Job Specification

Job Title: Data Protection and Governance Officer

Salary range: £45,940 – £47,326

Grade: Assembly Grade 5

Directorate: Legal, Governance and Research Services

Business Area/Office: Information Standards Office

Accountable to: Director of Legal, Governance and Research Services

Accountable for: AG7 post


Job Purpose

There is a mandatory requirement for all public authorities or bodies to designate a Data Protection Officer (‘DPO’) who has a key role in ensuring compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (‘UK GDPR’).

In addition, the post holder will fulfil a management role in relation to Information Standards, Freedom of Information (‘FOI’) and Governance in the Assembly Commission.


Job Description:

Data Protection

  • Inform and advise staff about the requirements of the UK GDPR and the Data Protection Act 2018 and help them to understand the practical implications for their business areas and the risks associated with data processing operations, taking into account the nature, scope, context and purposes of the processing.
  • Monitor and ensure ongoing compliance with the requirements of the UK GDPR and the Data Protection Act 2018, for example by conducting data protection audits and requiring records of all data processing activities to be maintained.
  • Assist and advise business areas and Information Asset Owners (‘IAOs’) in relation to the management of internal data protection activities.
  • Raise awareness of data protection issues and promote a positive data protection culture.
  • Assist business areas in deciding if a Data Protection Impact Assessment (DPIA) should be undertaken and assist with conducting DPIAs.
  • Review and update the data protection, governance and information assurance policies and provide training to staff as required.
  • Develop and maintain relationships with other DPOs across the wider public sector to share knowledge and best practices.
  • Advise upon investigations and notifications once a data breach or other data incident has occurred.


Information Standards and FOI

  • Lead an information management systems review and the implementation of a new system.
  • Manage and quality assure the administration of responses to and disclosure of all FOI/DP requests in accordance with statutory deadlines and advise on more complex requests.
  • Oversee the administration of FOI/DP appeals and provide advice to panels.
  • Manage the Retention and Disposal Schedule and liaise with the Public Record Office of Northern Ireland (‘PRONI’).
  • Attend the Information Security Group and advise on appropriate information security measures.


Governance

  • Manage the secretarial support to the Secretariat Audit and Risk Committee (‘SARC’).
  • Draft the SARC Annual Report and assist with the self-assessment of SARC.
  • Facilitate the quarterly review and update of the Corporate Risk Register, in conjunction with the Secretariat Management Group (‘SMG’).
  • Assist Directorate Management Teams with the monthly review and update of Directorate Risk Registers.
  • Facilitate the 6-monthly review of Directorate Risk Registers by SMG and identify emerging “risk clusters”.
  • Update and develop the Corporate Governance Framework in conjunction with SMG.
  • Update and develop the Assembly Commission’s Risk Management Strategy in conjunction with SMG.
  • Complete (with input from SMG and Heads of Business) Fraud and Bribery, Cyber Security and Information Risk, Risk Management and other relevant checklists and monitor subsequent action plans.
  • Monitor new or updated relevant corporate governance guidance and identify potential changes or updates to the corporate governance policies or procedures.


General duties

  • Fulfil the role in an independent manner.
  • Lead, manage and develop a small team of staff.
  • Develop and provide training for staff on data protection, UK GDPR, information management, governance and risk management.
  • Develop and implement a continuous improvement programme for the office.
  • Comply with all of the Assembly Commission’s staff policies and procedures including Equal Opportunities and Dignity at Work policies and procedures; and
  • Carry out other duties that the Assembly Commission reasonably requires of you.


Essential Criteria:

Applicants for the post must possess, by the closing date for applications:

1. A thorough knowledge and understanding of the relevant law, regulations and guidance relating to data protection and freedom of information.

AND

2. A comprehensive understanding of organisational governance and risk management policies and procedures.

AND

3. A primary degree, minimum 2:2 classification, in any subject and a relevant qualification in data protection, for example, Certified Information Privacy Professional (‘CIPP’), BCS in Data Protection to Practitioner level, EU GDPR Practitioner or equivalent.

AND

4. At least two years’ experience of the following:

(a) Successfully leading a data protection and information management service and the effective and efficient delivery of specific outcomes;

(b) Advising at a senior level* on either:

  • information standards and data protection policies and procedures or
  • governance and risk management policies and procedures.


(c) Using the standards that underpin good information management, ensuring that organisational standards and legislative requirements are met and that a robust information system and supporting policies are maintained.

*Senior level is defined as a Project Board, Director, Head of Business, NICS Grade 7 or company board member or equivalent.

OR

1. A thorough knowledge and understanding of the relevant law, regulations and guidance relating to data protection and freedom of information.

AND

2. A comprehensive understanding of organisational governance and risk management policies and procedures.

AND

3. A relevant qualification in data protection, for example, Certified Information Privacy Professional (‘CIPP’), BCS in Data Protection to Practitioner level, EU GDPR Practitioner or equivalent.

AND

4. At least four years’ experience as listed at points a) – c) above.

The successful applicant will be expected to complete Prince 2 in project management and CIPFA Governance certificate or equivalent within 12 months of appointment, if not previously completed.


Shortlisting Criterion:

Should shortlisting be required, the following shortlisting criterion will be applied:

Two years’ demonstrable experience of policy development, implementation and review in the field of data protection, information management/assurance or governance.


Assembly Skills & Behaviours:

The following Assembly Skills and Behaviours will be assessed during the selection process:

Delivering a quality service

…is about providing a high-quality and efficient service to our customers. It is thinking ahead, managing resources effectively and delivering work on time and to a high standard. It is also using professional or technical expertise to enhance service delivery.

Building relationships and effective communication

…is creating and maintaining positive, professional and respectful internal and external working relationships through effective and appropriate communications.

Initiating improvement and delivering change

…is looking for and being open to new and innovative ideas and improvements to the service provided. It is being flexible and adapting positively and professionally to sustain performance when the situation changes, workloads increase or priorities change. It is about forming sound, evidence-based decisions and being accountable for results.

Managing & Leading Self and Others

…is setting high standards for ourselves. It is about guiding, motivating and developing others to achieve high performance. It is about engaging others in delivering a corporate vision of excellence, expertise and innovation in support of the Assembly as a legislature.