4. Roles and Responsibilities
Data Controller
For the purpose of the DPA 2018 and UKGDPR, the data controller, registered with the Information Commissioner’s Office, is East Devon District Council.
Senior Information Risk and Monitoring Officer (SIRO)
East Devon District Council’s Senior Information Risk Officer has specific responsibility for managing information risks on behalf of the Chief Executive and Members of the council. The SIRO will chair the Information Governance Board.
Information Governance Board
Provides direction and guidance across the organisation for data protection and information governance activities, including the production by the Board of an annual report to Committee.
Information Governance Working Group
Consists of officers at Assistant Director level who meet regularly to discuss and coordinate data protection and information governance activities at an operational level. This group is chaired by the Data Protection Officer.
Data Protection Officer (DPO)
Responsible for providing advice and guidance to officers and Members to ensure the council is compliant with its legal obligations in relation to DPA 2018 and UKGDPR. The DPO will report to the SIRO and will act as the link between services and the SIRO in matters relating to:
- supporting services in dealing with subject access requests or other requests relating to data subject rights under DPA 2018 and UKGDPR
- maintaining a personal data breach notification procedure, reviewing breaches and reporting back to services and the SIRO
- supporting services in the completion of DP Impact Assessments and data sharing agreements
- supporting the SIRO in ensuring staff and Members are trained and aware of their obligations under DPA 2018 and UKGDPR
Information Asset Owners – Assistant Directors (ADs) or equivalent
Information Asset Owners have responsibility for ensuring that their service areas are compliant with the principles of DPA 2018 and UKGDPR when processing personal data. This includes, but is not limited to:
- Ensuring personal data is processed in accordance with relevant privacy notice(s) and in compliance with data sharing agreements and contractual obligations
- Providing relevant service specific training and guidance to staff
- Ensuring the completion of DP Impact Assessments, with advice from the DPO, as needed
- Making sure staff are aware of the procedure for reporting suspected data breaches
Information Asset Owner for data derived from the Department for Work and Pensions
The information asset owner for this data will be the Assistant Director for Revenues, Benefits and Customer Services.
All Staff
All staff have a responsibility to ensure that they comply fully with DPA 2018 and UKGDPR. It is a criminal offence to knowingly or recklessly obtain or disclose personal data. Staff failing to comply with this policy could be subject to action under the council’s disciplinary procedure.
Strata Service Solutions
Strata Service Solutions provide the council with advice in relation to compliance with a suite of policies relating to information security. The responsibility for ensuring compliance with these policies rests with the SIRO for each of the partner authorities.