Employee Training & Awareness Policy
Reviewed: 29 January 2026
At a glance
- We provide mandatory onboarding and annual refresher training covering privacy, security, AML/fraud, health & safety and conduct.
- Role‑based modules (e.g., mailroom, verification, customer support) add hands‑on, job‑specific requirements.
Purpose
To set a structured training and awareness programme that ensures our people understand their responsibilities and can perform their roles safely, securely and lawfully, supporting customer trust and compliance with UK laws and industry standards.
Scope
This Policy applies to all UK Postbox workers and contractors with access to our premises, systems, data or customer mail. It covers onboarding, annual refreshers, role‑based training, awareness campaigns, simulations/exercises and recordkeeping.
Legal & standards alignment
Our programme aligns with:
- UK GDPR & Data Protection Act 2018 (training and awareness; Article 39 for DPO tasks); ICO guidance on staff training.
- MLR 2017 (as amended) requiring AML awareness for relevant staff; POCA 2002 (SAR/tipping‑off).
- Bribery Act 2010 (adequate procedures include training).
- Health and Safety at Work etc. Act 1974 and subordinate regulations (training for safe systems of work).
- Computer Misuse Act 1990 (acceptable use/security awareness).
- Modern Slavery Act 2015 (awareness in supply chains).
- Industry good practice (e.g., Cyber Essentials Plus, PCI DSS awareness for staff handling payments).
Roles & responsibilities
- Executive Sponsor: approves annual training plan, resources and KPIs.
- Compliance (Owner): defines curriculum; ensures legal alignment; runs audits and reports completion metrics.
- Security Lead: designs security modules (access control, phishing, incident reporting) and runs simulations.
- MLRO: designs AML/KYC modules, SAR process, sanctions awareness.
- HR/People: manages onboarding packs, reminders and performance escalations.
- Managers: ensure team completion on time; provide time and support for training.
- All staff: complete assigned training on schedule; keep knowledge current; follow policies.
Training framework
Mandatory baseline (all staff)
To be completed within 14 days of start and annually thereafter. Failure to complete baseline training within 14 days may result in restricted system access until training is completed (see "Assessments, attestation & escalation" below for the escalation steps). The baseline covers:
- Data protection & privacy: UK GDPR fundamentals, roles (controller/processor), data rights, incident reporting.
- Information security & acceptable use: passwords/MFA, phishing, device security, data handling, clear desk/screen, reporting to security@ukpostbox.com.
- AML/KYC & fraud awareness: red flags, SARs to MLRO, sanctions basics, address misuse, no tipping‑off.
- Health & safety: site rules, risk reporting, manual handling, DSE, emergency procedures.
- Modern slavery & human rights: spotting signs; reporting; supplier expectations.
- Code of Conduct & whistleblowing: conflicts, gifts/hospitality, social media, Speak Up reporting.
- Anti‑bribery and corruption: prohibited conduct, gifts/hospitality thresholds, reporting obligations.
- AI usage & data handling: approved tools only; no PII/mail content in public AI; human‑in‑the‑loop.
Role‑based modules (examples)
- Mailroom & operations: Mail Inspection & Handling, Restricted Goods, secure destruction (BS EN 15713), tamper‑evident custody.
- Support & customer success: identity verification procedures, sensitive data masking, vulnerable‑customer handling, complaint/escalation process.
- IT: secure SDLC, secrets management, vuln management & patching SLAs, code review, dependency/SCA, infrastructure security, incident response.
- Finance & billing: PCI awareness, payments fraud, expense fraud indicators, chargebacks, sanctions checks, handling of cash, postal orders and cheques.
- Sales & marketing: PECR & consent, cookie rules, claim substantiation, fair wording, accessibility.
- Compliance/MLRO/DPO teams: advanced GDPR/AML, DPIA/ROPA practice, investigations, regulator engagement.
Managers & leaders
- Leading by example, handling reports & investigations, fair discipline (ACAS), inclusive workplaces, risk‑based decision making, change management.
Simulations, drills & awareness
- Phishing simulations: at least quarterly with targeted refreshers for repeat clickers. Results are anonymised for reporting but individual follow-up training is provided where necessary.
- Incident tabletop exercises: annually for cross‑functional teams (security/privacy breach, BC/DR, carrier disruption).
- Awareness campaigns: periodic tips, Telegram nudges, Trust Centre spotlights (e.g., new policy updates).
- Mailroom spot checks: secure handling and custody checks, restricted‑goods drills.
Assessments, attestation & escalation
- Each module includes a knowledge check (e.g., quiz, scenario). Passing scores are set per module.
- Staff must attest to having read and understood key policies (e.g., Code of Conduct, Data Protection, AUP).
- Non‑completion triggers reminders at 7 and 14 days overdue; manager escalation at 21 days overdue; access restrictions may apply from 28 days overdue; and disciplinary steps thereafter per HR procedures.
Accessibility & inclusivity
- Training is provided in accessible formats (captions, transcripts, readable fonts/colour contrast).
- We make reasonable adjustments on request and consider language needs.
- Content is short, plain‑English and scenario‑based for better retention.
Records & retention
- Records: completion dates, scores, attestations, simulation results and exceptions.
- Retention: keep training records for 6 years after employment end (or longer where legally required/under legal hold). Records are retained in a manner that allows us to demonstrate training completion to regulators, auditors, and customers upon request.
Contractors & third parties
Contractors with access to our facilities, systems or data must complete baseline training (or provide evidence of equivalent training within the last 12 months) before access is granted. We may require role‑specific modules where risk warrants.
UK Postbox Limited
13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom
Support: support@ukpostbox.com
Security: security@ukpostbox.com
Legal notices: legal@ukpostbox.com
Data protection: dpo@ukpostbox.com
Complaints: complaints@ukpostbox.com
Accessibility: accessibility@ukpostbox.com
Website: www.ukpostbox.com
Registered in England and Wales Company Number: 06723381
MLR registration no: XLML00000192390
ICO registration no: ZA038907