentation, working with engineers, contractors, and project managers. I was thrown in at the deep end, but I found satisfaction in bringing order to chaos, ensuring records were complete, accurate, and retrievable.
the first time. Working alongside internal and external stakeholders, such as the London Organising Committee of the Olympic and Paralympic Games; The National Archives (TNA); the Royal Institute of British Architects; and the Department for Culture, Media and Sport (DCMS), I began to understand records as more than evidence – they were legacy, compliance, and knowledge assets all in one.
After my time abroad, I returned to the UK and took up a role at the National Portrait Gallery, supporting records, archives, and freedom of information requests
The turning point came when I transitioned to the client side of delivery, taking on an assurance role during the London 2012 Olympics. I was responsible for reviewing documentation and records submitted by construction contractors. The sheer scale and visibility of the Olympics demanded precision – and that’s where I encountered formal records management for
That experience opened unexpected doors. I moved to Switzerland and supported the Olympic Movement at a global level, helping Organising Committees for the Olympic Games and bid cities to manage their records, preserve institutional knowledge, and ensure that critical information wasn’t lost between events. While others ran marathons, I ran information audits – and occasionally rewatched all eight seasons of Game of Thrones in a single sitting.
After my time abroad, I returned to the UK and took up a role at the National Portrait Gallery, supporting records, archives, and freedom of information requests. Working in the cultural sector was a privilege – it reminded me how history, art, and public accountability intersect through careful recordkeeping.
As technology evolves, so does the role of governance. My current work increasingly intersects with artificial intelligence, particularly how large language models interact with information and organisational data.
From there, I joined DCMS, returning to central government. My work included supporting arms-length bodies with General Data Protection Regulation and Data Protection Act compliance, improving audit scores through work with TNA, and contributing to Brexit readiness – particularly the thorny area of international data transfers. It was a challenging and rewarding time, where the impact of good governance was tangible.
After government, I moved to the Wellcome Trust, one of the world’s leading charitable foundations. There, I continued my career in information governance, focusing on policies, process development, retention schedules, and sensitivity classifications. I enjoyed building and embedding structures that would outlive my time there, supporting both operational needs and research excellence.
Most recently, I’ve joined Slaughter and May as their first dedicated information governance professional at the firm. Being part of a law firm – particularly one of such standing – brings a different lens to governance and compliance. It’s an exciting challenge to build frameworks from the ground up, ensuring they are not only fit for purpose but aligned with legal practice, risk, and client expectations.
As technology evolves, so does the role of governance. My current work increasingly intersects with artificial intelligence, particularly how large language models interact with information and organisational data. Going forward, ethical considerations, transparency, and robust governance will become even more critical. As professionals in this space, we must stay curious and informed, continuously upskilling ourselves to keep pace with developments. The future of records and data isn’t just about storage – it’s about stewardship, values, and trust.
Throughout my career, I’ve changed industries more than once – from construction to culture, government to global events, charity to law. What’s remained constant is the belief that good information management underpins good decision-making. I’ve never taken a conventional path, and I owe much of my progress to people who were willing to take a chance on me. That pattern – of opportunity arising from trust – has shaped both how I work and how I support others.
I’m often asked why I stay in this field. The answer is simple: it matters. Records management and information governance
may not be glamorous, but they are essential. We hold the scaffolding of accountability, memory, and compliance. And sometimes, the unsung heroes behind the scenes are the ones who make the difference. That’s also why I volunteer as the IRMS Conference Director – to help create space for others in the profession to connect, learn, and be inspired. It’s my way of giving back to a community that has shaped my journey and continues to drive me forward.
I’m often asked why I stay in this field. The answer is simple: it matters.
< paulina.jedwabska@irms.org.uk>
The Author Paulina Jedwabska is a data, information governance and knowledge management specialist with a proven track record of engaging at multiple levels within complex organisations in UK and internationally recognised bodies.
Charity fined following destruction of irreplaceable personal records Police conduct investigator fined after unlawfully obtaining sensitive case details
The Information Commissioner’s Office (ICO) has fined Scottish charity Birthlink £18,000 after it destroyed approximately 4,800 personal records, up to 10% of which may be irreplaceable.
