
Information Governance Arrangements



  • Senior Information Risk Owner (SIRO):

The SIRO has accountability for ensuring that effective systems and processes are in place to address the Information Governance agenda, including records and document management.

The SIRO is the overall owner of information risk within the organisation and acts as the focal point for information risk management in the organisation including resolution of any pan-organisation or other escalated risk issues raised by Information Asset Owners or other Officers within the Health Board. The SIRO will provide written advice to the Chief Executive on the content of the Governance Statement regarding information risk.

Within Cwm Taf Morgannwg University Health Board, the Director of Digital holds the SIRO role. Should you wish to contact the SIRO please email:

  • Data Protection Officer (DPO)

The DPO, appointed under statutory General Data Protection Regulations (GDPR) obligations, is responsible for monitoring NHS Digital’s compliance with Data Protection legislation and its compliance with its own policies in relation to the protection of personal data. This includes records management, retention and disposal, in relation to personal data of living individuals.

Under Article 39 of the UK GDPR the DPO’s tasks are defined as:

  • to inform and advise on the Health Board’s obligations to comply with the UK GDPR and other data protection laws;
  • to monitor compliance with the UK GDPR and other data protection laws, and with the Health Board's data protection policies, including managing internal data protection activities, raising awareness of data protection issues, training staff and conducting internal audits;
  • to advise on, and to monitor, data protection impact assessments;
  • to cooperate with the ICO; and
  • to be the first point of contact for the ICO and for individuals whose data is processed (employees, stakeholders, third parties etc).

It’s important to remember that the DPO’s tasks cover all personal data processing activities, not just those that require their appointment under Article 37(1) of the GDPR.

When carrying out their tasks the DPO is required to take into account the risk associated with the processing the Health Board is undertaking. They must have regard to the nature, scope, context and purposes of the processing.

The DPO should prioritise and focus on the more risky activities, for example where special category data is being processed, or where the potential impact on individuals could be damaging. Therefore, DPOs will provide risk-based advice to the Health Board.

In the event of the identification of high risks, the DPO will escalate to the appropriate Executive Director and/or Board.

Within Cwm Taf Morgannwg University Health Board, the Chief Information Officer (CIO) holds the DPO role. Should you wish to contact the DPO please email:

  • Caldicott Guardian

The role of the Caldicott Guardian is advisory. The Caldicott Guardian acts as the conscience of the organisation for patient information, patient confidentiality and information sharing issues and the proper management of patient information.

Within Cwm Taf Morgannwg University Health Board, the Executive Medical Director holds the Caldicott Guardian role. Should you wish to contact the Caldicott Guardian please email:


If you have any concerns about the way your information is used you should discuss these with the healthcare professional responsible for your care. If you are still not happy with the way we have collected, used or shared your information then you have a right to complain.

Concerns and Complaints - Cwm Taf Morgannwg University Health Board

Alternatively, if you have any general enquiries about how your information is used then please contact:

Information Governance Department



NHS Direct Wales website at

Information Commissioner’s Office at

(The Information Commissioner's Office is the UK's independent authority set up to promote access to official information and to protect personal information)


Details on how to submit a Freedom of Information Request are available here: Freedom of information - Cwm Taf Morgannwg University Health Board


Details on how to submit a request for Health Records are available here: Requests for Access to Health Records - Cwm Taf Morgannwg University Health Board