HRDPO0218

JOB DESCRIPTION

Job Title: Data Protection Officer (DPO)
Grade 7
Responsible to: Head of Corporate Support

Job Summary:

The DPO will be a dedicated, key supporting role that underpins the Accounting Officer function carried out by the Chief Constable. The roleholder will be the cornerstone of accountability for Data Protection in PSNI and will provide full authoritative advice and recommendations in the field of Data Protection.

The roleholder will facilitate compliance with the Data Protection Act 2018 and the General Data Protection Regulation (‘GDPR’) through the implementation of accountability tools such as assisting with or carrying out data protection impact assessments and audits. The PSNI Data Protection Officer will therefore act as a change agent and an intermediary between relevant stakeholders, e.g. the Information Commissioner’s Office, data subjects, business units within the PSNI and the wider public sector.

Vision: “To help build a Safe, Confident & Peaceful Society”

Northern Ireland continues to develop and thrive. It is the role of the Police Service of Northern Ireland to support and work with the Northern Ireland Executive, Business, Community and Voluntary groups to build a Safe, Confident and Peaceful Society.

Purpose: “Keeping People Safe”

As a Police Service, we will all work with partners and communities to Keep People Safe, either through frontline service delivery or by enabling services, by:

Preventing harm through working with partners to increase trust and citizen involvement, reduce offending, reduce vulnerability and prevent crime.

Protecting our citizens and communities, particularly the most vulnerable, through delivering professional policing operations and services in accordance with Human Rights standards.

Detecting offences and investigating suspects, working with justice partners to carry out professional investigations and deliver prompt visible and fair outcomes which build the confidence of victims, witnesses and communities.

How: “Policing With the Community”

We are at our strongest when we work in partnership with communities and when we involve those communities in policing. We best achieve this by demonstrating the following behaviours:

1. Accountability

Accountability is the fundamental building block to securing trust and legitimacy for any Police Service. It is the way to earn public co-operation, collaboration and information. Accountability helps us achieve our policing purpose of Keeping People Safe.

2. Acting with Fairness, Courtesy and Respect

Fairness, Courtesy and Respect are the minimum standards of how we treat others, both inside and outside the organisation. These standards are non-negotiable no matter the context or provocation to act otherwise, and are key to securing our communities’ confidence and trust.

3. We will be Collaborative in our Decision Making

Decisions are often too important, complex or far-reaching to be left to the Police alone, which is why Collaborative Decision Making is vital. Collaborative Decision Making is based upon the concepts of partnership and engagement, but takes it a step further and outlines the critical need for clear decisions to be made. This process has at its core collective responsibility and accountability. Involving others shares the opportunity behind every challenging and important decision.

These behaviours will also guide how we treat each other within the Organisation.

Who: The Police Service of Northern Ireland

We are a diverse group of people who strive to be representative of the communities we serve in both our staff profile and culture.

We are proud to serve the people of Northern Ireland and to work as part of an organisation which is committed to Keeping People Safe within this society.

MAIN JOB ACTIVITIES

The key activities that constitute the role of Data Protection Officer can be summarised as follows:

Implementation of Data Protection Act 2018 and the GDPR

A key feature of the DPO role will be to understand and highlight the areas of risk within PSNI in relation to the Data Protection Act 2018 and the GDPR, and to collaborate with business colleagues to mitigate these risks whilst still maintaining the ability for the business to continue to operate effectively. PSNI has established an Implementation Board and Project team to implement the new Data Protection changes. That project team has developed an Implementation plan. The DPO will complete those tasks assigned to them under the Implementation plan and assist with ensuring PSNI’s post-implementation arrangements are in compliance with the requirements of the new data protection changes. Regular internal stakeholder engagement and the ability to raise awareness, challenge and drive cultural change at senior levels are crucial to this process.

The DPO will also be responsible for designing and delivering a programme of awareness sessions/training across the organisation, including to Information Asset Owners, the Audit Risk Assurance Committee, Senior Management and third party processors, on compliance with the new Data Protection changes.

