Job Description

Information Records and Data Manager

ORGANISATIONAL RESPONSIBILITIES

Reports to: Director of Policy and Management Information Systems

JOB PURPOSE

·  To ensure organisational use of information complies with current legislation including the right to hold, store, retain and access.

·  Lead on organisational awareness raising and monitoring of practice to ensure compliance.

·  To act as the Data Protection Officer for the organisation.

·  Contribute to the development of systems and business processes using a privacy by design approach to meet regulatory requirements and those of the organisation.

·  Contribute to the development and delivery of the organisation’s strategic and operational plans, undertaking a variety of activities under the direction of the Director of Policy and Management Information Systems.

PRINCIPAL TASKS

·  Ensure all organisational information is held for legitimate purposes and in line with current data protection legislation including maintaining an action plan for ongoing improvements. This includes maintaining an up-to-date information register.

·  Provide a framework to measure and monitor all organisational practice, to include who holds information relating to which data subjects, the purpose of holding the information, how the information is stored, a clearly defined retention period and disposal that follows industry best practice.

·  Provide information and reports for risk assessment, quality assurance, strategic and financial planning purposes, including evidence of compliance. This includes maintaining an entry on the organisation’s risk register.

·  Ensure contractual compliance with commissioning requirements for collecting, storing and using information including recognised standards such as The Caldicott Principles.

·  Maintain a data retention and disposal schedule including triggers, information classification and managing version control.

·  Regularly review and update the organisation’s Data Protection Policy to align to legislation and ensure compliance through practice.

·  Provide support and advice to ensure all data handlers and anyone who has access to data subject information are aware of their responsibilities in complying with legislation, to include supporting induction, refresher and individual training where required.

·  Drive a culture that values and respects privacy through maintaining awareness across the organisation of the importance of data protection and maintaining the confidentiality of high risk information.

·  To be the named Data Protection Officer for the organisation, representing the interests of data subjects.

·  Process map and lead on the management of data subject access requests (SARs) in line with statutorily required timescales for response.

·  Process map the management of any data breaches and lead on any investigations including informing the data subjects and Information Commissioner’s Office.

·  Process map and lead on the management of requests to exercise the right to be forgotten for data subjects, including recording circumstances where the right could not be exercised for a legitimate legal reason and how deletion would be managed on electronic backup systems.

·  Complete privacy impact assessments and ensure a privacy by design approach is adopted for all new activities that include holding data subject information and compile privacy impact assessments for all existing data sets.

·  Ensure all communications comply with current legislation, including Privacy and Electronic Communications Regulations (PECR) and follow associated industry best practice.

·  Ensure privacy notices are in place for activities that require information to be collected and are compliant with legislation and best practice advice.

·  Provide an organisational framework that is compliant with legislation where consent to hold information is requested from data subjects. The framework will include how to ensure where consent is requested there is a legal basis for holding information that includes legitimate interest.

·  Work collaboratively across the organisation to establish departmental requirements for holding and using subject data in Management Information Systems and business processes to meet regulatory requirements and those of the organisation.

·  Liaise with commercial suppliers of systems and internal developers for ongoing changes required and updates.

·  Work with the IT Systems team to maintain data security and minimise the risk of successful targeted or accidental data breach. This includes auditing that the IT Department maintains Cyber Essentials Certification and providing advice on standards the organisation could work towards, such as ISO 27001.

·  Provide a policy for and audit the practice of encryption in using portable data, including how data can be exported from internal systems.

·  With the IT Systems team, audit to ensure fixed resources are encrypted wherever possible.

·  Audit that data backup and duplication meet requirements for restoring in line with organisational recovery plans and regulatory requirements, including where total accidental loss of data could incur a financial penalty.

·  Audit to ensure all data is stored inside the European Economic Area (EEA), within countries that are accredited as providing adequacy of protection or, in the United States, with organisations that are registered under the Privacy Shield Scheme.

·  Provide a policy for, and monitor compliance with, the transfer of electronic and hard copy data internally and externally. This includes advising on and implementing systems with the IT team that should be in place, such as secure email transfer.

·  Ensure compliance in meeting requirements of data handling of subjects for all sub-contracts and for all sub-contractors. This includes checking of formal contracts.

·  Map all agencies and external organisations that data subject information is shared with, ensuring formal sharing requirements are in place and the external organisation’s privacy policy is compliant.

·  Provide monthly reports and analysis of data protection compliance for management and Board meetings, identifying any risks, with reference to the requirement for the Data Protection Officer to provide reports directly to the highest Governing management level.

·  Provide information for internal quality assurance processes including Self-Assessment Reports, Governor and Trustee reviews and internal audit when required.

·  Produce reports when required for external quality assurance agencies including the Information Commissioner’s Office, Ofsted, Estyn and The Care Quality Commission.

