Sutton Coldfield Group Practice

Information Governance & GDPR Lead

The closing date is 01 May 2026

Job summary

We are a large, modern GP Practice with six sites serving over 50,000 patients.

We are recruiting an experienced Information Governance & GDPR Lead to take operational responsibility for GDPR compliance, DSP Toolkit assurance, and privacy governance across the organisation.

This is a specialist, standalone role reporting to the Digital Transformation Manager, with expert support from the ICB appointed Data Protection Officer for complex or high risk matters.

Main duties of the job

Lead day to day GDPR and Information Governance compliance across all practice sites.

Manage internal staff Subject Access Requests (SARs) and other information rights requests.

Act as SystmOne Privacy Officer, overseeing access controls, audit reviews, and data sharing governance.

Oversee IG incidents and data breaches, supporting investigation and reporting, including ICO liaison where required.

Own and deliver the annual DSP Toolkit submission and ongoing improvement planning.

Deliver IG training, audits, and clear, proportionate advice to staff at all levels.

About us

SCGP mission statement and values:

PASSIONATE ABOUT HEALTH - COMPASSIONATE WITH PEOPLE

Our vision is to be a bold and innovative general practice which is integrated in the community and delivers quality care in partnership with our patients.

All members of the SCGP team are dedicated to providing a quality service in order to achieve safe health services which meet patient needs.

Details

Date posted

16 April 2026

Pay scheme

Other

Salary

£40,000 to £50,000 a year

Contract

Permanent

Working pattern

Full-time

Reference number

A3813-26-0001

Job locations

228 Lichfield Road

Sutton Coldfield

B74 2UE


Job description

Job responsibilities

Manage internal staff Subject Access Requests (SARs): scope, ID checks, searches, redaction, exemptions, responses, and logging.

Coordinate incident/breach identification, triage and internal reporting; prepare materials for potential ICO notification via the DPO within statutory timescales.

Design and deliver GDPR/IG training and targeted refreshers; run internal audits/spot checks and address findings.

Conduct planned and ad-hoc information governance audits, including site visits to assess compliance with GDPR and organisational policies, as part of internal assurance and continuous improvement.

Produce reports to the Board & SMT on risks, incidents, SAR metrics, DPIAs and DSPT status.

Liaise with the ICB DPO for independent advice and escalate complex issues as needed.

Communicates clearly and professionally with all staff, explaining GDPR and IG requirements in a practical, accessible way.

Builds effective working relationships with clinical, admin and management teams, supporting them to meet data protection responsibilities.

Works constructively with the ICB appointed DPO, seeking advice and escalating issues where required, in line with NHS and ICO expectations for accountability and independence.

Handles sensitive matters (e.g., internal SARs, access concerns, incidents) with discretion, fairness and confidentiality.

Provides training and guidance that supports a positive, open culture around information governance.

Completes SARs, incident assessments, DPIAs and DSP Toolkit tasks accurately and within required timescales, as expected under NHS England policy and ICO guidance.

Ensures consistent application of IG policies and standards.

Demonstrates good judgment, proportionality and risk awareness when advising staff or escalating to the ICB DPO.

Delivers training, audits and actions that support ongoing compliance and continuous improvement.

Person Specification

Experience

Essential

  • Practical experience applying UK GDPR and the Data Protection Act 2018
  • Experience managing SARs or comparable information rights processes
  • Understanding of DSP Toolkit requirements for GP practices or similar settings
  • Ability to work independently and manage workload across multiple sites
  • Strong communication skills and sound professional judgement
  • Confidence overseeing system access controls and audit processes

Desirable

  • Experience within NHS primary care or another regulated environment
  • Experience acting as, or supporting, a Privacy Officer or IG governance role
  • Experience completing DPIAs, incident reviews, or IG audits
  • BCS Data Protection qualification or willingness to work towards one
  • IAPP CIPP/E, CIPM, or similar recognised qualification

Employer details

Employer name

Sutton Coldfield Group Practice

Address

228 Lichfield Road

Sutton Coldfield

B74 2UE


Employer's website

https://leyhillsurgery.co.uk/

Employer contact details

For questions about the job, contact:

Digital Transformation Manager

Dominic Barnes

dominicbarnes@nhs.net

Privacy notice

Sutton Coldfield Group Practice's privacy notice