Data Protection Compliance

The DPO will be at the heart of the Data Protection Framework for PSNI and will facilitate and monitor the organisation’s ongoing compliance with the requirements of the Data Protection Act 2018 and the GDPR. The role holder will be expected to take the appropriate steps to ensure those tasks assigned to the DPO at section 69 of the Data Protection Bill 2018 and the GDPR are carried out. This includes the following functions:

  • Informing, advising and issuing recommendations to the organisation to include the Chief Constable, PSNI employees and processors engaged by PSNI about their obligations under the Data Protection Act 2018.
  • Overseeing Data Protection compliance by the organisation’s Information Asset Owners.
  • Maintaining a record of, and monitoring for compliance, all data processing undertaken within the organisation.
  • Developing and managing an audit programme of data protection and conducting health checks to monitor and ensure data protection compliance in line with those policies of PSNI which relate to the protection of personal data.
  • Maintaining, implementing and reporting on the action plans that derive from compliance activities.
  • Assessing the risks associated with the data processing operations, taking into account the nature, scope, context and purpose of the business, and ensuring internal controls are in place to mitigate these risks. These actions should focus primarily on the areas of higher risk processing, for example the processing of any information relating to a person’s gender, health, sexuality, trade union membership etc.
  • Providing advice on the carrying out of a data protection impact assessment under section 62 of the DP Bill 2018 and advising PSNI on whether or not a Data Protection Impact Assessment (DPIA) should be undertaken, providing advice on the methodology to be applied and on safeguards, monitoring the performance of the DPIA and assessing whether its conclusions comply with the Data Protection Act 2018.

In relation to the policies of the Data Controller which relate to the protection of personal data, the DPO will be responsible for ensuring the following tasks are completed:

(i) Assigning responsibilities under those policies.

(ii) Raising awareness of those policies.

(iii) Training staff involved in processing operations.

(iv) Conducting audits required under those policies.

The DPO will co-operate fully with the Information Commissioner’s Office.

Data Protection Awareness Culture

The DPO will take active and visible steps to support and promote a positive Data Protection culture within the organisation. The role holder will be expected to operate independently without instruction from senior officers/staff on how to undertake the role and will have the ability to influence behaviours at all levels in the organisation. To promote a good cultural awareness and understanding of Data Protection the DPO will -

  • report directly to the Head of Corporate Support, or ACC or equivalent grade;
  • ensure there are no conflicts of interest between the DPO role and any other responsibilities the role holder is asked to perform, especially if such responsibilities involve determining the purposes and/or means of processing personal information;
  • ensure mandatory Data Protection training and awareness procedures are in place and monitor that PSNI staff are appropriately trained and updated as necessary;
  • participate in working groups, privacy forums, workshops and training courses, as required;
  • ensure continuing professional development by regularly self-assessing own training needs and taking steps to ensure any new objectives are identified and achieved;
  • advise and support business areas in understanding their obligations under the DPA, highlighting any potential risks whilst not losing sight of the significant financial penalties for non-compliance.

Data Protection Accountability

The DPO will be the visible face of Data Protection within the organisation. The role holder will be easily accessible to employees and data subjects and can expect their contact details to be made available in the public domain and to be provided to the Information Commissioner’s Office. In addition the DPO will:

  • maintain his or her expert knowledge of data protection law and practice;
  • ensure that, in performing their tasks, they have regard to the risks associated with processing operations, taking into account the nature, scope, context and purposes of processing activities;
  • be a point of contact for any individual whose data is being processed for any issue relating to the processing of their personal data or the exercise of their rights under the Data Protection Act 2018;
  • co-operate with and act as the contact point for the ICO on issues relating to data processing and consult, where appropriate, with regard to any other matter;
  • develop and oversee the breach management process; and
  • lead on the resolution of data protection complaints from data subjects, staff and the general public.

Codes of Conduct and Certificates

The DPO will lead on the development of relevant PSNI Data Protection Codes of Conduct/Practice, and organisational certification, seals and markings in line with the process being developed by the ICO.

CONTACTS AND COMMUNICATIONS

Within the Organisation but Outside the Work Area

Internally the DPO will attend the PSNI Service Executive Board and if required will appear before the Policing Board and attend meetings with the Department of Justice. The role holder will also have regular meetings with middle managers and senior managers. In all instances the purpose of this communication will be to persuade, influence and raise awareness on all matters relating to Data Protection and the discharge of statutory and corporate responsibilities in this respect. It will also be to provide professional opinion, advice, guidance and recommendations to support the decision making process in relation to Data Protection implications. In any cases of disagreement and/or non-compliance, the reasons for not following the DPO’s advice must be clearly documented by senior management.