·  Provide first line support for users of management information systems by answering queries relating to data protection including supporting staff at remote sites.

·  Develop reference resources for users in electronic, hard copy, video or other formats.

·  Ensure high quality of brand reputation is maintained by demonstrating responsible use of data across the organisation and minimising the risk of data breach.

·  Adopt a positive attitude towards resolving ‘everyday’ and variable challenges encountered in the use of systems and processes in relation to information management.

·  Work flexibly where required according to the on-going requirements of the role. This may include occasional visits to remote sites supporting with the use of information.

·  To positively promote the Policy and Management Information Department, acting as a role model through promoting the activities, values and culture of the organisation.

·  Through personal example and action demonstrate commitment to equality, diversity and inclusion ensuring equality of access and treatment in service delivery.

·  Promote and adhere to the organisation’s Health and Safety at Work policy and procedures.

·  To support and promote the organisation’s safeguarding policy and procedures.

·  Comply with Data Protection legislation in all activities in relation to the role.

·  To undertake such other duties as may be required by the Director of Policy and MIS or Chief Executive.


SAFEGUARDING

The organisation takes seriously its responsibility for safeguarding and is committed to safeguarding and promoting the welfare of young adults and children. We therefore require that all staff share this commitment and act accordingly by applying organisation policy and procedure and attending annual safeguarding training.

EQUALITY & DIVERSITY

Through personal example and clear action demonstrate commitment to equality and diversity ensuring equality of access and treatment in employment and service delivery to all.

HEALTH & SAFETY

Promote the organisation’s Health and Safety at Work Policy and Procedure and ensure these are implemented effectively within the department.


Person Specification

Requirements / Essential (E) or Desirable (D)
Education:
·  Minimum of Level 2 Qualifications at Grade C or above in English and Maths / E
·  Hold Certified Information Privacy Professional/Europe (CIPP/E) certification and/or EU General Data Protection Regulation Practitioner qualification / D
·  Qualification in data protection management or demonstrate equivalent knowledge / E
·  Formal Education to Level 3 or above / D
Experience/Knowledge:
·  Worked within a role with responsibility for compliance with data protection or similar legislation / E
·  Maintained accurate information for reporting or other purposes / E
·  Demonstrated a working knowledge of current data protection legislation and General Data Protection Regulation principles in relation to holding and sharing information / E
·  Used a range of technologies including personal computers and mobile devices for professional purposes / E
·  High level of IT Literacy, including use of Excel or similar software for basic formulas and data analysis / E
·  Supported others in the use of technologies / E
·  Produced information and reports using Word or similar software / E
·  Completed projects to set deadlines / E
·  Provided a service of a similar nature in an education and/or residential care environment / D
·  Experience of working to standards such as ISO 27001 / D
·  Created resources as a reference for users / D
·  Trained others to develop their skills and knowledge / D
·  Produced formal reports including analysis and recommendations of actions / D
·  Knowledge of good Safeguarding practice for vulnerable people / D
·  Knowledge of data sharing with, and reporting for, external organisations associated with education and/or residential care / D
·  Knowledge of reporting for external quality assurance agencies including Information Commissioner’s Office, Ofsted, Estyn and Care Quality Commission / D
·  Used Access or similar software to create databases and reports / D
·  Experience of working with people who have learning difficulties and/or physical disabilities / D
Skills and Abilities:
·  Excellent interpersonal and communication skills / E
·  Strong organisational and planning skills / E
·  Able to maintain accurate records / E
·  Able to analyse using multiple data and information sources / E
·  Use initiative to make improvements and think creatively / E
·  Problem solve and make decisions based on experience, knowledge and progressive thinking / E
·  Produce and analyse data as required / E
·  Ability to clearly convey technical and complicated information to non-technical people / E
·  Demonstrate the ability to identify new equipment, applications or processes to meet compliance, improve efficiency, cost savings and sustainability / E
·  Promote team working and positive partnerships between departments / E
·  Competent user of Access, Filemaker Pro or other database software / D
Personal Attributes:
·  Desire to provide high quality provision for all stakeholders / E
·  Commitment to own and others’ continuing professional development / E
·  Recognise the need to maintain confidentiality / E
·  Constantly demonstrate a professional approach to work and relationship with colleagues / E
·  Respond positively to requirements presented / E
·  Be flexible to provide the level of service required for users / E
·  Be self-motivated and enthusiastic in approach to work and team management / E
·  Commitment to promoting equality, diversity and inclusion in all aspects of role / E
·  Able to work flexibly to support the organisation’s activities where required / E
Other:
·  Support the ethos of the organisation and meet the safeguarding requirements set down by the organisation to work with vulnerable adults and children / E

January 2018