Appendix 2: Operating model for Information Compliance

These guidance notes supplement the ICP-02 Data protection policy.

1. First lines of defence: Business owners

All staff

1.1. The data protection responsibilities of all Staff are:

1. Be aware of policy provisions.
   
   
2. Be able to recognise Personal Data.
   
   
3. Understand Personal Data handling.
   
   
4. Understand how to report/escalate potential issues.
   
   
5. Understand where to direct questions.

Information Asset Management Network

1.2. The Information Asset Management Network comprises the Information Asset Owners (IAOs) and Information Asset Administrators (IAAs).

1.3. Their general responsibilities are to:

1. Provide connection between IAOs and IAAs.
   
   
2. Collect feedback.
   
   
3. Ensure common practice.

1.4. Information Asset Owners’ data protection responsibilities are:

1. Maintain accountability for assets.
   
   
2. Ensure that policies are implemented, including security and data quality.
   
   
3. Ensure that data is handled appropriately within and related to responsibilities.
   
   
4. Report risk management status and emerging risks to SIRO.

1.5. Information Asset Administrators’ data protection responsibilities are:

1. To undertake operational activities for the asset.
   
   
2. Maintain a Record of Processing Activities (ROPA) for functional areas.
   
   
3. Maintain Information Asset Register (IAR) data.
   
   
4. Disseminate data protection information, policy, procedures.
   
   
5. Report risks and concerns to IAOs.
   
   
6. Field questions not answered by generally available material.

Back to top

2. Second line of defence: Standard Setters

2.1. The following parties are Standard Setters:

1. Senior Information Risk Owner
   
   
2. Information Compliance Team
   
   
3. Information Governance and Security Advisory Board
   
   
4. Data Protection Officer
   
   
5. Research Governance
   
   
6. Other boards
   
   
7. Information Security Manager

2.2. Standard Setters’ data protection responsibilities encompass:

1. Develop and approve policy and procedure.
   
   
2. Approve projects and direction.
   
   
3. Provide oversight, guidance and governance.

Back to top

3. Third line of defence: Assurance Providers

3.1. The following parties are Assurance Providers:

1. Internal audit
   
   
2. External audit
   
   
3. Information Commissioner’s Office

3.2. Assurance Providers’ data protection responsibilities are:

1. Audit.
   
   
2. Performance assessment.
   
   
3. Remediation guidance where gaps are noted.

Back to top