Head of Information Security & Data Protection Officer
Job summary
Nottingham CityCare Partnership is a Social Enterprise, providing commissioned services to the NHS. That means we have all the benefits (Agenda for Change terms and conditions, NHS Pensions etc.) but with more flexibility than a traditional NHS Trust.
We have a great opportunity for an experienced Senior Information Governance and Data Protection Professional to join CityCare's Corporate Services team as Head of Information Security and Data Protection Officer.
Reporting to the Director of Finance & Corporate Services (SIRO), the Head of Information Security & Data Protection Officer will lead the team of Information Security & Records Management Officers to ensure delivery of an efficient and effective data protection and records management function.
Working closely with CityCare's Senior Information Risk Owners, Caldicott Guardians, and key Information Management and Cyber Security colleagues, you will provide a high-quality Information Security, Records Management, and Data Protection Service to CityCare's Directorates.
The role will ensure that Data Protection Impact Assessments are carried out and embedded, Data Sharing and Processing Agreements are completed, and policies and procedures are developed and adhered to, whilst leading the organisation's submission of the Data Security and Protection Toolkit.
Main duties of the job
Working in a small but highly valued team, you will be expected to be a team player and adopt a flexible approach to suit the variable and developing workload in the Information Security team.
As Data Protection Officer, you will fulfil the statutory obligations to ensure compliance with GDPR whilst informing the organisation and its employees of their obligations under national data protection legislation and be the named point of contact with the Regulatory Authorities.
You will have effective planning, organisation and communication skills and will be responsible for ensuring that an appropriate level of advice, guidance and training is provided, in addition to policy development.
You will have the ability to work independently using high levels of discretion, judgement and critical analysis. Part of this fast-paced role will require the post holder to be an effective communication link between internal and external stakeholders and to be the voice of CityCare at a variety of meetings with Key System Partners.
Some key responsibilities:
- To undertake the statutory / legislative role of Data Protection Officer.
- To inform and advise the organisation and its employees of their obligations under the UK General Data Protection Regulation, and other national data protection legislation.
- To advise the organisation on all aspects of the General Data Protection Regulation in an independent and autonomous manner.
Please see the Job Description for full details.
About us
We are a provider of NHS Community Health Services. CityCare exists to support the health and wellbeing of all local people, working alongside other health and care partners to achieve this. We are a value-driven, people business with a passion for excellence. Our vision and social purpose is to make a difference every day to the health & wellbeing of our communities, and our values of kindness, respect, trust and honesty lie at the heart of everything we do, guiding how we work together with partners and each other to consistently deliver high quality compassionate care. As a social enterprise we aim to add social value by investing in the future of our local communities and helping to make a difference in people's lives.
CityCare values the benefits of a diverse and inclusive workforce. We encourage applications from candidates who identify as disabled, LGBT+ or from a Black, Asian or Minority Ethnic (BAME) background, as they are currently under-represented within our organisation.
We are proud to be a forces-friendly organisation and are dedicated to supporting Veterans, Service Leavers, Reservists, and military spouses/partners. We value the unique skills and contributions you bring.
CityCare is an equal opportunities employer. We are positive about employing people with disabilities. If you require your application in a different format please contact People Services on 0115 8839418. CityCare is committed to the protection of vulnerable adults and children.
Job description
Job responsibilities
Job Purpose
Leading an Information Security & Records Management team, the postholder will work closely with CityCare's Senior Information Risk Owners, Caldicott Guardians and key Information Management and Cyber Security colleagues to provide a high-quality Information Security, Records Management and Data Protection Service to CityCare's Directorates.
The postholder will assist the Senior Management Team in providing vital support and assurance on CityCare's current and proposed future developments in relation to data protection legislation, including the UK General Data Protection Regulation, Data Protection Act, Records Management legislation and good practice, providing expert advice to all levels of the organisation.
The postholder will ensure robust systems of assurance are in place for Information Security / Information Governance, Data Protection and Records Management and provide strategic leadership by advising Senior Management on the priorities and risks for Information, Cyber and Records Management in line with legislative requirements and best practice.
The postholder will lead on CityCare's submission of the Data Security and Protection Toolkit.
The postholder will also fulfil the statutory role of Data Protection Officer under current data protection legislation to ensure compliance with GDPR, in which role they will be accountable to the Director of Finance and Corporate Services / Senior Information Risk Owner.
Dimensions
The postholder will provide strategic leadership to a range of Information Security, Data Protection and Records Management programmes, working with Digital, Information Technology, Cyber Security and other specialists to deliver an agreed set of best practices and operational considerations for CityCare.
