All University web hosted services will be at risk of downtime every Tuesday between 7am to 9am.

Jump to accessibility statement Skip to content

Roles and Responsibility

Technical Services / Cyber Security and Information Governance / Information Governance / Roles and Responsibility

Roles and Responsibility

There are some common roles used in Information Governance to provide assurance over the way in which information is governed and used, the following section provides an overview of the specific roles and responsibilities used in the University of Sunderland.

Data Protection Officer (DPO)

The DPO’s tasks are defined in Article 39 of the General Data Protection Regulations (GDPR) as:

  • to inform and advise you and your employees about your obligations to comply with the GDPR and other data protection laws;
  • to monitor compliance with the GDPR and other data protection laws, and with your data protection polices, including managing internal data protection activities; raising awareness of data protection issues, training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the supervisory authority; and
  • to be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, customers etc).

It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37(1).

When carrying out their tasks the DPO is required to take into account the risk associated with the processing you are undertaking. They must have regard to the nature, scope, context and purposes of the processing.
The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs should provide risk-based advice to your organisation.
If you decide not to follow the advice given by your DPO, you should document your reasons to help demonstrate your accountability.

The University of Sunderland's Data Protection Officer is Sam Seldon, Sam also fulfills the role of Information Governance Manager.

Senior Information Risk Owner (SIRO)

The SIRO's main responsibilities fall into 4 broad themes which are:

  • Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
  • Owning the organisation’s information risk and incident management framework
  • Owning the organisation’s overall information risk policy and risk assessment processes and ensuring they are implemented consistently by Information Asset Owners (IAOs)
  • Advising the Chief Executive or relevant Accounting Officer on the information risk aspects of his/her Annual Governance Statement


Information Asset Owners (IAOs)

At the University of Sunderland IAOs are the Academic Deans and Directors of Service.  As with the SIRO the responsibilities of the IAOs can be broken down into 4 main themes as follows:

  • Leading and fostering a culture that values, protects and uses information for the success of the organisation and benefit of its customers
  • Knowing what information comprises or is associated with the asset, and understands the nature and justification of information flows to and from the asset
  • Knowing who has access to the asset, whether system or information, and why, and ensures access is monitored and compliant with policy
  • Understanding and addressing risks to the asset, and providing assurance to the SIRO

It should be noted that whilst the IAOs are required to hold oversight of the areas noted above, they may delegate some responsibilities to individuals working within their Faculty or Service, these individuals will be Information Asset Administrators (IAAs).