---
status: template
playbook-section: 60
title: "Staff Onboarding Checklist (Data Access & Security)"
last-reviewed: "[FILL IN: YYYY-MM-DD]"
---

# Staff Onboarding Checklist (Data Access & Security)

> **Template status** — fill every `[FILL IN: …]` marker before use.
>
> **Not code-enforced** — this checklist documents HR and operational controls. Access provisioning, policy acknowledgement, and training completion are tracked outside the application codebase by `[FILL IN: HR system / identity provider / ticketing tool]`. The consumer is responsible for integrating this checklist into their onboarding workflow.

---

## 1. Purpose & Scope

This checklist ensures that every new employee, contractor, or third-party with access to `[FILL IN: organisation name]`'s systems completes the required security, privacy, and data-access steps before handling personal data.

**Owner:** `[FILL IN: role — e.g., HR / People Ops + Engineering Lead]`

---

## 2. Before First Day

| # | Task | Owner | Done |
| --- | --- | --- | --- |
| 1 | Role-based access list agreed with hiring manager | `[FILL IN: e.g., HR]` | ☐ |
| 2 | Identity-provider account created (IdP: `[FILL IN: provider name]`) | `[FILL IN: e.g., IT]` | ☐ |
| 3 | Device provisioned and MDM-enrolled (see [`device-policy.template.md`](./device-policy.template.md)) | `[FILL IN:]` | ☐ |
| 4 | NDA / data-processing agreement signed | `[FILL IN: e.g., HR]` | ☐ |
| 5 | Emergency contact and DPO contact shared with new hire | `[FILL IN: e.g., HR]` | ☐ |

---

## 3. Day 1 — Security & Privacy Orientation

| # | Task | Owner | Done |
| --- | --- | --- | --- |
| 1 | Complete data-protection / GDPR awareness training: `[FILL IN: course name / platform]` | New hire | ☐ |
| 2 | Read and acknowledge: Acceptable Use & Device Policy (see [`device-policy.template.md`](./device-policy.template.md)) | New hire | ☐ |
| 3 | Read and acknowledge: Password & Authentication Policy (see [`password-policy.template.md`](./password-policy.template.md)) | New hire | ☐ |
| 4 | Set up MFA on IdP account: `[FILL IN: MFA method + instructions URL]` | New hire + IT | ☐ |
| 5 | Access production systems: `[FILL IN: systems list]` granted at minimum-privilege level | `[FILL IN: e.g., IT / Lead]` | ☐ |

---

## 4. First Week — System Access Provisioning

| # | System / tool | Access level | Approver | Done |
| --- | --- | --- | --- | --- |
| 1 | `[FILL IN: e.g., GitHub org]` | `[FILL IN: e.g., member / write]` | `[FILL IN: engineering lead]` | ☐ |
| 2 | `[FILL IN: e.g., Payload CMS admin]` | `[FILL IN: e.g., editor / admin]` | `[FILL IN:]` | ☐ |
| 3 | `[FILL IN: e.g., cloud console]` | `[FILL IN: e.g., read-only / scoped]` | `[FILL IN:]` | ☐ |
| 4 | `[FILL IN: e.g., monitoring / Sentry]` | `[FILL IN: e.g., member]` | `[FILL IN:]` | ☐ |
| 5 | `[FILL IN: e.g., HR / payroll system]` | `[FILL IN:]` | `[FILL IN:]` | ☐ |
| 6 | `[FILL IN: any other system]` | `[FILL IN:]` | `[FILL IN:]` | ☐ |

---

## 5. First 30 Days — Compliance Acknowledgement

| # | Task | Done |
| --- | --- | --- |
| 1 | Confirm receipt of this organisation's privacy notice (staff version) | ☐ |
| 2 | Complete any role-specific data-handling training: `[FILL IN: e.g., PCI / HIPAA if applicable]` | ☐ |
| 3 | 30-day check-in with manager on access requirements (reduce if not needed) | ☐ |

---

## 6. Record-Keeping

Completed checklists are stored in `[FILL IN: location — e.g., HR system / personnel file]` and retained for `[FILL IN: e.g., the duration of employment + 2 years]`.

---

## 7. Review Cycle

This checklist is reviewed `[FILL IN: frequency — e.g., annually or when systems change]`. The next scheduled review is `[FILL IN: YYYY-MM-DD]`.