The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Organisational structure

There is an organisational structure for managing data protection and information governance, which provides strong leadership, clear reporting lines and responsibilities, and effective information flows . This could mean clear management roles and responsibilities for staff in the information security or records management departments.

Ways to meet our expectations:

  • The board, or highest senior management level, has overall responsibility for data protection and information governance.
  • Decision-makers lead by example and promote a proactive, positive culture of data protection compliance.
  • You have clear reporting lines and information flows between relevant groups; such as from a management board to an audit committee, or from an executive team to an information governance steering group.
  • Policies clearly set out the organisational structure for managing data protection and information governance.
  • Job descriptions clearly set out responsibilities and reporting lines to management.
  • Job descriptions are up-to-date, fit for purpose and reviewed regularly.
  • Data protection and information governance staff understand the organisational structure and their responsibilities.

Can you answer yes to the following questions?

  • Do staff report that your organisational structure is effective?
  • Is there a positive and proactive culture of data protection compliance across your organisation?
  • Are staff aware of their responsibilities and those of others within the structure?