
A leading healthcare provider in Chertsey is seeking an Information Governance Manager to lead on all aspects of Information Governance. You will take on the roles of Data Protection Officer and Privacy Officer, ensuring compliance with data protection laws. Ideal candidates will have a relevant degree and experience in the NHS. The position offers a comprehensive benefits package and opportunities for professional development.
The closing date is 30 November 2025
Lead on all aspects of Information Governance.
Assume the role of Data Protection Officer and Privacy Officer for the Trust (DPO / PO).
Be responsible for the Freedom of Information function (FOI).
Be responsible for coordinating the submission of the Data Security and Protection Toolkit (DSPT).
To have made an effective contribution to achieving the Trust's vision, strategic objectives and key work programmes by:
Ashford and St. Peter's Hospitals NHS Foundation Trust serves a population of more than 410,000 people living in North-West Surrey, parts of Hounslow and beyond.
Over 3,700 highly trained doctors, nurses, midwives, therapists, healthcare scientists and other support staff make up our workforce, providing a wide range of services across our two hospital sites, Ashford, Surrey and St Peter's, Chertsey, Surrey.
We also run many specialist clinics in the community and local community hospitals and other healthcare facilities.
Our vision is to be one of the best healthcare Trusts in the country. There has never been a better time to join us in the NHS at ASPH. We are committed to providing continuous professional development and flexibility to shape our workforce around our patient care.
We are expanding our theatres at Ashford Hospital and moving towards this becoming our dedicated elective centre. We want to create a state‑of‑the‑art centre for excellence for planned surgical procedures.
We can offer you the full range of NHS benefits/discounts and in addition:
Adverts may close early, so applicants are encouraged to submit an application as soon as possible.
For more information about a career at ASPH please visit: www.asph-careers.org
To act as a source of expertise on Information Governance issues to all relevant areas of the Trust including but not limited to: Executive Board, Business Centres and the Information Services Team.
Advise on Information Governance issues, and in particular Information Security, Data Protection and Freedom of Information, that arise with transformation or systems development to ensure best practice is adhered to.
Provide advice and support in the investigation and management of Information Governance incidents including national reporting and incident‑management for more serious cases as appropriate.
Work with and support the Trust leads for other aspects of Information Governance ensuring the Trust works towards the highest possible attainment level for data security and protection governance standards as evidenced by the Data Security and Protection Toolkit.
Work proactively with operational managers and other stakeholders to ensure that the Trust’s information governance processes meet the business requirements of the organisation.
Responsibility for developing Trust procedures and processes relating to all areas of Information Governance, in particular those covering record keeping, records transfer, information security and information sharing.
In collaboration with the Head of Digital Infrastructure and Cyber security colleagues, examine and advise on all aspects of computer security policies including logon procedures, password setting and ageing and all other relevant matters covered in Best Practice Guides.
Maintain up-to-date knowledge of new developments in Data Protection legislation and related provisions.
Continue to maintain specialist knowledge in the field of Information Governance, keeping up to date with any changes and recommended good practice and to be responsible for keeping abreast of new government initiatives and requirements relating to IG.
Provide advice and guidance on rights for data subjects and ensure that the Trust’s privacy notice is regularly reviewed and updated.
Manage Data Subject Access Requests for information outside the medical record (eg. Police, Department of Health & Social Care, Coroners, Surrey County Council, Social Services, Safeguarding, staff members / ex‑staff members, patient complaints, ICO complaints, solicitors etc).
Assume the role of the Data Protection Officer (DPO), reporting directly to the Trust Board in matters relating to data protection assurance and compliance. The DPO acts under contract to the Trust and must not receive specific direction from any other staff member. Responsibilities include:
Serve as the Privacy Officer (PO), receiving and investigating SCR notifications.
Act as the Trust’s lead for Data Protection, working closely with the Trust’s Caldicott Guardian.
Lead on the Trust’s Caldicott Assurance Plan.
Ensure that Information Governance responsibilities and accountabilities are defined, communicated and acted upon.
Lead on the Information Security Assurance Plan.
Develop and maintain currency of the Trust’s Freedom of Information (FOI) publication scheme.
Manage the FOI administrator, ensuring they are appraised regularly, including weekly 1‑2‑1 meetings.
Be responsible for all FOI requests received by the Trust, signing off before responses are sent out and advising on use of legal exemptions.
Manage appeals and internal reviews against decisions to refuse FOI requests.
Manage the Data Security and Protection Toolkit within the Trust, controlling user access, reminding contributors of deadlines, providing relevant training, advising on suitability of evidence and signing off evidence before submission, working with the auditor to ensure compliance with a subset of DSPT requirements. Report risks, issues and incidents to the Information Governance Steering Group.
Attend meetings of the Trust Information Governance Steering Group and deliver progress reports on improvement to the Information Governance service.
Co‑ordinate all statutory and external audits of Information Governance.
Act as Privacy Officer for the Trust conducting proactive and reactive audits for user access to Evolve, Cerner EPR, BadgerNet, TVS Surrey Care Record (SyCR), National Care Records Service (NCRS) etc.
Carry out quarterly unannounced spot checks in order to measure the Trust’s compliance with national and local Information Governance standards.
In conjunction with IT colleagues, investigate, manage and report cyber incidents.
Maintain the Trust’s notification registration with the Information Commissioner and inform all relevant locations of the details of registration and responsibilities.
Liaise directly with the Information Commissioner's Office as required.
Produce an annual report and action plan on Information Governance in the Trust for the Trust Audit Committee.
Be responsible for delivery of the Information Governance Improvement/Action Plan and co‑ordinate the annual audit to confirm and score compliance.
Co‑ordinate and ensure delivery of an improvement plan to ensure compliance with data security and protection standards and relevant legislation.
Lead the development and roll out of training programmes to managers and staff to support Information Governance, ensuring all members of the organisation are aware of and appreciate the importance of information governance and accept their responsibility for its delivery.
Lead on the development of Information Governance documentation, including templates and document formats used, e.g. Word documents versus webforms.
Lead on the continuous improvement of Information Governance processes and SOPs to deliver earlier consideration of IG within change initiatives and procurements and faster turnaround of high‑quality documents from clinical and operational colleagues.
Work closely with colleagues in similar posts in partner organisations across the local health economy to ensure the delivery of Information Governance across all organisations.
Maintain the Trust Information Governance section of the intranet and internet.
Manage the Information Governance mailbox, the Caldicott mailbox and the Police Liaison mailbox.
Support the department and organisation by carrying out any other duties that reasonably fit within the broad scope of a job of this grade and type of work.
Used as a reference for selection and assessment.
This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.
Ashford & St. Peter's Hospitals NHS Foundation Trust