Data Protection Officer – AR

JOB ROLE PROFILE AND PERSON SPECIFICATION

Purpose of the Role:
The Data Protection Officer and the Data Protection Team are part of the Law and Governance Service within the Legal Practice and Compliance Team.
Under the Data Protection Act 2018 the Data Protection Officer must operate independently to fulfil their role as an unbiased body guiding the organisation to meet the 7 Principles of GDPR. Reporting to the Head of Legal Practice and Compliance the Data Protection Officer is accountable for safeguarding personal data to ensure it is used responsibly, securely and in compliance with legal and regulatory requirements. The role is responsible to ensure that the Council and schools are advised correctly in all aspects of protecting individuals’ privacy, preventing unauthorised access, and ensuring that data is processed transparently and lawfully.

The Data Protection Officer will:
• Have responsibility for delivery of the legally mandated role of Data Protection Officer for the Council and schools. The postholder will be required to register as the Data Protection Officer with the Information Commissioners Office on behalf of the Council.
• Be technically proficient as they will give advice which has legally binding consequences. The post holder must have clear expertise and ongoing professional development in data management and will be expected to hold one or more technical qualifications in data protection.
• Have accountability for the data policies within the Council and Schools, ensuring that they are reviewed at least annually or where legislation or operational changes occur.
• Have the day-to-day authority and responsibility for advising the Council and schools on compliance with the data protection laws in order that they to carry out their duties lawfully.
• Lead personally or via delegation investigation into all reported data breaches as soon as notified through to conclusion and where appropriate implement measures to prevent or mitigate reoccurrence.
• Be expected to effectively communicate, influence, and engage across all levels in the organisation ranging from the council’s most senior leadership, Directors and Assistant Director and groups of staff to the Leader and Deputy Leader, Councillors and with school governors, headteachers and school staff.
• Be the data protection contact point of liaison with regulators, third parties such as police, press, suppliers, and the public.
Job Role Profile and Person Specification
• Have an overarching responsibility for fostering a data protection culture within the council and schools and maintain the highest standards of integrity and professional ethics.
• Maintain the corporate Data Protection and Information Governance Risk Register and ensure that risk mitigation actions are prioritised in the Data Protection Team workplan.
• Produce regular reports on data protection compliance and issues for the highest management level of both the council and schools.

The postholder must be able to independently analyse and evaluate situations, creating what-if scenarios, reasoning based on the information, experience and knowledge to arrive at one or more options, and draw effective conclusions, upon which to provide decisions at an operational and mid-term strategic level. They will be required to participate regularly in meetings of senior or middle management where decisions with data protection implications are taken.

The demands of this role involve regularly managing a number of competing activities, at times with demanding deadlines and public/press/regulator involvement, on an on-going basis, with a range of complexities, from very complex to tactical, including key decisions that could result in legislative action against the council, impact the delivery of the service to the whole Council and beyond, to partner organisations.

This role is required to act alongside the Head of Legal Practice and Compliance as the communication channel to/from all data users with internal and external stakeholders, especially in the case of a major data breach. As such, there may be times when the post holder is required to be available out of hours, including weekends. Accountability for reporting and managing data breaches remains with the data owner.

Key Accountabilities:

Accountabilities
1. Prepare and keep up to date by at least annual review all data protection policies and associated documentation which will include but not limited to; Privacy Notices, Data Processing Agreements, consent forms, Data Privacy Impact Assessments, legitimate interest assessments, Police disclosure requests.
2. Monitoring changes to the law and the data protection environment making recommendations to the Data Protection, Information and Security Strategic Governance Board when appropriate.
3. Maintain a deep understanding of the Council and school compliance with data protection laws and regulations by completing self-assessments and data protection audit.
4. Liaise directly with all areas of the business and develop influential relationships, to guarantee that the data protection culture is maintained and continuously improved.
5. Developing data protection training programs for the Council and schools with responsibility for ensuring these are implemented.
6. Collaborating with the Information Governance and Digital Security functions to raise employee awareness of information governance, data protection and security issues, and providing training on the subject matter.
7. Developing strategies and initiatives to ensure engagement with key internal and external stakeholders, this may include actions such as data protection surgeries, intranet articles, staff communication emails.
8. Accountable to ensure that each Council directorate and school have a robust Record of Processing Activity (ROPA) that is regularly reviewed and updated considering changes.
9. Take accountability for the agreed retention periods of both hard copy and digital data assets.