The investigation found the charity had limited knowledge of data protection obligations and lacked cost-effective and easy-to-implement policies and procedures, which would likely have prevented the destruction.
Sally Anne Poole, Head of Investigations, said:
“This case highlights – perhaps more than most – that data protection is about people and how a data breach can have far-reaching ripple effects that continue to affect people’s lives long after it occurs.
“The destroyed records had the potential to be an unknown memory, an identity, a sense of belonging, answers – all deeply personal pieces in the jigsaw of a person’s history – some now lost for eternity.
“It is inconceivable to think, due to the very nature of its work, that Birthlink had such a poor understanding of both its data protection responsibilities and records management process. We do, however, welcome the improvements the charity has subsequently put in place, not least by appointing a data protection officer to monitor compliance and raise awareness of data protection throughout the organisation.
“Whilst we acknowledge the important work charities do, they are not above the law and by issuing and publicising this proportionate fine we aim to promote compliance, remind all organisations of the requirement to take data protection seriously and ultimately deter them from making similar mistakes.”
In January 2021, Birthlink reviewed whether they
could destroy ‘linked records’, as space was running out in the charity’s filing cabinets where they were stored. Linked records are files of cases where people have already been linked with the person they sought and can include handwritten letters from birth parents, photographs and copies of birth certificates.
Following a February 2021 board meeting, it was agreed that no barriers to the destruction of records existed but that retention periods should apply to certain files and only replaceable records could be destroyed. Due to poor recordkeeping, it is estimated some records were destroyed on 15 April 2021 with a further 40 bags destroyed on 27 May 2021.
In August 2023, following an inspection by the Care Inspectorate, the Birthlink Board became aware that irreplaceable items had in fact been destroyed as part of the overall record destruction and reported the incident to the ICO.
The subsequent investigation found at the time of the breach there was a limited understanding of data protection law at the charity, which had not implemented relevant policies and procedures or appropriately trained its staff. The ICO also found that, despite concerns being raised about shredding people’s photographs and cards at the time of destruction, the task continued. In addition, poor recordkeeping meant Birthlink were unable to identify people affected by the breach.
Due to the serious nature of the breach, the ICO concluded a fine was appropriate and after considering representations from the charity reduced the amount from £45,000 to £18,000. Since the breach occurred, the charity has implemented improvements, including digitally recording and storing all physical records, appointing a data protection officer and initiating staff training.
An investigator for the police complaints watchdog has pleaded guilty to unlawfully obtaining sensitive personal data.
Mohammed Ejaz, 42, from Bradford, worked for the Independent Office for Police Conduct (IOPC), which is responsible for investigating the most serious complaints and conduct matters involving the police. This includes cases where there is an indication that police contact (direct or indirect) may have caused or contributed to a death.
Following an Information Commissioner’s Office (ICO) investigation, Ejaz pleaded guilty at a hearing on 15 July at Leeds Crown Court to unlawfully obtaining personal information.
Ejaz, a lead IOPC investigator, sent an email to his private Hotmail account containing restricted, sensitive information. This included recordings of
999 calls, which had been referred to the IOPC and were related to an incident that resulted in death.
He has been fined £200 and ordered to pay £2,000 costs.
ICO Head of Investigations, Andy Curry, said:
“It is only right that people expect the information they provided to the IOPC to be treated with integrity and professionalism. Ejaz clearly abused the position of trust he had been given by the IOPC in the way he misused this highly sensitive information.
“We hope this successful prosecution makes other employees in such positions realise they cannot take advantage of the trust placed in them by their employers and members of the public.”
Latest release of Cabinet Office and Prime Ministers’ papers
The National Archives have digitised 200 files which have been released by the Cabinet Office.
This release includes previously retained files from the Prime Minister’s Office covering Tony Blair ’s administration. It also includes records from the administrations of Margaret Thatcher and John Major
The files are available to search via the National Archive’s online catalogue – Discovery.
