Information Security Policy

5. Staff roles and responsibilities

5.1. The Commission

The Commission, as a corporate entity, is ultimately responsible for the security of all corporate and casework information and will hold the Executive Team to account for the application of the principles and procedures set out in this policy. 

5.2. The Senior Information Risk Owner (“SIRO”)

The Director of Investigation is the SIRO and is responsible for managing information risks, including:

  • maintaining and reviewing the regime for compliance with, and review of, this policy
  • leading and fostering a culture that values, protects and uses information for the public good
  • ensuring the risk policy is complete – covering how the organisation implements at least the minimum mandatory measures
  • ensuring that risk assessment is completed at least quarterly
  • based on the risk assessment, understanding what information risks there are and ensuring they are addressed
  • incorporating annual assessments of performance into the information risks aspects of the Accounting Officer’s statement of internal control.  

5.3. Data Protection Officer (“DPO”)

The Head of Policy and Communications is the DPO and is responsible for:

  • providing information and advice to the organisation and employees on their data protection obligations, including in relation to data breach incidents
  • monitoring compliance with UK GDPR and the DPA18, and the LGSCO’s policies on data security, including assigning responsibilities, staff training and audits
  • providing advice where requested on data protection impact assessment and monitoring performance in relation to these being carried out
  • acting as the contact point with the Information Commissioner’s office, and cooperating with them, on data protection issues
  • acting as the point of contact for data subjects who wish to exercise any of their rights under GDPR

In the performance of the above, the DPO shall have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

The DPO is responsible for logging security breaches, for involving others in their investigation as appropriate, and for reporting incidents regularly to the Information Working Group.

5.4. Information Asset Owners (“IAOs”)

Senior named individuals are IAOs for each identified information asset (defined as data sets, databases and/or ICT systems). IAOs: 

  • Determine which of the staff under their control are given access to which information systems. 
  • Promote a culture of compliance with the policy.
  • Provide assessments on the use and security of the information assets for which they are responsible (see Audit and review).
    • The assessments should cover adherence to this policy and highlight any areas of concern.  

The following are IAOs:

  • Director of Investigation is the IAO for all data held on ECHO.  
    • The Director of Intake and Assessment and the Assistant Ombudsmen are delegated IAOs for casework material managed by their teams. 
  • The Operational Support Manager will provide a secure physical environment for the storage of information. They will maintain, review and implement safe and effective access and security arrangements for premises and provide appropriate secure physical storage for information and equipment. The Operational Support Manager is IAO for facilities records including health and safety.
  • The IT Manager has responsibility for assessing and addressing security risks to computer and other IT assets, and the information held or transmitted by them. They will conduct regular reviews and tests of security of such assets and electronic information and provide advice and guidance to users. The IT Manager is the IAO for information technology records.
  • The HR Business Partner, the Head of Policy and Communications, the Communications Manager, the Policy and Stakeholder Relations Manager, the Head of Finance, the Director of Intake and Assessment, and the Committee and Governance Clerk are IAOs, respectively, for human resources records, policy and communications records, finance records, legal records and executive records.

5.5. Information and Records Officer (“IRO”)

The IRO helps run the Information Working Group, and is responsible for amending the policy and procedures as directed. They will maintain the Information and Personal Data Asset Register and chase progress as necessary. They also have day to day responsibility for dealing with access to information requests (see Policy on Access to Information).

5.6. Line managers

Line managers must ensure the staff under their direction apply the principles and procedures set out in this policy, as appropriate, and handle information in a manner consistent with it. Managers should use the disciplinary policy when an individual repeatedly fails to adhere to the policy. 

Line managers will ensure every new user reads this policy on their first day before accessing LGSCO IT systems. Line managers will ensure new employees sign to say they have done so, and pass the completed confirmation form to HR.

See also Procedure for new users and leavers.

5.7. Investigators and other case owners

To ensure information is not mistakenly disclosed, Investigators and other case owners are responsible for ensuring any case information which may not be disclosable to others is saved in ECHO at the earliest opportunity, to the DO NOT DISCLOSE virtual folder with DO NOT DISCLOSE in the record’s title.

5.8. All staff

All staff must understand and apply the principles and procedures set out in this policy, as appropriate, and handle information in a manner consistent with it. They should also be aware of, and adhere to, our Social Media Policy and Email and Calendar Policy.