10. Collaborating with the Information Governance function who will maintain the Information Asset Register and are responsible for ensuring adherence to retention periods.
11. Collaborating with property services to ensure safe a secure physical document storage is available. Owners of the physical data are within the Directorates. The DPO is accountable with the Directors to ensure that data owners adhere to retention policies.
12. Deal with all reported security breaches (confirmed and near misses) by investigation, risk assessments, escalation where necessary, reporting to the regulator within timescales, notifying data subjects where necessary, providing advice and guidance to officers and training to prevent a reoccurrence where required.
13. Complete annual data protection reports, analysing trends and providing strategic advice for implementing improvements.
14. Active involvement in the end-to-end workflow process for DPIAs and sign off of all DPIA’s.
15. As the subject matter expert oversee and facilitate Data Sharing Agreements, Data Processing Agreements, MOU and others ensuring compliance with regulations.
16. Accountability for a process of Police Disclosure Requests and responsibility to ensure these are completed to the highest standard. This involves working with services to ensure they provide the necessary information and that it approved before disclosure.
17. Respond to FOI, complaints or claims relating to data protection in the set timescales.
18. Collaboration with the SARs team, offering advice and guidance on specific complex SAR requests.
19. General advice to schools on subject access requests (SARs), FOIs.
20. Monitor compliance with the regulations [Article 39 (1)(b)]. This will include:
a. collecting information to identify processing activities,
b. analysing and checking the compliance of processing activities, and
c. informing, advising and issuing recommendations to the organisations.
21. Ensure that they are easily accessible to all parts of the council, schools, the regulator and the data subject. [GDPR Article 37(2)]
22. Ensure they liaise with the data controllers to maintain appropriate methods and teams to meet the requirements of all the bodies they are representing, and ensure that the controller(s) are kept informed of issues with this requirement [GDPR Article 37(3)]
23. Ensure that they maintain the secrecy and privacy required for the role in handling of personal data [GDPR Article 38(5)]
24. Ensure that the contact details for the Data Protection Officer are published and available to the regulator, the public and the data subjects [GDPR Article 37(7)]
25. Provide advice in a proper and timely manner to the organisations on all issues which relate to the protection of personal data [GDPR Article 38(1)], and participate in the assessment of issues as requested by the controller [GDPR Article 35(1), 35(2), 39 (1)(c)]
26. Have due regard in providing advice for the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing [GDPR Article 39(2)]
27. Ensure that they maintain independence of their role and inform the controller of any attempts to interfere that may impact this [GDPR Article 39]
28. Maintain their knowledge and expertise in data protection law and practice commensurate with the organisational requirements of the council and schools [GDPR Article 37(5)]
29. Any other duties reasonably requested by management
30. Carry out all accountabilities in compliance with the Council’s Policies and Procedures.

The post holder will be the deputy chair of the Data Protection, Information and Security Strategic Governance Board. Other members include the SIRO (chair), Caldicott Guardian,
Information Governance Manager, Digital Security Manager, Head of Legal Practice and Compliance. The board remit covers assurance, decision making and escalation of issues relating to the data protection, information governance and cyber security functions.

PERSON SPECIFICATION

KNOWLEDGE, SKILLS & ABILITIES

Essential:
1. Qualification in data protection or information security or law or equivalent training and/or certification.
2. Experience (at least 3 years) of delivering data protection services which will include drafting and updating policies and procedures, assessment of DPIA’s, Data Sharing Agreements, Data Processing Agreements, dealing with disclosure requests, dealing with data breaches.
3. Demonstrable experience of providing advice and guidance at the highest levels of organisations within the business context of local government and education.
4. Experience in developing data protection training, and delivery of training.
5. Ability to engage, coach and motivate teams and set clear targets and expectations.
6. Evidence of high levels of customer service and satisfaction.
7. Experience of successfully managing performance and providing clear constructive feedback.
8. Experience of successfully implementing plans and projects to time and budget.
9. Demonstrates a good understanding of the political structure and role of elected members.
10. Ability to work collaboratively both with own service and across other services.
11. Stakeholder management.
12. Good working knowledge of using MS-365 software (Word, Excel, Outlook).
13. Exceptional English literacy (written, and verbal for customer facing roles) and numeracy skills.

Desirable:
1. Membership with certified ongoing professional development of a professional organisation related to data protection e.g., IAPP, NADPO, BCS, ISACA, (ISC)2

Qualifications & Professional registration criteria
1. Higher education / college or equivalent
2. At least 1 recognised data protection qualification which may be
(ISC)2 CISSP-ISSMP
ISACA CISM
ISACA CGEIT
CESG Certified Professional in one of the data governance areas IAPP CIPP/E and CIPM

If you are interested in this role please do reach out to me via email or telephone!

amberrayment@carringtonblakerecruitment.com

020 753 766 07