New guidance on disclosing documents to the public New accreditation awards to archive services
The Information Commissioner’s Office (ICO) has published new guidance to help organisations disclose documents securely
From public authorities handling freedom of information requests to organisations responding to subject access requests, many need to regularly disclose documents containing large amounts of information to the public.
Personal information can be hidden or not immediately visible in documents. If they are not checked properly, it may be disclosed by accident –sometimes with serious consequences.
The guidance includes practical steps and howto videos to help organisations understand how to check documents, including spreadsheets, for hidden personal information and reduce the risk of a data breach.
Emily Keaney, Deputy Commissioner at the ICO, said:
“We have seen a number of serious data breaches, including at the Police Service of Northern Ireland and the Ministry of Defence, which have involved documents being disclosed without proper checks for hidden personal information – this crucial step cannot be missed.
“All organisations must have robust measures in place to protect the personal information they hold and prevent it from being inadvertently disclosed. We are committed to providing clear guidance to help organisations get this right, reducing the margin for mistakes and making it second nature to check documents for hidden personal information.”
The new guidance includes checklists and how-to videos, covering topics such as:
• deciding an appropriate format for disclosure to the public
• finding various types of hidden personal information, including hidden rows, columns and worksheets, metadata and active filters
• converting documents to simpler formats to reveal hidden data
• avoiding using ineffective techniques to keep information secure
• using software tools designed to help identify hidden personal information (such as Microsoft Document Inspector)
• reviewing the circumstances of a breach to prevent a recurrence
• removing and redacting personal information effectively
While the guidance is designed to support organisations with disclosing documents to the public, the practical advice will also help all organisations avoid accidental data breaches in any situation where they are disclosing or sharing documents.
The regulator also has a wealth of guidance on data sharing, including a Code of Practice, to help organisations sharing personal information.
Read the new guidance here.
Following a recent Archive Service Accreditation Panel, the UK Archive Service Accreditation Committee is pleased to announce that the following archive services have been accredited for the first time:
• Science and Industry Museum
• North Lanarkshire Archives
The Science and Industry Museum is part of the Science Museum Group. Their archive holdings support the work of the museum in inspiring audiences with the past, present and future of STEM.
The archive collections include incredible textile sample books, including the Calico Printers Association collection, material from creative music industry in the city that formed the Use Hearing Protection exhibition, and significant works relating to industry from the city such as the Ferranti archive from the Manchester-based company who changed the face of electronics by manufacturing the first commercially available computer.
The archives also hold significant material relating to the historic site of the museum, which is home to the grade I listed passenger railway station and 1830 Warehouse, both first examples of their kind. The archives continue to acquire material from science and industry in the North West.
Sally MacDonald, director, said: “This achievement signifies the specialist work that goes into caring for our incredible archive collections, which support so much of our activity at the museum. We look forward to using this standard to continue to improve our archival offer for our users.”
The records in the North Lanarkshire Archives’ collection date from the 16th to the 21st century and tell of the transformation from an agricultural area to one of Scotland’s main centres of manufacturing and heavy industry, and through to the post-industrial era. Thanks to an Archives Revealed grant, they are currently cataloguing and promoting their Cumbernauld New Town collection.
Heather Liddle, Active and Creative Communities Manager at North Lanarkshire Council, said: “We are delighted that the panel has acknowledged the impressive service offer and successful collaborative working with our partners. The team has shown great commitment to continuous improvement and worked tirelessly to achieve the standards required for this award.”
Find out more about Archive Service Accreditation
European Commission brings use of Microsoft 365 into compliance with data protection rules for EU institutions and bodies
Following enforcement proceedings by the European Data Protection Supervisor (EDPS), the European Commission has demonstrated compliance with Regulation (EU) 2018/1725 in relation to its use of Microsoft 365 as examined by the EDPS. This follows the EDPS’ Decision of 8 March 2024, which identified a number of infringements and imposed corrective measures on the Commission.
