Mandatory HMRC Business Authorising Officer Reviews: Review Room Content & GPMS Markings
This is a mandatory review for the HMRC Business Authorising Officer (BAO) andmust be carried out at 6 monthly intervals (or more frequent where required) beforesigning the BAO Certificate of Assurance SW03605.
The aim of the ‘Room Content’ review is to ensure that
- all items are stored in the right place, with the correct access controls and relate to the agreed business purpose
- all items have a GPMS marking of RESTRICTED or below (for more information see the S&BC web site ‘Protective Markings for Personal Data’).
The extent of the Review
Depending on the amount of content in a Room it may not be practical for the BAO toreview all content that has been added to the Room since the last review.
But all reviews must be of a sufficient level to satisfy the BAO that items contained inthe Room comply with SW and HMRC policies.
As a minimum standard, the BAO must review a sample of items that have been added duringeach month since the last review. Each monthly sample must include items that have been
- added by HMRC Members
- added by Customer Members (for Customer Rooms)
- added to all types of items (including folders, documents, discussions, calendars, databases etc).
The BAO will need to consider the complexity, frequency of use, membership and purposeof the Room in determining the extent of the review.
The BAO should contact the HMRC Members’ manager or Customer Nominated Contact whereany learning requirements have been identified by the review.
Room Content Incorrect
Where the Room does not comply with SW and HMRC policies the BAO must take immediatecorrective action. Until all issues are resolved, the Certificate of Assurance must not becompleted and the BAO should consider locking the Room, where appropriate SW06300.
Further guidance is available in the HMRCBAO Online Learning Package (prospectus item code 0010372)