The postholder will provide assistance to the Senior Leadership Team, Managers and Project Leads to ensure that standards of confidentiality, security, integrity and availability of the organisation's personal and corporate data are effectively managed, including the development of strategies, policies and standard operating procedures.
The postholder will provide expert advice to Senior Management and all employees on matters relating to Information Security, Data Protection and Records Management and related legislation including the Data Protection Act, GDPR, PECR, FOIA, Access to Information, Records Management Code of Practice, Common Law Duty of Confidentiality etc.
Key Responsibilities
Data Protection Officer:
- To undertake the statutory / legislative role of Data Protection Officer.
- To inform and advise the organisation and its employees of their obligations under the UK General Data Protection Regulation, and other national data protection legislation.
- To advise the organisation on all aspects of the General Data Protection Regulation in an independent and autonomous manner.
- To be the named contact point and to work with the Regulatory Authority (Information Commissioner's Office (ICO)), seeking advice where necessary, escalating information risks and supporting in full any ICO-led enquiries.
- To develop effective relationships and ensure the organisation is involved in local, regional and national networking opportunities.
- Provide specific support to the Senior Information Risk Owner, Caldicott Guardian and their deputies, and to relevant teams and individuals.
- Ensure Data Protection Impact Assessments are carried out and become embedded, whilst identifying high-risk processing where mitigating actions are insufficient to reduce the risk to an acceptable level and where proactive escalation to, and support from, the ICO is required.
- Initiate investigations into complaints about breaches of the Data Protection Act/GDPR and undertake reporting/remedial action as required. Assist with complaints in relation to data protection and release of information, especially where Commissioners and National Inquiries are involved. Ensure serious information breaches are reported in line with the GDPR requirements in terms of timescales and overseeing bodies, involving and keeping updated the Information Commissioner's Office as necessary.
- Undertake highly complex information risk analysis and management, particularly of Personal Identifiable Data (PID) and via data flows.
Information Security, Records Management and Cyber Security:
- To provide day-to-day line management for the Information Security and Records Management team.
- To provide strategic direction, advice and guidance on the diverse range of topics and issues that constitute Information Security across CityCare.
- Responsible for ensuring the Data Security and Protection Toolkit (DSPT) returns are completed for CityCare, relevant to a Community Provider organisation.
- Generating assurance and supporting Managers/Service Leads to comply with the requirements of the DSPT standards, implementing remedial measures and developments identified during the management of the DSPT.
- To facilitate information security compliance with the ISO 27000 series in line with the standards within the DSPT.
- To be responsible for coordinating all standards relating to Records Management within the DSPT.
- To facilitate effective risk management, with links to the organisational risk register.
- To advise on any changes required to maintain organisational compliance with Information Security, Data Protection and Records Management procedures, supporting Managers to implement action plans and having accountability for providing assurance to the Board, Sub-Committees and Groups regarding compliance.
- To analyse complex information and present it in a clear format to different levels of staff, including the interpretation of law and best practice into localised guidance.
- Develop and support the implementation of effective policies and procedures in accordance with legislation, in anticipation of change and in response to requests from the Health Community. To support Management to embed these policies into everyday practice.
- To develop, design and provide awareness raising for all levels of staff, and appropriate training, including for specialist roles such as Access to Records, Information Asset Owners and Information Asset Administrators, in response to CityCare's requirements and the changing Information Security/Governance agenda and in accordance with legislation.
- To maintain the Information Asset Register / Data Flow Mapping on behalf of the organisation, and work with Information Asset Owners and Information Asset Administrators to fulfil their roles.
- To support the Subject Access Request (SAR) process where a request is contentious/complex, providing expert advice and guidance as required.
- To undertake data breach assessments, monitor Information Security incident forms and investigate breaches in security and confidentiality, liaising closely with the SIRO and Caldicott Guardian. To lead on any complex serious incidents relating to data breaches and information risks, including where appropriate reporting to other DPOs, Regulators (ICO) and Authorities (e.g. Police).
- Support the CityCare internal and external audit processes (including the Commissioning for Quality and Innovation (CQUIN) monitoring), as well as managing a number of high-level analytical projects, to include the development of robust systems to audit and monitor adherence to existing policies and protocols specific to corporate records management and DSPT requirements.
- To map data and information flows within and external to the organisation to build assurance of processes and controls and identify opportunities for continuous improvement.
- Ensure robustness and development of Information/Data Sharing Agreements and Information Transfer Agreements at CityCare, including awareness raising and governance processes.
- To liaise with external organisations to develop and regularly review appropriate data sharing protocols/agreements and arrangements across organisational boundaries, and facilitate integrated working between Health and Social Care, and other Partners.