After receiving a compliance report in December 2024, the EDPS held several discussions with the Commission services to obtain necessary clarifications. On that basis, and in particular following the Commission’s letter of 3 July 2025 on additional measures implemented and scheduled by the Commission and Microsoft, the EDPS has concluded in their letter of 11 July that the infringements identified in the EDPS’ 2024 Decision have been remedied.
Wojciech Wiewiórowski, Supervisor, said: “Thanks to our thorough investigation, and the Commission’s follow-up, we have jointly contributed to a significant improvement of data protection compliance in the Commission’s use of Microsoft 365. We also acknowledge and appreciate Microsoft’s efforts to align with the Commission’s requirements stemming from the EDPS decision of March 2024. This is a meaningful and shared success, and a strong signal of what can be achieved through constructive cooperation and effective supervision.”
The key improvements and compliance measures applied by the Commission include:
Purpose limitation: The Commission has explicitly specified the types of personal data processed and the purposes of
processing in its use of Microsoft 365. Through updated contractual, technical, and organisational measures, it has ensured that Microsoft and sub-processors process data solely based on documented instructions and only for specified purposes in the public interest. The Commission has also ensured that further processing is carried out, within the European Economic Area (EEA), as required by EU or Member State law, or, outside of the EEA, in compliance with third-country law that ensures a level of protection essentially equivalent to that in the EEA.
Transfers to third countries: The Commission has also determined the specific recipients and purposes for which personal data in its use of Microsoft 365 is allowed to be transferred, and ensured compliance with Article 47 of Regulation (EU) 2018/1725. This is complemented by technical and organisational measures implemented by the Commission and Microsoft, thereby reducing the possibility for transfers to third countries not covered by an adequacy decision to occur. Transfers outside the EU/EEA are now limited to countries listed in the amended contract and rely either on adequacy decisions or the derogation for important reasons of public interest, as per Article 50(1)(d) of Regulation (EU) 2018/1725. The Commission has also issued binding instructions to Microsoft and its sub-processors in that respect.
Disclosures and notifications: Additional contractual provisions ensure that only EU or Member State law may require that Microsoft or its sub-processors omit notification to the Commission of disclosure requests for
personal data in the Commission’s use of Microsoft 365 processed within the EEA, or that they disclose such data. For data processed outside the EEA, the same may be required under third-country law, as long as it provides essentially equivalent protection. All this complements the existing technical and organisational measures implemented by the Commission and Microsoft for personal data processed within and outside of the EEA.
Conclusion of proceedings: In view of the measures taken, the factual situation has substantially changed compared to the one examined in the EDPS Decision of 8 March 2024. As a result, the EDPS has found that the infringements found have been remedied, and has therefore closed its enforcement proceedings.
A signal to other EU institutions, bodies, offices and agencies
The Commission has made the recent improvements to the Inter-Institutional Licensing Agreement with Microsoft available to other EU institutions, bodies, offices and agencies (EUIs) that are contracting Microsoft 365 under this contract.
Wojciech Wiewiórowski, Supervisor, said: “The EDPS welcomes such a proactive approach of the Commission in its role of the lead contracting authority to assist other EUIs. The EDPS calls on other EUIs that are considering or already using Microsoft 365 services, to carry out similar assessments and to implement technical and organisational measures comparable to those adopted by the Commission. Such measures are necessary to ensure compliance with Regulation (EU) 2018/1725.”
The EDPS also notes that these proceedings focused on specific provisions of Regulation (EU) 2018/1725. Their closure does not imply that the EDPS has assessed or confirmed the Commission’s overall compliance with other provisions of the Regulation that were not part of this examination.
New assurance initiatives to help boost confidence in cyber resilience
The National Cyber Security Centre (NCSC) – a part of GCHQ – has announced two initiatives to help improve national cyber resilience.
The new Cyber Resilience Test Facilities (CTRFs) programme is developing a national network of assured facilities, which will allow technology vendors to demonstrate the cyber resilience of their products in a consistent and structured way, enabling independent audits and assessments by public and private sector organisations, including the UK Government.
