Reference:
Request detail:
Good afternoon,
I would like to make an FOI request, please.
1. Who is the SIRO / Senior Information Risk Owner, or equivalent. A name and job title, or if they are below the disclosable level just a job title is fine, could you also provide a contact email for this person.
If you do not have a nominated SIRO could you please answer Q1 with the person(s) with responsibilities equivalent to a SIRO.
“A Senior Information Risk Owner (SIRO) is an Executive Director or member of the Senior Management Board of an organisation with overall responsibility for an organisation's information risk policy. The SIRO is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.”
2. Do you have, or are you planning to have, appointed Information Asset Owners (IAOs) (or a similar role such as data stewards, data owner, etc)?
“Information Asset Owners (IAOs) must be senior/responsible individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.”
3. If the answer to Q2 is yes, how often are they trained and who is responsible for organising the training? (as in, the person)
4. Are you or have you considered becoming ISO 27001 compliant or certified? If so, who is responsible for the project? (as in, the person)
5. When did you last conduct a Physical Security risk assessment of the Services building(s)/estate(s), and who is responsible for managing risk in this area? (as in, the person)
6. Who is your DPO (Data Protection Officer) or responsible person for DPO duties?
Response detail:
Thank you for your Freedom of Information request. Please find our responses below.
1. Who is the SIRO / Senior Information Risk Owner, or equivalent. A name and job title, or if they are below the disclosable level just a job title is fine, could you also provide a contact email for this person.
Simon Hardiman. Assistant Chief Fire Officer – Service Support. Simon.Hardiman@Shropshirefire.gov.uk
If you do not have a nominated SIRO could you please answer Q1 with the person(s) with responsibilities equivalent to a SIRO.
“A Senior Information Risk Owner (SIRO) is an Executive Director or member of the Senior Management Board of an organisation with overall responsibility for an organisation's information risk policy. The SIRO is accountable and responsible for information risk across the organisation. They ensure that everyone is aware of their personal responsibility to exercise good judgement, and to safeguard and share information appropriately.”
2. Do you have, or are you planning to have, appointed Information Asset Owners (IAOs) (or a similar role such as data stewards, data owner, etc)?
Shropshire Fire and Rescue Service has IAOs.
“Information Asset Owners (IAOs) must be senior/responsible individuals involved in running the relevant business. Their role is to understand what information is held, what is added and what is removed, how information is moved, and who has access and why. As a result they are able to understand and address risks to the information, and ensure that information is fully used within the law for the public good. They provide a written judgement of the security and use of their asset annually to support the audit process.”
3. If the answer to Q2 is yes, how often are they trained and who is responsible for organising the training? (as in, the person)
GDPR/Data Protection training is given every 3 years. The Planning & Programmes Officer organises this training.
4. Are you or have you considered becoming ISO 27001 compliant or certified? If so, who is responsible for the project? (as in, the person)
No
5. When did you last conduct a Physical Security risk assessment of the Services building(s)/estate(s), and who is responsible for managing risk in this area? (as in, the person)
Tuesday 18 January 2021, Andrew Kelcey, Head of Resources
6. Who is your DPO (Data Protection Officer) or responsible person for DPO duties?
Robert Montgomery
If you are unhappy with the way your request for information has been handled, you can complain or request an internal review of the decision. This must be done within 40 working days of receiving this response. You can do this by writing to the Assistant Chief Fire Officer, Shropshire Fire and Rescue Service, St. Michael’s Street, Shrewsbury, Shropshire, SY1 2HJ or email: enquiries@shropshirefire.gov.uk.
If you remain dissatisfied with the handling of your request or complaint, you have a right to appeal to the Information Commissioner at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.gov.uk