- To work closely with Nottinghamshire Health Informatics Service in the implementation of cyber security strategies, guidance and policies at CityCare, whilst representing CityCare at the relevant Cyber Security Partnership Meetings.
- To support the development of Data Protection Impact Assessments as required, in conjunction with the role of Data Protection Officer.
- To maintain relationships with members of the public and internal / external stakeholders whilst ensuring that queries are dealt with confidentially, sensitively, effectively and to a high standard, using own judgement to decide on the course of action.
- To ensure CityCare's Privacy Notice is kept up to date and compliant with UK GDPR.
- To provide expert support and specialist advice and guidance to all levels of the organisation on the appropriate legislation and best practice in relation to all areas of records management, information security and data protection.
- To develop, implement and monitor the effectiveness of the audit plan of the Information Security, Data Protection and Records Management Service, reporting any findings to the relevant Committees and escalating concerns to the Director of Finance & Corporate Services (SIRO) and/or Caldicott Guardian as required.
- To lead on the systems and processes needed to assure the Board that the organisation has effective systems for clinical and corporate information management in place, including but not limited to effective governance of clinical and corporate records, policies, and documents.
Person Specification
Skills and Attributes
- Specialist knowledge and understanding of national and European Information Governance, data protection legislation and practices, and related national guidance, including GDPR, the Data Protection Act, Caldicott principles, common law duty of confidentiality, the Human Rights Act, records management, information security and information sharing.
- The ability to critically review, challenge and effectively utilise Data Protection legislation.
- In depth understanding of the application of Information Governance in a healthcare setting.
- Understanding of NHS information flows and associated risks.
- Detailed specialist knowledge of GDPR and other relevant legislation.
- Ability to manage complex corporate, clinical and operational situations that involve staff from all levels within an organisation and across a range of professional boundaries.
- High level drive and determination.
- Ability to receive and advise on complex and continuous issues.
- Excellent analytical and problem solving skills.
- Excellent facilitation, influencing and negotiating skills.
- Good organisational and established self-directed time management skills.
- Ability to think strategically and plan ahead.
- Excellent written and oral communication skills to be able to communicate effectively with all staff at all levels and across organisational boundaries.
- High level of IT competency, including Microsoft Word, Excel and Microsoft Outlook email.
- Ability to prioritise work/manage deadlines.
- Able to work effectively in a team, supporting others and challenging colleagues' views and attitudes when necessary.
- Ability to assess a situation, set priorities and problem solve quickly and effectively.
- Relevant experience in legal, compliance, data security (IT and/or information).
- Using and advising on the use of electronic patient records (e.g. SystmOne) including advising on system changes.
- Project management skills/proven ability to lead projects.
Special Criteria
- Ability to be flexible over hours worked within contracted hours to meet the needs of the service.
- Ability to work out of hours (within reason).
- Able to attend the office at least 2 days per week and to travel to various locations / CityCare bases.
Experience
- Experience of working in a senior management position in a relevant field.
- Demonstrable experience of leading on Information Governance/Security areas within an organisation.
- Experience of collaborative working and successfully working in a complex and politically sensitive environment.
- Experience of working with the Data Security and Protection Toolkit, ensuring compliance and completing action plans.
- Experience of networking with a range of professionals at all levels.
- Experience of developing long term strategies which impact across Directorates.
- Experience in creating policy documents and training materials (including delivering training to a range of staff in a variety of settings).
- Experience in undertaking audits.
- Experience of managing risks/incidents pertinent to Information Security, e.g. advising on actions from incidents and managing relevant risks on the risk register.
- Proven success in the management of change.
- Evidence of experience of project work using a multi-agency approach.
- Leading on IG/Information Security improvement work within a relevant health care background.
Qualifications
- Master's qualification, degree or equivalent level of knowledge acquired through experience and further training/development.
- Knowledge of Information Security, Data Protection or Records Management acquired through qualification or equivalent level of knowledge acquired through experience and further training/development.
- Additional knowledge/accreditation gained through training and senior level experience.
- Evidence of continuous professional development.
- Post Graduate studies in relevant area.
- BCS Certificate in Data Protection.
- BCS Information Security.
- Specialist qualification in GDPR.
- Teaching or training qualification.
Employer details
Employer name
Nottingham CityCare Partnership CIC
Address
Aspect House, Aspect Business Park
26 Bennerley Road
Bulwell
Nottinghamshire
NG6 8WR
Employer's website
https://www.nottinghamcitycare.nhs.uk/
- Company
- Nottingham CityCare Partnership CIC
- Location
- Bulwell, United Kingdom NG6 8WR
- Employment Type
- Permanent
- Salary
- £62215.00 - £72293.00 a year
- Posted