The NCSC will also be launching a new scheme for Cyber Adversary Simulation (CyAS) in early summer. Companies assured under the CyAS scheme will deliver services to test an organisation’s cyber resilience, including their ability to prevent, detect and respond to simulated cyberattacks.
Both of these initiatives were formally announced at this year’s CYBERUK, the government’s flagship cybersecurity conference.
Find out more about CRTFs by visiting the NCSC’s Cyber Resilience Testing pages.
UK critical systems at increased risk from ‘digital divide’ created by AI threats
Over the next 2 years, a growing divide will emerge between organisations that can keep pace with artificial intelligence (AI) enabled threats and those that fall behind – exposing them to greater risk and intensifying the overall threat to the UK’s digital infrastructure, cyber chiefs have warned.
A new report launched by Pat McFadden, the Chancellor of the Duchy of Lancaster, at the National Cyber Security Centre’s (NCSC) CYBERUK conference, outlines how AI will impact the cyber threat from now to 2027, highlighting how AI will almost certainly continue to make elements of cyber-intrusion operations more effective and efficient.
It warns that, by 2027, AI-enabled tools are set to enhance threat actors’ ability to exploit known vulnerabilities, adding that, whilst the time between disclosure and exploitation has already shrunk to days, AI will almost certainly reduce this further, posing a challenge for network defenders.
The report also suggests that the growing incorporation of AI models and systems across the UK’s technology base, particularly within critical national infrastructure and where there are insufficient cybersecurity controls, will almost certainly present an increased attack surface and opportunities for adversaries.
As AI technologies become more embedded in business operations, organisations are being urged to act decisively to strengthen cyber resilience and mitigate against AI-enabled cyber threats.
View ‘The impact of AI on cyber threat – from now to 2027’ assessment.
Digital Preservation Coalition Prospectus 2025–2026 now available
The Digital Preservation Coalition (DPC) is delighted to share its new program of activities for 2025–2026. The prospectus is the DPC’s road map for the year ahead – an ambitious, communitydriven plan, which outlines upcoming publications, training opportunities, webinars, specialist briefings and a wealth of supporting resources. Shaped by the evolving needs of DPC members, it is designed to empower and support the global digital preservation community. Accessible in multiple languages and time zones, the program ensures that no matter their location, members of the digital preservation community can stay informed, connected and equipped for the challenges ahead.
“By uniting institutions from a rich diversity of sectors, domains and countries, we’re building a powerful, collective community of digital preservation practice,” says Sarah Middleton, Chief Community Officer for the DPC. “Our goal is to equip the global community with the tools, resources, support and skills needed to safeguard our digital memory for the long term.
“With the DPC now firmly established in the Americas, Australasia and the Asia-Pacific region, and with 178 members across 26 countries, this new prospectus represents a strong, global commitment. It introduces a regular program of thematic and recurring events tailored to time zones across Australasia and Asia-Pacific, Europe and Africa, and the Americas – ensuring that knowledge, expertise and opportunity are accessible to all, wherever they are in the world.”
Download a copy of the DPC Prospectus 2025–2026.
Appointment of Naomi Korn Associates as consultant to develop generally recognised standards for the data protection purpose of “archiving purposes in the public interest”
In May 2025, following the introduction of the Data (Use and Access) Bill into the UK Parliament, the Archives and Records Association (ARA) noted the requirement to agree “generally recognised standards” relating to the data protection purpose of “archiving purposes in the public interest”.
Together with other sector bodies, ARA agreed to commission a specialist consultant to draft the generally recognised standards with the support of data protection specialists from the archive and records management sector. The proposal involves the sector and leading sector organisations to ensure that the resulting standards are adopted across the sector without objection.
The following partner organisations have all agreed with this proposal:
The UK National Archives National Records of Scotland Public Record Office of Northern Ireland
Welsh Government Culture Division
Information and Records Management Society
Business Archives Council
Scottish Council on Archives
Archives and Records Council Wales
British Records Association
The Information Commissioner’s Office has confirmed its support and will be involved as a consultee.
