
Disclosure Log


Record Ref : FOI 12018
Date Received : 04/03/2026
Date Completed : 31/03/2026
Organisation : Proton.Com
Request Type : Company
Category : Council Employees
Question

PART 1 — ORGANISATIONAL STRUCTURE

1. Please provide an up-to-date organisational chart, or a written description setting out the reporting lines and hierarchical structure, for each of the following functions:

(a) Information Security Management (including any Information Security team, Cyber Security team, or equivalent);

(b) Data Protection (including any Data Protection Officer function, privacy team, or equivalent); and

(c) Information Risk Management (including any Information Governance, Records Management, or equivalent teams).

2. For each of the above functions, please confirm: (a) the name of the team or unit responsible; (b) the specialisms covered by that team or unit as defined by the UK Cyber Security Council (https://www.ukcybersecuritycouncil.org.uk/for-individuals/about-the-cyber-security-sector/cyber-career-framework); (c) the directorate or department within which it sits; and (d) the name and job title of the most senior officer accountable for that function.

PART 2 — JOB DESCRIPTIONS AND ROLE PROFILES

3. Please provide copies of the current job descriptions (or role profiles) for every post within each of the three functions identified in Question 1 above, including but not limited to:

(a) The Data Protection Officer (DPO) or Senior Information Risk Owner (SIRO) / Caldicott Guardian where applicable;

(b) Any Information Security Manager, Head of Cyber Security, or equivalent senior post;

(c) All Information Governance, Data Protection, Information Security and Information Risk posts at officer, senior officer, manager and head-of-service level; and

(d) Any contractor, interim or agency role performing substantive duties within these functions, to the extent that a job description or equivalent specification exists.

4. Where a single post holder carries responsibilities spanning more than one of the three functions above, please provide the complete job description for that post and indicate which functions it covers.

PART 3 — QUALIFICATIONS AND PROFESSIONAL CERTIFICATIONS

5. For each post identified in Part 2, please state:

(a) The minimum educational or professional qualifications specified as essential or desirable within the person specification or job description;

(b) Any professional certifications or memberships listed as essential or desirable (for example: CISM, CISSP, CRISC, BCS, IAPP CIPP/E, ISO 27001 Lead Implementer/Auditor, ILM, PRINCE2, or equivalent); and

(c) Whether the Council requires or expects its DPO to hold a specific qualification or certification in data protection law or practice, and if so which qualification(s).

6. Please also confirm whether the Council has any corporate policy, strategy or procedural guidance that sets out minimum qualification or certification requirements for staff working in Information Security, Data Protection or Information Risk Management roles. If so, please provide a copy or a summary of the relevant provisions.

PART 4 — SALARY AND REMUNERATION

7. For each post identified in Part 2, please provide:

(a) The salary grade or pay band applicable to the post;

(b) The minimum and maximum salary points within that grade or band (expressed as an annual full-time equivalent salary in pounds sterling); and

(c) Where the Council uses a nationally agreed pay spine (such as the NJC Green Book scale), the relevant spinal column points.

8. For any post that falls outside a standard pay scale — including any senior management post paid under a separate executive pay arrangement, or any contracted/interim engagement — please provide the contractual day rate or annual equivalent remuneration to the nearest £5,000 band, in accordance with the Council's publication of senior pay data under the Accounts and Audit Regulations 2015 or equivalent transparency obligation.

PART 5 — HEADCOUNT AND VACANCIES

9. For each of the three functions in Question 1, please state:

(a) The total number of full-time equivalent (FTE) posts currently established;

(b) The number of those posts that are currently filled (by permanent, fixed-term or interim/agency staff); and

(c) The number of posts that are currently vacant.


Answer

PART 1 — ORGANISATIONAL STRUCTURE

1. Please provide an up-to-date organisational chart, or a written description setting out the reporting lines and hierarchical structure, for each of the following functions:

a. Information Security Management (including any Information Security team, Cyber Security team, or equivalent);

ICT Structure Chart – Please see the attached structure chart.

b. Data Protection (including any Data Protection Officer function, privacy team, or equivalent); and

Information Governance Team structure chart – Please see the attached structure chart.

c. Information Risk Management (including any Information Governance, Records Management, or equivalent teams).

Please see the attached structure chart. Please find attached the membership of the Information Governance & Cyber Security Forum.

2. For each of the above functions, please confirm:

a. the name of the team or unit responsible;

ICT Department

Information Governance Team

Legal and Governance Services

Chief Executive/SIRO

b. the specialisms covered by that team or unit as defined by the UK Cyber Security Council

Cyber Threat Intelligence – ICT

Cyber Security Management – ICT

Incident Response – depending on the nature of the incident either ICT or Information Governance Team.