There will also be regular contact with senior management across all PSNI business areas. The purpose of this will be to explore and gain sufficient understanding of all processing operations and service delivery activities as well as the ICT, Data Security and Data Protection needs of the organisation as a Data Controller. It will also be essential that the DPO has access to functional areas such as Corporate Information, Records Management, Information Security, HR, Legal, IT and Security etc. and develops good partnership working arrangements to enable support, input and information to be provided as required.

For staff at all levels generally, the DPO will have a responsibility for ensuring the provision of information, advice, guidance, training, awareness and recommendations on all matters relating to Data Protection. There will be an important responsibility to ensure that all staff, who carry out data processing activities, are fully aware of their obligations pursuant to Data Protection legislation.

Contacts between Government Organisations

The DPO will communicate with other DPO colleagues and Information Management professionals (typically senior managers and middle managers) across the NICS, wider public sector and other police services. The purpose of such contacts will be to develop and maintain working relationships, share best practice, develop common approaches, obtain support in the resolution of issues and exchange information and advice on matters of common interest.

Externally to the PSNI there will be a seeking of advice, clarification and guidance from senior managers within the ICO. There will be an exchange of advice and guidance with senior managers in other police services, devolved administrations, agencies, Arm’s Length Bodies, Cross-Border Implementation Bodies etc as appropriate.

All Other Contacts, including External Organisations

External to the above most of the roleholder’s communication will involve exchanging information with the public and individuals who raise concerns with the DPO about the processing of their personal information. This will include complaint resolution and ensuring reporting where there are potential Data Protection/Security breaches.

PROBLEM SOLVING

The Data Protection Act 2018 requires that the DPO anticipates and predicts the long-term impact of international developments in Data Protection, including the legislative and technological impacts on the organisation.

Furthermore, the roleholder will be required to shape the Data Protection strategies and plans to support the organisation’s vision and long-term direction, considering the impact that this will have on citizens.

The role holder will need to have due regard to the risk associated with the processing operations, taking into account the nature, scope, context and purposes of processing. This requires the DPO to prioritise their own work activities and focus on creating and implementing effective plans and governance arrangements to manage change and respond quickly to the higher Data Protection risks. Problem solving will be integral to managing and delivering privacy by design through a period of rapid transformation.

DECISION MAKING

Own Decisions

The DPO will be involved at all times where decisions with Data Protection implications are taken by PSNI, for example ensuring that an individual’s rights are taken into consideration. The role holder will be operating in an area without precedent under the new legislation making sharp assessments in unknown territory. Some of the cases will be very complex and multi-dimensional with contrasting viewpoints.

The DPO will be heavily involved in deciding if a DPIA should be undertaken by a business area/department, advising PSNI business areas on the completion of DPIAs and putting measures in place to monitor compliance.

The DPO must consider the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

The DPO will be bound by secrecy or confidentiality concerning the performance of their duties.

Informing and Advising Others

The DPO will play a key role in fostering a Data Protection culture within the organisation and help to implement essential elements of the Data Protection Act 2018 and GDPR. To this effect, the role holder will need to be highly articulate and credible at the most senior levels across and outside the PSNI, consistently delivering inspiring, engaging and meaningful messages about the need for privacy by design. At times, the role will involve advising business areas and senior officers/staff of the inherent risks resulting from projects being put on hold. This will require a high level of tact and diplomacy.

The DPO will be an influential role in an important field of work that can potentially have wide and serious organisational impact. As such, decisions that are taken by others based on the role holder’s advice and recommendations should usually be accepted. In any cases of disagreement and/or non-compliance, the reasons for not following the DPO’s advice must be clearly documented by senior management.

AUTONOMY

The Data Protection Act 2018 requires the roleholder to be able to perform their responsibilities with a sufficient degree of autonomy within PSNI and also to fulfil their role in an independent manner. In particular the Chief Constable, as data controller, must ensure that the DPO does not receive any instructions regarding the execution of their duties.

As a fully autonomous leadership role the DPO will be expected to take complete ownership and accountability for Data Protection and privacy in the organisation.

The autonomy of the DPO does not mean they have decision-making powers extending beyond their role in relation to the Data Protection Act 2018. The Chief Constable, as data controller, remains responsible for compliance with data protection law and must be able to demonstrate compliance.