Job responsibilities
Key operational results areas
- Work with the DPO to ensure the completion of the Trust's Data Security and Protection Toolkit assessment, collating evidence and undertaking compliance audits.
- To advise on and provide updates to IG and cybersecurity e-learning training to ensure staff have access to up-to-date and relevant IG and data security and protection training.
- To ensure the development and delivery of the UK GDPR compliance action/improvement plans, monitor progress and report.
- To ensure the Trust's contractors and support organisations have adequate IG arrangements in place.
- To ensure the development of local information sharing agreements as required.
- To provide support/undertake data privacy impact assessments.
- To ensure fair processing notices are adequate for flows of personal confidential information.
- To support the Trust's Information Asset Owners in information asset management and assist with undertaking risk assessments.
- To support the management and response to information security incidents.
- To maintain on-going personal development and knowledge of data protection laws, issues and developments.
- Freedom to take actions as the lead specialist, based on own interpretation of policy, to conduct complex investigations into suspected or actual breaches of data protection and security and provide formal written reports advising how legislation and/or policy should be interpreted directly to the Information Asset Owner, Human Resources business partner and service leads. These cases could lead to disciplinary action being taken against staff.
- Participate in relevant internal and external working groups/projects, services and initiatives to provide information and analytical advice and expertise.
- Liaise with senior managers of stakeholder organisations, NHS cyber security teams, the Counter Fraud Service, the Police and external organisations, as required, when investigating incidents.
- Investigations into abuse of IT services such as internet and email may occasionally expose the post holder to distressing images and require the post holder to act as a professional witness in disciplinary hearings etc.
- The alignment of digital and operational processes with legislative, NHS and business security requirements.
- Work with the wider digital team in the identification and management of data protection and data security risks, ensuring that digital and operational services maintain compliance in line with the overall Trust corporate governance framework, designing and maintaining appropriate data protection and data security controls and plans with procedures for their operation and maintenance.
- Work with services and digital teams to identify and classify information assets and the level of control and protection required.
- Ensuring that the confidentiality, integrity and availability of trust information is maintained and the public trust in the organisation is promoted and maintained.
- Ensuring that all access to services by external partners and suppliers is subject to contractual agreements and appropriate responsibilities documented.
- Be responsible for a high standard of work supporting the delivery of Information Governance to quality standards and in a cost-effective manner. Maintain documentation and associated plans with regular team meetings to monitor progress and resources.
- Overseeing team members to deliver the requirements listed above; engage and liaise with key stakeholders, in particular:
- To support the delivery of day-to-day activities and projects
- Support the development and maintenance of a high performing IG team
- Advocate Data protection and cyber security during all interactions with staff across all roles and levels within the trust.
- Act as Information Asset Administrator for IG-related assets, including the Trust's Information Asset Register.
Customer care for patients and/or service users
- To act as a champion for patients and their interests in relation to data security and protection
- To ensure all staff and occasional public and patient contact with the office is of the highest professional standard
Leadership and management
- To provide line management for the IG team
- Be visible and available to provide support and guidance for the team and wider organisation staff. This will require on site working with a minimum of 2 days per week on site if a hybrid working pattern is adopted.
- Responsible for undertaking appraisal and personal development for staff within the team
- To support, motivate and develop staff within the team to ensure that they are able to deliver the trust and team objectives
- Liaise with other Managers to share best practice
- Plan, organise, deliver, and review regular IG and ad hoc stakeholder awareness workshops and training sessions on Data security and data protection that raise the awareness of staff of information governance issues and ensure their compliance with policies and procedures, ensuring the collaboration of Human Resources, Training, Data Protection and Information Governance Lead. Take personal responsibility for delivering some of these awareness training programmes. Develop materials to enable others to deliver training in a standard manner
Communications and working relationships
- The post holder will be a contact point in the organisation for IG and provide advice to IAOs, IAAs and liaise with the DPO, Caldicott Guardian and SIRO.
- Provide advice and take action, where necessary, in response to Audit findings and recommendations in respect of information governance.
- Work internally in the development and implementation of IG policies and procedures.
- Act as a consultant to projects, advising on matters relating to information governance & security.
- To work with the Associate CIO for IG and health records (DPO) to ensure that the Trust fully complies with relevant legislation, agreed policies and procedures.
- To deputise for the Associate CIO for IG and health records (DPO) as required in representing the Trust both on internal and external user groups ensuring that the Trust's priorities are effectively communicated, promoted and implemented.
- Ensure that Trust staff know how to report any data protection and data security breaches, incidents, malfunctions and suspected system weaknesses and threats.
- Management of IT security policies, and supporting set of policies, and their controls including their development and review and facilitation of their ratification
- Responsible for proposing and drafting changes, implementation and interpretation to policies and guidelines.
- Ensure that IT security and IG policy is enforced and communicated to all parties.
- Where necessary to liaise with external organisations on IT/cyber security matters, drafting and implementing joint policies and procedures and ensuring external network connections adhere to all appropriate security policies.
- Identify areas within the trust that are inadequately covered by IT/cyber security policies and procedures and, in consultation with operational manager IT specialists, and Data Protection Officer, develop new policies and procedures to cover these areas. Support Digital senior leads in presenting these to the relevant Boards or other approval bodies.
- The post holder will need to maintain a good knowledge of emerging policies from government departments. This will assist in the thinking and definition of the strategy discussions for the network and stakeholders.
Research and development
- Develop and implement ad-hoc audit programmes to test system and data security measures, review findings and improve those system and data security measures
- Plan, develop and evaluate methods and processes for gathering, analysing, interpreting and presenting data and information