Network Monitoring & Intrusion Detection – ICT

Vulnerability Management – ICT

Security Testing – ICT

Cryptography & Communication Security – ICT

Secure Operations – ICT

Identity & Access Management – depending on the system ICT or Information Governance Team

Secure System & Architecture Design – ICT

Cyber Security Audit & Assurance – ICT

Data Protection & Privacy – Information Governance Team

Secure System Development – ICT

Cyber Security Governance & Risk Management – ICT and Information Governance Team

Digital Forensics - ICT

c. the directorate or department within which it sits; and

ICT Department - Finance

Information Governance Team – Governance & Resources

Legal and Governance Services – Governance & Resources

Chief Executive/SIRO – Chief Executives

d. the name and job title of the most senior officer accountable for that function.

The most senior officer accountable for all such matters is the Senior Information Risk Owner who is the Chief Executive of the Council.

PART 2 — JOB DESCRIPTIONS AND ROLE PROFILES

3. Please provide copies of the current job descriptions (or role profiles) for every post within each of the three functions identified in Question 1 above, including but not limited to:

a. The Data Protection Officer (DPO) – Please see the JD attached

b. Senior Information Risk Owner (SIRO) – Please see the JD attached

c. Head of ICT – We do not hold a copy of this JD

d. All Information Governance – Please see the JD attached

e. Corporate Information Security Officer - Please see the JD attached

f. Any contractor, interim or agency role performing substantive duties within these functions, to the extent that a job description or equivalent specification exists. - Please see the JD attached

4. Where a single post holder carries responsibilities spanning more than one of the three functions above, please provide the complete job description for that post and indicate which functions it covers.

The responsibilities for each post are detailed within the relevant job descriptions

PART 3 — QUALIFICATIONS AND PROFESSIONAL CERTIFICATIONS

5. For each post identified in Part 2, please state:

a. The minimum educational or professional qualifications specified as essential or desirable within the person specification or job description;

This is included within the relevant job descriptions

b. Any professional certifications or memberships listed as essential or desirable (for example: CISM, CISSP, CRISC, BCS, IAPP CIPP/E, ISO 27001 Lead Implementer/Auditor, ILM, PRINCE2, or equivalent);

These are included within the relevant job descriptions. Corporate Information Security Officer: ISO27001 Lead Implementer/Auditor; CISMP; CISM; ILM5 Leadership & Management; PRINCE2.

c. Whether the Council requires or expects its DPO to hold a specific qualification or certification in data protection law or practice, and if so which qualification(s).

This is included in the relevant job description.

6. Please also confirm whether the Council has any corporate policy, strategy or procedural guidance that sets out minimum qualification or certification requirements for staff working in Information Security, Data Protection or Information Risk Management roles. If so, please provide a copy or a summary of the relevant provisions.

No

PART 4 — SALARY AND REMUNERATION

7. For each post identified in Part 2, please provide:

a. The salary grade or pay band applicable to the post;

Data Protection Officer – Grade 9 SCP 37-40 (£48,226-£51,356)

Compliance Officer (IGT) – Grade 6 SCP 23-25 (£34,434-£36,363)

Corporate Information Security Officer – 11 SCP 44-46 (£55,580-£57,745)

Chief Executive – JNC Chief Officer Chief Executive Scale (£136,743)

b. The minimum and maximum salary points within that grade or band (expressed as an annual full-time equivalent salary in pounds sterling); and

JNC Chief Officer Chief Executive Scale (£136,743)

c. Where the Council uses a nationally agreed pay spine (such as the NJC Green Book scale), the relevant spinal column points.

JNC Chief Officer Chief Executive Scale (£136,743).

8. For any post that falls outside a standard pay scale — including any senior management post paid under a separate executive pay arrangement, or any contracted/interim engagement — please provide the contractual day rate or annual equivalent remuneration to the nearest £5,000 band, in accordance with the Council's publication of senior pay data under the Accounts and Audit Regulations 2015 or equivalent transparency obligation.

JNC Chief Officer Chief Executive Scale (£136,743)

PART 5 — HEADCOUNT AND VACANCIES

9. For each of the three functions in Question 1, please state:

a. The total number of full-time equivalent (FTE) posts currently established;

5.43

b. The number of those posts that are currently filled (by permanent, fixed-term or interim/agency staff); and

4.43 FTE are permanent. 1 FTE – Apprentice contract is until December 2027.