Hi Paul,
I work for a non-departmental public body (which coincidentally is also a charitable body) and I am asking and investigating the exact same issue.
We had some advice from our sponsoring Government department who stated it is ultimately up to the organisation as to how much of a risk appetite it has but it should ultimately be signed off by the organisation's SIRO.
At the moment I am building a picture/map of how much personal data is being sent via post to see just how many forms etc. are in transit. We will then take a view on what practice is acceptable (e.g. perhaps single items are ok, multiple items must go recorded). Our sponsoring department takes a very low risk view and pretty much sends everything via "track and trace".
I am not sure which path we will take at this stage but would be interested to know how others tackle this and also what you learn.
Regards
Mark