Helen Jones, Strategic Director Adult Social Care and Health.
The Caldicott Guardian should act as the conscience of the organisation, ensuring that both legal and ethical considerations are taken into account, particularly when deciding whether to share confidential information.
The responsibilities fall into 3 main categories:
- strategic role - the strategic role covers both governance and the promoting of an appropriate culture within the organisation
- advisory role - providing advice on information sharing and confidentiality issues and, in particular, being an arbiter when there is disagreement about a process potentially impacting on information sharing or confidentiality
- operational role - concerned with how information is processed within the organisation and with whom it is shared outside the organisation
The Caldicott Guardian shall receive training as necessary to ensure they remain effective in their role.
Senior information risk owner (SIRO)
Peter Handford, Director of Finance and ICT.
- take the lead on delivering risk management and security strategy in the council and assist corporate management team (CMT) in the delivery of this including chairing the information governance group (IGG)
- provide support where appropriate to the Caldicott Guardian and DPO in all aspects of information security
- oversee the information security function within the broader information governance team
- oversee incident management and risk management
- oversee security management and reporting
- provide advice on government and best practice security standards and practices to help combat security threats
- oversee maintenance of ISO 27001 standard and alert senior management and IGG to areas of potential non-compliance
The SIRO shall receive training as necessary to ensure they remain effective in their role.
Data protection officer (DPO)
Jane Lakin, Assistant Director of Legal.
Accountable to the council via corporate management team to:
- inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws
- monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments, train staff and conduct internal audits
- be the first point of contact for supervisory authorities and for individuals whose data is processed
The DPO shall receive training as necessary to ensure they remain effective in their role.