Five skeleton templates for docs/compliance/templates/. Each has YAML frontmatter (status: template, playbook-section), a "not code-enforced" banner, and [FILL IN:] markers throughout. password-policy banner cites ADR-025 §Deferred items by number (MFA + password policy + lockout deferral). Cross-template relative links all resolve.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
status: template
playbook-section: 60
title: Staff Onboarding Checklist (Data Access & Security)
last-reviewed: "[FILL IN: YYYY-MM-DD]"
---

# Staff Onboarding Checklist (Data Access & Security)
> Template status — fill every `[FILL IN: …]` marker before use.

> Not code-enforced — this checklist documents HR and operational controls. Access provisioning, policy acknowledgement, and training completion are tracked outside the application codebase by [FILL IN: HR system / identity provider / ticketing tool]. The consumer is responsible for integrating this checklist into their onboarding workflow.
## 1. Purpose & Scope

This checklist ensures that every new employee, contractor, or third party with access to [FILL IN: organisation name]'s systems completes the required security, privacy, and data-access steps before handling personal data.
Owner: [FILL IN: role — e.g., HR / People Ops + Engineering Lead]
## 2. Before First Day

| # | Task | Owner | Done |
|---|---|---|---|
| 1 | Role-based access list agreed with hiring manager | [FILL IN: e.g., HR] | ☐ |
| 2 | Identity-provider account created (IdP: [FILL IN: provider name]) | [FILL IN: e.g., IT] | ☐ |
| 3 | Device provisioned and MDM-enrolled (see [device-policy.template.md](device-policy.template.md)) | [FILL IN:] | ☐ |
| 4 | NDA / data-processing agreement signed | [FILL IN: e.g., HR] | ☐ |
| 5 | Emergency contact and DPO contact shared with new hire | [FILL IN: e.g., HR] | ☐ |
## 3. Day 1 — Security & Privacy Orientation

| # | Task | Owner | Done |
|---|---|---|---|
| 1 | Complete data-protection / GDPR awareness training: [FILL IN: course name / platform] | New hire | ☐ |
| 2 | Read and acknowledge: Acceptable Use & Device Policy (see [device-policy.template.md](device-policy.template.md)) | New hire | ☐ |
| 3 | Read and acknowledge: Password & Authentication Policy (see [password-policy.template.md](password-policy.template.md)) | New hire | ☐ |
| 4 | Set up MFA on IdP account: [FILL IN: MFA method + instructions URL] | New hire + IT | ☐ |
| 5 | Access to production systems ([FILL IN: systems list]) granted at minimum-privilege level | [FILL IN: e.g., IT / Lead] | ☐ |
## 4. First Week — System Access Provisioning

| # | System / tool | Access level | Approver | Done |
|---|---|---|---|---|
| 1 | [FILL IN: e.g., GitHub org] | [FILL IN: e.g., member / write] | [FILL IN: engineering lead] | ☐ |
| 2 | [FILL IN: e.g., Payload CMS admin] | [FILL IN: e.g., editor / admin] | [FILL IN:] | ☐ |
| 3 | [FILL IN: e.g., cloud console] | [FILL IN: e.g., read-only / scoped] | [FILL IN:] | ☐ |
| 4 | [FILL IN: e.g., monitoring / Sentry] | [FILL IN: e.g., member] | [FILL IN:] | ☐ |
| 5 | [FILL IN: e.g., HR / payroll system] | [FILL IN:] | [FILL IN:] | ☐ |
| 6 | [FILL IN: any other system] | [FILL IN:] | [FILL IN:] | ☐ |
## 5. First 30 Days — Compliance Acknowledgement

| # | Task | Done |
|---|---|---|
| 1 | Confirm receipt of this organisation's privacy notice (staff version) | ☐ |
| 2 | Complete any role-specific data-handling training: [FILL IN: e.g., PCI / HIPAA if applicable] | ☐ |
| 3 | 30-day check-in with manager on access requirements (reduce if not needed) | ☐ |
## 6. Record-Keeping

Completed checklists are stored in [FILL IN: location — e.g., HR system / personnel file] and retained for [FILL IN: e.g., the duration of employment + 2 years].
## 7. Review Cycle

This checklist is reviewed [FILL IN: frequency — e.g., annually or when systems change]. The next scheduled review is [FILL IN: YYYY-MM-DD].