National Police Information Security practice requires the appointment of a Senior Information Risk Owner (SIRO).
It is accepted that PCCs with access to PNN and other police systems ought to adopt the convention of appointing a SIRO to take overall responsibility for the management of information risk.
In Cleveland, the OPCC relies upon joint corporate arrangements in respect of communications and information technology and does not operate bespoke hardware or software solutions. In other words, the IT environment aligns with Cleveland Police. In those circumstances it makes sense to align SIRO arrangements with Cleveland Police.
This Decision Record approves the appointment of Deputy Chief Constable Iain Spittal for the purposes of SIRO responsibilities in respect of the Office of the Police & Crime Commissioner.
In so doing, the PCC recognises that it would be unlawful to seek to effect a specific delegation to the DCC and approves the arrangement under which the Chief of Staff (as his delegate on risk management matters and in respect of overall management and leadership of the OPCC) liaises closely as part of existing meeting structures with the DCC and Steria, in relation to the management of information risk and information security risk.
This decision should be reflected in suitable terms in the appropriate section of the Joint Corporate Governance Framework as part of its next revision.