Data Protection Officer Statement

Although ellenor is not a public authority or body due to the nature of our processing activities and sensitive data we hold, we have appointed our Information Governance (IG) lead (Head of Governance, Compliance & Project) as ellenor’s Data Protection Officer (DPO).

Position of the Data Protection Officer 
Our DPO reports directly to our highest level of management and is given the required independence to perform their tasks. The DPO reports to our directorate and has independence to report directly to the CEO and Board. 

As IG lead, we involve our DPO, in a timely manner, in all issues relating to the protection of personal data and in this capacity, they are sufficiently well resourced to be able to perform their tasks. The DPO attends annual Information Governance external qualified training and has access to external qualified data protection expertise when required. 

The DPO acts freely to audit our processing activities and we do not penalise the DPO for performing their duties. We review the DPO tasks through regular meetings to ensure that any other tasks or duties we assign our DPO do not result in a conflict of interests with their role as a DPO.

Tasks of the Data Protection Officer
Our DPO is tasked with monitoring compliance with the GDPR and other data protection laws, our data protection policies, awareness-raising, training, and audits. We take account of our DPO’s advice and the information they provide on our data protection obligations. Our DPO takes the lead on training all departments including senior management and our Board of Trustees. They have input into the SIRO report which is appraised by our Trustees on a quarterly basis. The DPO is Chair of our IG Group, which includes the Senior Information Risk Owner (SIRO) and Caldicott Guardian. In this capacity, as Chair, they are responsible for setting the IG Group agenda, raising awareness and reporting data protection issues. The IG Group meet every other month.    

When carrying out a Data Protection Impact Assessment (DPIA) with third parties, we seek the advice of our DPO who also monitors the process.

Our DPO acts as a contact point for the ICO. They co-operate with the ICO, including during prior consultations under Article 36, and will consult on any other matter. 

When performing their tasks, our DPO has due regard to the risk associated with processing operations, and considers the nature, scope, context, and purposes of processing. An Information Asset Register is maintained, updated and reviewed in a timely manner. 

Accessibility of the Data Protection Officer
Our DPO is easily accessible as a point of contact for our trustees, employees, volunteers, individuals and the ICO.    

We have published the contact details of the DPO and communicated them to the ICO.

The contact details are as follows: 

Contact name: Tracey Hill
Telephone: 01474 320007