Naomi Korn Associates has now been appointed as the consultant, and they will now draft what will become the generally recognised standards. The organisations listed above will provide input via nominated archivists and records managers with detailed and practical knowledge of data protection and archives and records. These representatives will be available for guidance and comment at the start of the project, at the interim report stage and at the final report stage.
South Yorkshire Police reprimanded following deletion of body-worn video evidence
The Information Commissioner’s Office (ICO) has reprimanded South Yorkshire Police (SYP) after the force deleted over 96,000 pieces of body-worn video (BWV) evidence.
The investigation found SYP did not have the appropriate technical and organisational measures in place to keep the evidence secure, including:
delaying the formulation of IT backup policies and not escalating to senior management when flaws were discovered in 2019;
poor recordkeeping, meaning it could not confirm how many pieces of footage were permanently lost; and
not identifying the security risk in relation to transferring of personal data between IT systems.
Sally Anne Poole, Head of Investigations said:
“This incident highlights the importance of having detailed policies and procedures in place to mitigate against the loss of evidence.
“People rightly have high expectations that our police forces and services, which protect us, also protect the personal information they hold.
“There is a lot to be learned from this incident and I encourage police forces and services and other organisation using this type of technology to check and make improvements where they find potential flaws”.
What happened?
At the end of each shift, officers’ BWV footage was uploaded and stored to a central hub, which could be accessed and managed, along with all of SYP’s digital evidence, via a secure system.
Following an upgrade in May 2023, the secure system began to struggle processing BWV data and a local drive workaround was put in place.
In August 2023, SYP identified that its BWV file storage was very low and further investigation found that 96,174 pieces of original footage had been deleted from its system.
The following month, it was found the deletion had taken place on 26 July 2023 and included the loss of data relating to 126 criminal cases; only three of the cases were impacted by the
loss. Of those three cases, SYP states one may have progressed to the first court hearing if BWV had been available. However, as there was no additional independent evidence to prove the offence, progression to prosecution stage was already uncertain.
Prior to the deletion, 95,033 pieces of BWV footage had been copied to a new system that SYP was implementing but, due to poor record keeping, SYP remain unable to confirm the exact number of files deleted without copies made.
The ICO have a dual role of enforcer and educator, and in issuing the reprimand have set out a number of actions it recommends SYP takes:
Ensure there is an adequate storage backup solution and process to restore lost BWV footage.
Continue to shadow third parties when accessing SYP IT systems.
Define third-party roles and responsibilities when processing personal information held on SYP IT systems.
Complete a risk assessment to determine security implications and control requirements prior to permitting third party access to SYP IT systems.
Ensure all records are marked in a clear, identifiable way.
These should also act as prompts to all police forces and services who use BWV to check and improve, where necessary, data protection practices.
World Digital Preservation Day 2025
Save the date for World Digital Preservation Day (WDPD) on Thursday 6 November 2025 and join individuals and institutions from across the globe in a celebration of digital preservation!
Organised by the Digital Preservation Coalition (DPC) and supported by digital preservation networks around the globe, WDPD is open to participation from anyone interested in securing our digital legacy – across all sectors and geographic locations.
This year’s theme Why Preserve? invites digital preservation practitioners to explore the diverse motivations behind digital preservation efforts. The DPC are encouraging organisations to reflect on their unique reasons to preserve their digital collections, to share their stories, and to transform those insights into compelling advocacy messages that resonate with diverse audiences. This WDPD theme will identify and highlight the current digital preservation landscape, outline a path forward and invite the community to unite in answering a powerful question: Why Preserve?
In an exciting development on WDPD on Thursday 6 November, alongside the iPRES 2025 conference (3–7 November) in Wellington, the DPC will launch a global ‘Why Preserve?’ campaign, equipping the global digital preservation community with compelling advocacy messages and resources to advocate for the importance of preserving our digital assets. The day will also see the release of an updated Global Bit List of Endangered Digital Species, spotlighting the digital materials most at risk of loss.
is
coming!
Get involved! Share your unique preservation story through blog posts, social media updates, creative activities, or by organising an event. From baking digital preservation-themed treats to creating preservation-inspired music or hosting webinars - there are countless ways to participate. More information and inspiration will follow soon on the DPC website <www. dpconline.org >.
