Data Protection Officer

Caroline Smith made this Freedom of Information request to Renfrewshire Council

Automatic anti-spam measures are in place for this older request. Please let us know if a further response is expected or if you are having trouble responding.

The request was successful.

Dear Renfrewshire Council,

1. Could you let me know?

a. What position in the Council is designated as Senior Information Risk Owner (SIRO)?
b. The name of your Data Protection Officer (DPO)?
c. Job title of the DPO, if not just DPO?
d. If the DPO also has other duties, approximately how much of their time is spent on DPO work?
e. If the DPO has other responsibilities, has a risk assessment been carried out to ensure that any potential conflicts of interest as identified in the GDPR and the guidance from the European Data Protection Board are managed? If so, has this been reviewed in light of the recent decision of the Belgium Data Protection Authority (28 April 2020): https://edpo.com/news/dpo-and-conflict-o...
f. The line manager of the DPO – i.e. the post that the post holder reports to. Is it the SIRO?
g. Who the DPO reports to in their role as DPO if that differs from the line manager? Is it the SIRO?
h. At what spinal point is the DPO paid?
i. Key relevant qualifications that the DPO and SIRO hold or relevant training completed.

2. And could you provide the relevant extract of the Council’s Organisational Chart that shows the DPO, the DPO’s line manager, the post holder that the DPO reports to, the SIRO and Chief Executive?

Yours faithfully,

Caroline Smith

Sent request to Renfrewshire Council again, using a new contact address.

FOI, Renfrewshire Council

Dear Ms. Smith

Freedom of Information Application - Acknowledgement IG201019

Thank you for your enquiry, received by the Council on 1st September, 2020.

I am writing to inform you that your application for information is being dealt with under the provisions of the Freedom of Information (Scotland) Act, 2002. Section 10(1) of the Act stipulates that enquiries must be dealt with within twenty working days of receipt. However, we will endeavour to answer your enquiry as soon as possible.

Regards

Renfrewshire Council

Renfrewshire Council Website -http://www.renfrewshire.gov.uk

This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. Renfrewshire Council may, in accordance with the Telecommunications(Lawful Business Practice) (Interception of Communications) Regulations 2000, intercept e-mail messages for the purpose of monitoring or keeping a record of communications on the Council's system. If a message contains inappropriate dialogue it will automatically be intercepted by the Council's Internal Audit section who will decide whether or not the e-mail should be onwardly transmitted to the intended recipient(s).

Donna Cunningham, Renfrewshire Council

2 Attachments

Dear Caroline Smith

 

Freedom of Information (Scotland) Act 2002 (″the Act″)

 

Thank you for your request dated 17 August 2020.

 

Please find below the information requested:-

 

 

1. Could you let me know?
a. What position in the Council is designated as Senior Information Risk
Owner (SIRO)?

Renfrewshire Council’s SIRO is also the Council’s Director of Finance and
Resources.

b. The name of your Data Protection Officer (DPO)?

Allison Black

c. Job title of the DPO, if not just DPO?

Managing Solicitor (DPO)

 

d. If the DPO also has other duties, approximately how much of their time
is spent on DPO work?

In terms of the Council’s Information Governance Strategy and Framework,
although the SIRO has overall responsibility for information governance,
day to day responsibility for driving the Council’s information governance
agenda is delegated to the Managing Solicitor (DPO), who manages the
Council’s Information Governance Team. Whilst the Information Governance
Team deals with all aspects of information governance, including data
protection and the Managing Solicitor (DPO) conducts internal FOI reviews
on behalf of the Council, the vast majority of her time is spent on data
protection compliance.

 

e. If the DPO has other responsibilities, has a risk assessment been
carried out to ensure that any potential conflicts of interest as
identified in the GDPR and the guidance from the European Data Protection
Board are managed? If so, has this been reviewed in light of the recent
decision of the Belgium Data Protection Authority (28 April 2020):
[1]https://eur01.safelinks.protection.outlo...

The requirements of Article 39 of the EU General Data Protection
Regulation (“GDPR”) were carefully considered by the Council when
appointing a statutory DPO on the basis of professional qualities and
expert knowledge of data protection law and practices. A very deliberate
decision was made to ensure that the DPO was not a decision maker i.e.
part of the Council’s Corporate Management Team (“CMT”), but someone who
instead, has direct access to the CMT. Given the role of the Managing
Solicitor (DPO), the Council is satisfied that there is no conflict of
interest and the circumstances of the recent Belgian decision are quite
different to the Council’s organisational structure, as the DPO role is
entirely separate from that of Risk Manager and Chief Auditor/Internal
Audit.

 

f. The line manager of the DPO – i.e. the post that the post holder
reports to. Is it the SIRO?

The Managing Solicitor (DPO)’s direct line manager is the Head of
Corporate Governance. However, both the Council’s Information Governance
Strategy and Framework and Data Protection Policy reflect her supporting
role to the SIRO, which includes a minimum monthly briefing. In practice,
the DPO works closely with the SIRO on data protection matters and has
direct access to the SIRO, as required.

 
g. Who the DPO reports to in their role as DPO if that differs from
the line manager? Is it the SIRO?

As outlined above, the DPO reports in her role as DPO to the SIRO.

h. At what spinal point is the DPO paid?
Grade P

i. Key relevant qualifications that the DPO and SIRO hold or relevant
training completed.

As well as being a qualified solicitor who has advised on data protection
issues since 1999, the DPO holds the BCS Certificate in Data Protection
and was the first solicitor in Scotland to become a Law Society of
Scotland Accredited Specialist in Data Protection and Freedom of
Information Law. She also holds an LLM with Distinction in Human Rights
Law. The SIRO is the Director of Finance and Resources and so, is the
Chief Finance Officer for the Council.

 

2. And could you provide the relevant extract of the Council’s
Organisational Chart that shows the DPO, the DPO’s line manager, the post
holder that the DPO reports to, the SIRO and Chief Executive?

Please find attached Organisation chart as requested.

 

 

Review Procedure

 

If you are unhappy with the way in which the Council has dealt with your
request, you are entitled to require the Council to review its decision. 
A copy of the Council’s review procedures is attached at Appendix I.

 

Yours sincerely

 

Donna Cunningham

 

Information Governance Officer

Legal & Democratic Services

 

 

 

 

 

 

 

Renfrewshire Council Website -http://www.renfrewshire.gov.uk

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager.
Renfrewshire Council may, in accordance with the Telecommunications(Lawful
Business Practice) (Interception of Communications) Regulations 2000,
intercept e-mail messages for the purpose of monitoring or keeping a
record of communications on the Council's system. If a message contains
inappropriate dialogue it will automatically be intercepted by the
Council's Internal Audit section who will decide whether or not the e-mail
should be onwardly transmitted to the intended recipient(s).

References

Visible links
1. https://eur01.safelinks.protection.outlo...