The answer is that everyone is responsible.
We are all responsible for protecting and keeping secure personal and special category information whenever we work with this kind of information as part of our jobs. We are all required to inform the DPO of breaches so that they can be handled in accordance with the procedure.
Managers and Heads of Service are responsible for ensuring that their teams adhere to this policy and have a system in place for handling personal information.
The GDPR and Data Protection Act 2018 make it compulsory to carry out a ‘data protection impact assessment’ (DPIA) for all new systems, processes, policies and procedures, and for changes to existing ones. This will enable you to identify the risks of your activity and to ensure that personal data is handled in line with the legislation. Use the DPIA screening checklist first to see if you are required to complete a DPIA. The forms can be found on Buzz and completed as appropriate.
Serious breaches of the Data Protection Act could result in financial penalties from the Information Commissioner's Office of up to a maximum of 4% of global turnover.
For specific queries not covered by this policy, seek advice from the DPO. The role has been designated the DPO for Bron Afon and will liaise with the Information Commissioner's Office where we need to seek further clarification or information. Specifically, the DPO is responsible for:
- Keeping this policy and associated procedures up to date and in line with guidance as it arises from the Information Commissioner's Office.
- Being an expert in Data Protection and being able to appropriately advise the business.
- Reviewing personal information held by the business and ensuring it is necessary, relevant and accurate.
- Reporting to the Board and the ICO any concerns or high-risk breaches.
All staff and Board members will be required to read and understand this policy as part of their induction.