WDPD is just one of the ways the DPC helps to raise awareness of the strategic, cultural, and technological issues which make up the digital preservation challenge. The DPC also supports members through other advocacy activities, workforce development, and partnerships, helping members to deliver resilient long-term access to digital content and services and derive enduring value from their digital collections.
A detailed program and more information about WDPD2025 will be issued over the coming months. For all the latest updates, visit the WDPD page on the DPC website, follow the hashtag #WDPD2025 on social media or contact < sarah. middleton@dpconline.org > for more details.
Latest offerings from our Training Partners
For full details of all the courses, including course description and cost, please visit: <https://irms.org.uk/page/ThirdPartyTrainingProviderCourses> And don’t forget to take advantage of your fantastic IRMS member discount.
Advanced Data Protection Training for IG Leads
Developing Your Role as a Senior Information Risk Owner (SIRO)
BCS Practitioner Certificate in Scottish Public Sector Records Management
Conducting Data Protection Impact Assessments
BCS Practitioner Certificate in Data Protection
Tkm Diploma in Managing Data Protection Compliance
Privacy by Design: Data Protection Impact Assessments (DPIAs)
Information Security and Data Breach Management
Data Protection Essentials
Data Protection Rights (Focused on Data Subject Access Requests)
Training delivery can be virtual or in house. From a group of 4 and can be recorded
Training delivery can be virtual or in house. From a group of 4 and can be recorded Training delivery can be virtual or in house. From a group of 4 and
An Overview of The Freedom of Information Act and Environmental Information Regulations
Information Security and Data Breach Management
Data Protection/ Information Architecture/ Information Law (Governance)/ Records Management
Data Protection/ Information Law (Governance)/ Records Management
Data Protection/ Information Law (Governance) Data Protection/ Information Law (Governance)
4
Certified Information Privacy Technologist Certified Information Privacy Manager
Certified Information Privacy Professional Europe (CIPP/E)
Certified Information Privacy Professional Europe (CIPP/US)
Essential Cyber Security Training
Law (Governance)
Law (Governance)
(Governance)
Working Together: Combined Course for Senior information Risk Owners, Caldicott Guardians and Data Protection Officers: Half day
Responding to Subject Access Requests for Health & Social Care
Data Protection Officer in Health and Social Care: What Good Looks Like
or in house. From a group of 4 and can be
or 2 days onsite + unlimited 1-2-1 coaching and exam preparation
x 4
online sessions, or 2 days onsite + unlimited 1-2-1 coaching and exam preparation
diary Dates
IRMS Events
IRMS North Group: Are we the guardians of responsible AI
8 September 2025
Time: 11:00–12:00
Location: Online webinar
IRMS Public Sector Group: What Does Good Records Management Look Like?
17 September 2025
Time: 13:00–14:00
Location: London
IRMS Public Sector Group: Records Management Basics
23 July 2025
Time: 13:00
Location: Online webinar
IRMS London Group – Monthly Drinks and Networking Event
18 September 2025
Time: 18:00–21:00
Location: London
IRMS North & Wales
3 October 2025
Time: 10:00–16:00
Location: Manchester
IRMS Public Sector Group: A Practical Session on Managing Records in M365
16 October 2025
Time: 13:00–14:00 Location: Online webinar
IRMS Public Sector Group: A Practical Session on Managing Records in M365
16 October 2025
Time: 13:00–14:00
Location: online
IRMS London Group – Monthly Drinks and Networking Event
16 October 2025
Time: 18:00–21:00
Location: London
new members September 2025
There have been 303 new members since January 2025
IRMS London Group –Monthly Drinks and Networking Event
20 November 2025
Time: 18:00–21:00
Location: London
IRMS Conference 2026
17–19 May 2026
Location: Celtic Manor Resort, Newport
Peter Ngamate
Eugene Amoo-Sargon
individual members
Arlette Walls
Jenny Moran
Tamara Anderson corporate members