Report Summary
Issued 28 July 2025, this FOI response provides information on information asset ownership and data governance roles in the Authority.
To access the full document please open the PDF document above.
To view as accessible content please use the sections below. (Note that some tables and appendixes are not available as accessible content).
Response
The Scottish Police Authority (SPA) has considered your request under the Freedom of Information (Scotland) Act (FOISA).
Our response to each of your questions is provided below.
- Name of organisation SIRO (Senior Information Risk Owner)
- Chris Brown, Deputy Chief Executive
- Contact email of person named in request No. 1.
- Name of organisation DPO (Data Protection Officer) or responsible person for DPO duties.
- Lindsey Davie, Information Management Lead
- Contact email of DPO.
- Nominated Caldicott Guardian.
- Not applicable
- Contact email of Caldicott Guardian.
- Not applicable
- Have you appointed, or do you plan on appointing or delegating the position of IAO to any employees?
- Information Asset Owners are in place.
- Who is responsible for the leading IAO structure, I.E. the SIRO/’Lead’ IAO/Head of Governance/Head of Corporate Services etc?
- Information Management Lead
- Who is responsible for reviewing and implementing any training needs for the IAO’s?
- Information Management Lead
10.Spend on external IAO training over the past 5 years, per year (financial year), or is the training delivered internally (if at all)?
- Prior to 2020, formal certified training was delivered by
Advent IM. Thereafter training has been in-house.
11.Are you or have you considered becoming ISO 27001 compliant or certified?
- SPA do not hold ISO 27001 accreditation, but work to the principles of the standard. Our Forensic Services have ISO 17025 certification.
12.Following on from Q11, if so whom is/would be responsible for implementation or exploration of ISO 27001? (as in, the person/job title)
- SPA does not intend to seek certification to ISO 27001.