EPR Information Governance Lead

Closing Date: 09 January 2026

This is an exciting opportunity to contribute to a major digital initiative designed to transform the delivery of care at South London and Maudsley NHS Foundation Trust (SLaM). The Electronic Patient Record (EPR) Programme stands as one of the most ambitious change projects in the Trust's history. Its aim is to streamline staff workflows, enhance safety, and ultimately achieve improved outcomes for service users.

We are committed to getting the very best out of our staff and supporting staff in their career aspirations. Career pathways are available, allowing you to develop your skills and build on your experience to progress into other roles across different specialties. We also offer ongoing training and development in conjunction with the BCS membership.

The EPR Information Governance Lead is central to the successful implementation and integration of a new Electronic Patient Record system. This pivotal role is responsible for leading all information governance activity associated with the design, testing, implementation and adoption of the new EPR, working alongside the Trust Data Protection Officers (DPOs) and other colleagues to ensure that SLaM's EPR Programme meets statutory obligations with regards to Information Governance and Data Protection.

As the programme's IG subject matter expert, the post-holder will interpret national policy and guidance and lead on the development and/or modification of IG related programme collateral – including Data Privacy Impact Assessment documents, Data Sharing/Data Processing agreements and Data Security & Protection Toolkits (DSPTs). The post-holder will also lead on mitigation and oversee the management of data risks associated with the implementation of the EPR across the Trust.

We pride ourselves on offering flexible working as part of our new ways of working. In this role you will be able to work Monday to Friday between 8 am and 6 pm, giving you a good work‑life balance.

This role is in the Digital PMO, which sits under the Digital Services Directorate. The Directorate utilises technology and digital solutions to empower staff to work effectively and to improve the care our service users receive.

The Digital team is located across three main sites:

• Our Trust headquarters at Denmark Hill, less than 5 minutes from the train station (zone 2), within walking distance of the green spaces of Ruskin Park and a vibrantly high‑street with great shopping.

• St Pauls, located within the Bromley area, less than 10 minutes from the train stations (Bromley South, Bromley North and Shortlands), within walking distance of Bromley Park and the high‑street.

• Bethlem Royal Hospital, set in a beautiful 200‑acre green space in the London Borough of Bromley, South East London, with free parking and convenient access to main roads and nearby stations.

Key Responsibilities:

1. Information Governance Leadership

Support the DPO by leading on all IG‑related activities across the EPR Programme lifecycle, from procurement to post‑implementation.

Provide specialist advice and assurance to the EPR Programme Board, SRO, and Programme Director on IG and data protection risks, controls, and mitigations.

Develop and maintain programme‑level IG artefacts including:

• Data Protection Impact Assessments (DPIAs)
• Data Sharing / Processing Agreements
• Privacy Notices and Records of Processing Activities
• IG Risk Registers and Mitigation Plans

Embed data protection by design and by default principles in all new workflows, integrations, and supplier relationships.

Ensure all IG artefacts gain appropriate internal approval.

2. Data Protection Compliance

Ensure that the EPR Programme aligns with UK GDPR, the Data Protection Act 2018, and NHS guidance.

Support the DPO in monitoring and evidencing compliance, and ensure all relevant activities are reflected in the Trusts Data Security and Protection Toolkit (DSPT).

Review and assure supplier contracts to ensure robust data processing clauses and lawful data sharing arrangements.

Lead on the management of IG incidents and support Root Cause Analysis (RCA) related to the programme.

3. Liaison and Partnership

Act as the key point of contact for all IG and data protection matters within the EPR Programme.

Work collaboratively with:

• The Trusts DPO, SIRO, and Caldicott Guardian
• Digital Security and Clinical Safety Officers
• Legal and Procurement teams
• Third‑party suppliers (e.g., system vendors, integration partners)
• Information Governance and Records Management teams across SLaM and the wider South London Partnership (SLP)

Ensure alignment with regional and national data protection standards and share best practices with other Trusts undertaking EPR implementations.

4. Assurance and Reporting

Develop and maintain programme‑level IG dashboards and reports for governance forums (e.g. Programme Board, SIRO reports, and Trust Information Governance Group).

Provide expert input into programme risk registers and contribute to external assurance reviews (e.g. IG audits, compliance inspections).

Liaise with the Information Commissioners Office (ICO) where necessary, supporting the DPO in formal submissions.

5. Policy, Training, and Culture

Support the update and development of relevant Trust policies relating to data protection, confidentiality, and records management as they pertain to the EPR.

Promote an open and informed culture around data protection and IG awareness within the EPR Programme and wider clinical teams.

Develop and deliver IG training materials specific to the new EPR and associated change programmes.

Support embedding of the Caldicott and confidentiality principles within the system design and rollout.

• Degree or equivalent experience. BCS Practitioner Certificate in Data Protection or equivalent.
• MSc in Information Governance / Law / Health Informatics. Professional registration with IAPP or BCS.

• Extensive knowledge of Information Governance and Data Protection within the NHS, including GDPR, DPA 2018, Caldicott Principles, DSPT. Experience leading IG in a large NHS digital transformation or EPR implementation. Experience interpreting complex legislation and applying it to digital and clinical workflows.
• Proactive, collaborative, and diplomatic. High integrity and commitment to confidentiality. Comfortable working in a complex and changing environment.
• Excellent interpersonal and influencing skills across technical and clinical teams. Strong analytical and report‑writing skills. Ability to manage competing priorities and deliver to tight deadlines.
• Extensive operational expertise and knowledge in Information Governance and Information Security principles and practices.
• Knowledge and understanding of the NHS Data Security and Protection Toolkit.
• Substantial management experience at a senior level.
• Able to demonstrate a track record of achievement at a senior level.
• Ability to provide and receive highly complex, highly sensitive or highly contentious information, where developed persuasive, motivational, negotiation, training, empathic or re‑assurance skills are required.
• Ability to present complex, sensitive or contentious information to a large group.
• Ability to make judgments on multi‑stranded or complex IM&T problems which may have no precedent or where there are conflicting opinions.
• Ability to manage, motivate and develop staff.
• Collaborative approach and good team working.
• Previous experience of working directly with EPR systems (e.g., Cerner, Epic, RiO, CareNotes (ePJS)). Experience of multi‑Trust or regional IG collaboration.
• Experience of line‑managing IG or data protection staff.

This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.

South London and Maudsley NHS Foundation Trust

£72,921 to £83,362 a year per annum inclusive of HCAS