Accountability at North Devon Council

North Devon Council (the Council) is a public authority and therefore we have appointed a Data Protection Officer in compliance with Article 37 of the General Data Protection Regulation.

Our Data Protection Officer plays a key role in ensuring our accountability, but is not solely responsible.

We have a number of officers involved with privacy and information management, in line with good practice and pursuant to our Data Protection and our Information Security and Standards Policies. This sets up a network which enables us to embed cultural and systematic good practice, identify and manage our information risks, and monitor compliance.

These are the key roles:

  • Senior Information Risk Owner (SIRO) – held by our Head of Customer Focus
  • Data Protection Officer (DPO) – held by our Solicitor and Data Protection Officer
  • Information Asset Owners (IAOs) – all Heads of Service (and those delegated by them)
  • Data Protection Leads – officers nominated by Information Asset Owners to have responsibility for ensuring compliance with the Data Protection Policy

Our SIRO, DPO, IAOs and Data Protection Leads are responsible for making sure that our business processes and decision making are in line with GDPR requirements and good practice.

The DPO also supervises a small support team who may provide advice, monitor compliance and carry out key tasks like responding to requests, handling security incidents, assisting in managing records and promoting good privacy, security and information management practices.

Our approach has ‘privacy by design and default’ at the forefront. We have an established privacy assessment process led by our DPO who is available to provide advice throughout the process. This process is linked to our procurement, supplier assessment and contract management processes.

We have key accountability documentation including a record of our processing activities, corporate retention schedule and information asset register. Our business processes require that decisions and rationale are documented.

We are committed to being transparent with people who interact with us and use our services. Required changes to our privacy notice are identified and implemented through our privacy assessment and procurement processes.

Training in data protection and governance for new starters and existing staff is ongoing. Where specific training needs are identified, we are committed to providing appropriate training and support.

Our Data Protection Officer

This explains how our DPO fits into our governance structure.

The Council is a public authority and therefore we have appointed a DPO in compliance with Article 37 of the General Data Protection Regulation.

This statement explains how the role of the DPO works within the Council.

Qualification

Our DPO is a solicitor at the Council with experience of advising on data protection issues.

Independence

Our DPO is free of conflicting priorities and is able to raise issues in the way and in the forum they see fit, without approval from their line manager or others to do so. Our DPO is not penalised for performing their tasks.

Reporting to highest level of management

The DPO is accountable to the most senior officers at the Council, consisting of the Council’s Senior Management Team (SMT).

The DPO is responsible for reporting risks or opportunities and recommending appropriate actions in relation to the Council’s processing of personal information. Our DPO has very regular contact with all members of our SMT, including our Chief Executive, our SIRO, our Monitoring Officer and all Heads of Service. SMT is responsible for corporate planning and making business decisions which might impact on how we process personal information. Our Heads of Service implement those plans and decisions.

Resources and access

The DPO works in the Council’s Legal Services team and, as set out above, supervises two support staff in dealing with data subject requests and general data protection issues. The DPO also consults with the Council’s Monitoring Officer, who covers the DPO’s role when the DPO is on leave. The Council also has a Data Protection Lead in each distinct unit within the Council. These Data Protection Leads meet quarterly with the DPO to discuss data protection issues. The SIRO sits separately from the DPO in the Council’s ICT team but works closely with the DPO. The SIRO and DPO also run an Information Management Asset Group (IMAG) which meets quarterly to discuss (and, where relevant, highlight to SMT) information security matters. Work to ensure our internal data protection compliance, including Data Protection Impact Assessments, is carried out and monitored by these members of staff.

These resources are regularly reviewed and increased or changed where needs are identified.

Our DPO has access to all of our information systems and access to all services and staff if they need input, information or support.

DPO tasks

The requirements of Article 39 of the GDPR are included in the DPO job description.

Our DPO’s other tasks

We have appointed an internal, existing employee as our DPO who has existing professional duties. The tasks and focus of the DPO and solicitor roles complement each other and do not conflict. Neither responsibility is focussed on determining the purposes and means of processing personal data; both are focussed on providing advice about the risks, mitigations, safeguards and solutions required to ensure our processing is compliant and supported by our business decisions.

Visibility

Our DPO’s contact details are included within our privacy information and records of processing activities. The DPO also delivers training sessions for all staff when they join the Council. The DPO’s name and photograph are also easily available on our Intranet. We have a dedicated email address and monitored inbox for data protection queries or complaints received internally or externally.

Our DPO is our contact with the Information Commissioner’s Office, the UK’s supervisory authority for the purposes of the GDPR.

Decision making

Where the advice of the DPO is not followed, this is documented.

If you have any queries please email dataprotection@northdevon.gov.uk.