Data Protection Officer Job Specification

Exemplar Document

Version No: 0.1

Issue Date: 31st March 2003

Purpose of this document

To provide NHS organisations with an exemplar document for use when determining the qualities, experience and knowledge needed for applicants to the post of Data Protection Officer.

Version History

Version / Date Issued / Brief Summary of Change / Owner's Name
0.1 / 1st April 2004 / / Ifeoma Nwolie, Information Governance Team, NHSIA
For more information on the status of this document, please contact: Helpdesk
Tel: 0121 333 0420
Fax: 0121 333 0421
E-mail:
Internet:
NHSnet: nww.nhsia.nhs.uk
Date of Issue: 1st April 2004
Reference: DPO Specification V0.1 doc
© Crown Copyright 2002

Data Protection Officer (DPO) Specification

PERSON SPECIFICATION

Essential / Desirable
Personal Skills
Good verbal and written communication skills, and able to communicate effectively at all levels / 
Self-motivated and organised / 
Able to work under pressure and to deadlines / 
Able to plan/complete implementations and contribute to culture change / 
Able to manage time and priorities appropriately / 
Good level of people management skills / 
Positive attitude towards learning and development, demonstrated by a record of continuing professional development / 
Technical Skills and Experience
Minimum of 4 years' broad IT experience, at least 2 of which have been in a security role / 
A good working knowledge of Information Security (including BS7799) principles and practices / 
Broad awareness of hardware/software security products / 
Good working knowledge of information risk analysis/management / 
Experience in the development and delivery of training material / 
Good understanding of the business and role of the NHS organisation in which employed / 
Information Security qualification / 
PRINCE2 practitioner / 
Good working knowledge of quality assurance principles and practices / 
General Knowledge
Data Protection and computer-related legislation / 
NHS data issues / 
Medical records issues / 

JOB DESCRIPTION

The role of the Data Protection Officer is to ensure that the organisation complies with the Data Protection Act 1998, and to ensure that employees are fully informed of their own responsibilities for acting within the law and that the public, including employees, are informed of their rights under the Act.

More specifically the Data Protection Officer should:

Be the nominated officer in the Data Protection register maintained by the Information Commissioner, notify the fact of processing to the Information Commissioner, and maintain the accuracy and currency of the organisation's notification.

A. Manage Data Protection compliance

Co-ordinate Data Protection Act activities (including training) with other Information Governance Leads (e.g. Caldicott, Records Management, Consent, Confidentiality, Data Protection Act, Data Accreditation) and attend such user group meetings as necessary.

Ensure organisational compliance and conformance with the Data Protection Principles.

Develop, implement and enforce a suitable and relevant Data Protection policy, and ensure it is reviewed on an annual basis.

Liaise with the Caldicott Guardian and Information Security Officer to establish and maintain a register of data owners for sets of information (e.g. paper files, databases) and educate the data owners on their responsibilities (what is the data, how is it used, who has access to it).

Liaise with the Caldicott Guardian and Information Security Officer to develop and implement a mechanism for defining and maintaining information flow maps within the Trust, and between the Trust and partner organisations, providing advice where necessary.

Undertake systematic Data Protection Act compliance audits in accordance with the Information Commissioner's audit tool.

Assist with investigations into complaints about breaches of the Act and undertake reporting/remedial action as required. Maintain a log of any incidents and remedial recommendations and actions.

B. Provide reports to the Board

Provide comprehensive reports to the Board on the organisation's compliance with the Data Protection Act and related provisions.

C. Profile-raising and publicity

Promote Data Protection awareness throughout the organisation by providing training and written procedures that are widely disseminated and made available to all staff.

Encourage the setting up of a Data Protection group with representatives from across the organisation.

Ensure written information on Data Protection is available for provision to patients and employees.

Develop and maintain processes for subject access requests for information by patients and employees exercising their rights under the Data Protection Act.

D. Training

Liaise with the Caldicott Guardian and Information Security Officer to develop and implement a Data Protection awareness and training programme.

Maintain and update own knowledge of developments in Data Protection issues, information management and, in light of the National Programme for IT, records management systems.

Be a resource for other employees by providing expert advice on the Data Protection Act and related issues.

This list of responsibilities is not exhaustive; the Data Protection Officer will be expected to undertake any other relevant duties appropriate to the grading of the post and the requirements of the service.

DPO Specification V0.1