Head of Information Governance & Data Protection
Posted 1 hour 38 minutes ago by NHS
This is a senior position reporting to the Deputy CIO and accountable to the SIRO. The Head of Information Governance and Data Protection Officer (DPO) provides strategic leadership for the organisation's Information Governance (IG) framework, ensuring compliance with statutory and regulatory requirements across data protection, confidentiality, records management, information rights (including FOI and SAR) and information security.
The post holder acts as the Group's statutory DPO under the UK GDPR and the Data Protection Act 2018, offering independent oversight of compliance, advising on high-risk processing and DPIAs, and serving as the primary contact for the Information Commissioner's Office (ICO) and data subjects.
The role leads the IG function, develops and maintains policies, oversees the DSP Toolkit, coordinates training and awareness, and ensures effective incident management and risk assurance to the SIRO, Caldicott Guardian and Trust Board.
Main duties of the job
Key Relationships:
Works closely with the Chief Information Officer, Deputy Chief Information Officer, Caldicott Guardian, Senior Information Risk Owner, Executive Directors, CSU leads and Information Asset Owners to ensure data protection and confidentiality are embedded across the organisation, while also supporting clinical and operational teams with policy implementation.
Works closely with the management teams and boards of the Group's Limited Liability Partnerships (LLPs) in the role of DPO.
Collaborates with clinical staff, corporate staff, digital / cyber teams, and information governance colleagues both within the Group and regionally and nationally, including NHS England.
The Data Protection Officer, appointed under Article 37 of UK GDPR, operates independently but liaises with the Chief Executive, SIRO, and Information Governance leads to advise on legal compliance, data breaches, and privacy risks, while maintaining a direct line to the Information Commissioner's Office for regulatory matters.
About us
South Tees Hospitals NHS Foundation Trust and North Tees and Hartlepool NHS Foundation Trust now form University Hospitals Tees and as such you may be required to work at any site across both Trusts.
At North Tees & Hartlepool NHS Foundation Trust, we want our organisation to be the best place to work with the right staff, in the right roles, at the right time, to ensure we deliver exceptional patient care and experience.
We will support staff through providing an inclusive and supportive workplace with health and well-being initiatives, staff benefits and opportunities for personal and professional development.
We support the 'Making Every Contact Count' approach to behaviour change in the promotion of health and wellbeing of individuals and communities.
Job responsibilities
Developing and maintaining policies, ensuring compliance with data protection laws, managing information risks, leading staff training, and overseeing audits and incident investigations.
Monitors compliance with data protection legislation, advises on privacy matters, manages data breaches, FOI and subject access requests, liaises with the Information Commissioner's Office, and promotes staff awareness and training.
Prepares regular reports for the SIRO, Group Boards and Groups on Information Governance, data protection and FOIA compliance and assurance.
Leads IG strategy, policy, and compliance across the Trust.
Advises senior leaders on data protection, confidentiality, and security.
Manages IG audits, training, and incident investigations.
Oversees secure storage and access to records.
Ensures compliance with legal and clinical documentation standards.
Independently monitors GDPR compliance and advises on data risks.
Manages data breaches, FOI, subject access requests, and DPIAs.
Acts as Information Asset Owner (IAO) for Information Governance departments.
Reports to senior leadership and liaises with the ICO when needed.
Liaise with partner organisations, suppliers and researchers to establish compliant data flows and agreements (e.g., DSAs, IGAs, DTAs).
This is a non-clinical role with no direct contact with patients.
Delivers the Group values and behaviours when communicating or dealing with members of the public.
Support patients, members of the public and staff regarding their right to information under the Data Protection Act 2018, General Data Protection Regulation (GDPR), FOI Act 2000 and the Environmental Information Regulations 2004.
Person Specification
Qualifications
- Master's Degree in a relevant field (e.g. Information Governance, Law, Health Informatics, or IT) or equivalent demonstrable experience
- Postgraduate qualification or equivalent experience in data protection or information governance.
- Accredited DPO training (e.g. BCS)
- Evidence of CPD in IG/Data Protection
- Significant experience in information governance, data protection, and NHS regulatory compliance
- Significant experience and proven track record of leading IG programmes, managing audits, and advising on confidentiality and data sharing.
- Experience working with senior stakeholders, including SIROs, Caldicott Guardians, and executive teams
- Proven ability to lead teams, manage services across multiple sites, and ensure compliance with NHS standards
- Substantial experience in data protection law, including GDPR and the Data Protection Act, FOI Act
- Developing policies, DPIAs, DSAs and records management frameworks.
- Managing incidents/breaches and liaison with the ICO
- Proven ability to advise business units on legal obligations and monitor compliance
- Previous statutory DPO experience
- Comprehensive, expert knowledge of UK GDPR, Data Protection Act 2018, and Freedom of Information Act, Caldicott principles and related privacy legislation
- Deep understanding of NHS IG standards and DSP Toolkit.
- Knowledge of information security standards, data lifecycle management, and confidentiality protocols
- Awareness of legal and ethical considerations in data sharing and patient information use
- In-depth understanding of data protection impact assessments (DPIAs), subject access requests, FOI requests and data breach reporting.
- Familiarity with NHS data governance structures and ICO guidance.
- Awareness of ethical and legal implications of data use in research and service delivery.
- Strong analytical skills for risk assessment, compliance monitoring, and incident investigation.
- Excellent communication skills to engage with senior stakeholders, regulators, and staff
- Knowledge of emerging data protection risks/technologies
- Understanding of NHS clinical systems and complex data flows
- Ability to design and deliver engaging IG training.
This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.