Job summary
Senior Information Governance Officer (Band 6):
- Supports the Head of Information Governance and IG Managers to ensure the Health Board complies with data protection laws and good IG practice.
- Provides expert advice, delivers training, and helps with policies, records management, and Subject Access Requests.
- Requires strong knowledge of data protection, excellent communication, analytical skills, and experience in IG.
Main duties of the job
The main duties of the Senior Information Governance Officer (Band 6):
- Lead on managing and investigating information governance (IG) breaches.
- Support and approve Data Protection Impact Assessments (DPIAs).
- Conduct and follow up on IG audits and report findings.
- Provide expert IG advice and operational support to staff at all levels.
- Identify and report on breach trends, and create improvement plans.
- Support the implementation of IG incident management procedures.
- Review and maintain IG systems for compliance.
- Assist in reporting data breaches to the ICO and informing data subjects.
- Deliver IG training and draft guidance documents.
- Oversee Access to Health Records requests and ensure statutory compliance.
- Line manage IG Officers and Access to Health Records Clerks.
- Communicate with staff, the public, and external organisations on IG matters.
The ability to speak Welsh is desirable for this post; English and/or Welsh speakers are equally welcome to apply.
About us
Hywel Dda University Health Board plans and provides NHS healthcare services for people living in Carmarthenshire, Ceredigion, Pembrokeshire, and bordering counties.
We have over 13,000 staff and together we provide primary, community, in-hospital, mental health and learning disabilities services.
We work in partnership with the three local authorities, as well as public, private and third sector colleagues, including our valued team of volunteers.
Our services are provided in:
- Four main hospitals: Bronglais Hospital in Aberystwyth; Glangwili Hospital in Carmarthen; Prince Philip Hospital in Llanelli; and Withybush Hospital in Haverfordwest
- Five community hospitals: Amman Valley and Llandovery hospitals in Carmarthenshire; Tregaron Hospital in Ceredigion; and Tenby and South Pembrokeshire hospitals in Pembrokeshire
- Two integrated care centres: Aberaeron and Cardigan in Ceredigion, and several other community settings
- 47 general practices (six of which are health board managed practices); dental practices (including four orthodontic); 97 community pharmacies; 43 general ophthalmic practices; and 8 ophthalmic domiciliary providers
- Numerous mental health and learning disabilities services
Job description
Job responsibilities
Key Responsibilities
- IG Breach Management: Lead on IG breaches, managing incidents from initial report to closure, including advice on recovery, containment, and lessons learned. Support the IG Breach Lead with high-level breaches.
- Data Protection Impact Assessments: Support and approve DPIAs, identify risks, and advise on mitigation, escalating when necessary.
- Auditing: Lead on audits related to IG breaches, report findings, and support the IG Team in raising awareness of responsibilities under Data Protection legislation.
- Expert Advice: Provide IG advice to staff at all levels, draft reports, and support operational IG tasks (e.g., data sharing agreements, privacy notices, Subject Access Requests).
- Trend Analysis: Identify and report on breach trends, produce statistics, and create improvement plans.
- Incident Management: Support implementation of IG incident management procedures and assist staff in reporting incidents.
- Compliance Monitoring: Review and maintain IG systems, ensure compliance with legislation, and take action on non-compliance.
- Training & Communication: Deliver training, draft guidance, and communicate complex IG issues to staff and external stakeholders.
- Records Management: Oversee Access to Health Records requests, ensure statutory compliance, and adapt systems as needed.
- Audit Support: Participate in internal and external audits, produce reports, and maintain accurate records.
- Redaction & Guidance: Redact sensitive information for disclosures and provide guidance on retention periods and IG policies.
- Resource Management: Ensure efficient use of resources and support the department's operational needs.
- Line Management: Manage IG Officers and Access to Health Records Clerks, ensuring training and performance objectives are met.
You will be able to find a full job description and person specification attached within the supporting documents.
The Health Board is committed to supporting its staff to fully embrace the need for bilingualism thereby enhancing patient and service user experiences. In our commitment to increase the number of staff who are able to communicate in Welsh with patients and professionals, we welcome applications from Welsh speakers.
The ability to communicate in Welsh is desirable for this post. If you do not meet the Welsh Language requirements specified, the Health Board offers a variety of learning options and staff support to help you meet these minimal desirable requirements during the course of your employment with us.
Interviews will be held on 14/11/2025
Person Specification
Qualifications and Knowledge
Essential
- Degree level or equivalent management experience
- Further knowledge to postgraduate diploma level, e.g.:
  - Data Protection professional qualification, e.g. BCS Foundation Certificate / Practitioner Certificate in Data Protection
  - Expert knowledge and understanding in the principles of the DPA, GDPR, FOIA and NHS Code of Confidentiality
  - Expert knowledge in the areas of Caldicott, patient confidentiality, WASPI and information sharing, privacy notices, Data Protection Impact Assessments and information security
- Evidence of continuous professional development
Desirable
- Knowledge of risk management processes
- Knowledge of Health and Care Standards
Experience
Essential
- Previous information governance experience
- Previous breach/complaint management experience
- Previous Data Protection Impact Assessment support & approval experience
- Previous experience of report preparation and delivery
- Previous experience of dealing with complex and confidential issues
Desirable
- Previous information/ IT security experience
- Previous auditing experience
- Previous project management experience
- Previous experience of working within the NHS or other healthcare setting
- Successful change management and negotiation experience
- Previous experience of risk assessment
- Experience of using Datix system
Other
Essential
- Ability to work in a busy, sometimes stressful environment, and to deal with interruptions and changing priorities
- Professional and confident manner
- Self-motivated, dynamic and proactive
- Adaptable and flexible to meet any changing service needs with enthusiasm
- Highly confidential always
- Ability to deal positively with difficult situations e.g. verbal abuse from patients / staff on an occasional basis
- Commitment to embedding excellent information governance practices into all levels of staff and the organisation as a whole
- Ability to work effectively at home or away from agreed base but still within HDUHB's region
- Ability to travel within HDUHB's geographical area
Desirable
Disclosure and Barring Service Check
This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.
Applications from job seekers who require current Skilled worker sponsorship to work in the UK are welcome and will be considered alongside all other applications. For further information visit the UK Visas and Immigration website.
From 6 April 2017, skilled worker applicants, applying for entry clearance into the UK, have had to present a criminal record certificate from each country they have resided continuously or cumulatively for 12 months or more in the past 10 years. Adult dependants (over 18 years old) are also subject to this requirement. Guidance can be found in "Criminal records checks for overseas applicants".