Information Risk Officer

Temporary | 36363 - 39152 £ / year (est.) | No working from home possible
Working for Hull City Council

At a Glance

  • Tasks: Manage data breach incidents and lead a team in information governance.
  • Company: Join Hull City Council's forward-thinking Information Governance team.
  • Benefits: Competitive salary, excellent pension, generous leave, and career development opportunities.
  • Other info: Diverse and inclusive workplace committed to safeguarding vulnerable individuals.
  • Why this job: Make a real impact on data security and help protect the community.
  • Qualifications: HND/HNC in Information Governance or extensive public sector experience required.

The predicted salary is between 36363 - 39152 £ per year.

This is a Fixed Term Full Time Position (Maternity Leave). A great opportunity has arisen for the right person to join the Information Governance team within the Town Clerks Service as our Information Risk Officer for 6 months. We are looking to appoint a motivated, enthusiastic, experienced, and appropriately skilled individual to manage our data breach incidents and lead our Information Governance Officers. Primary responsibilities include the triage and resolution of data breach incidents and the implementation of recovery actions and process changes to mitigate future risks. You must also be able to manage and support the delivery of Information Rights cases, leading a small team. You will work with the Information & Data Protection Manager to manage corporate information risks, developing and maintaining policies and procedures covering data protection, information security, information rights and information risk.

You will have Information Governance qualification(s) at HND/HNC level, including the UK GDPR at practitioner level, or extensive experience delivering Information Governance functions in a UK public sector environment. You will be able to provide expert advice and support to junior colleagues on the Freedom of Information Act/Environmental Information Regulations, the UK General Data Protection Regulation, Data Protection Act 2018, Data (Use and Access) Act and associated UK legislation and regulation.

ROLE AND PURPOSE

  • Develops and oversees the corporate approach to information governance standards to maintain the safety and security of the Council’s data.
  • Promotes and monitors corporate information risk management with particular focus on data security, lawful and fair processing and the reporting and management of security incidents.
  • Directly contributes to Information Security policies, procedures and frameworks, working closely with the Information Governance & Data Protection Manager and the ICT Service.
  • Proactively raises awareness of information security risks and threats using a range of tools including e-learning, security bulletins and briefing sessions.
  • Advises social care colleagues and the Caldicott Guardians to maintain compliance with relevant health data standards, including the NHS Data Security and Protection Toolkit.
  • Manages and develops the Council’s Information Security Incident management process, acting as the Council’s point of contact with the Information Commissioner’s Office (ICO) and/or the Police on serious data breach and information security matters.
  • Determines whether serious incidents meet the legal threshold for reporting to the ICO.
  • Creates data breach monitoring reports and leads the risk monitoring discussion at Information Governance Group meetings.
  • Provides leadership and line management to the Information Governance Officers in responding to information requests and information security matters.
  • Ensures statutory deadlines are met, regulatory compliance is maintained, and the Council complies with Court/CPS requirements.
  • Works closely with partner organisations to address risk and develop and implement safe practice for information sharing and data transfer.

PRINCIPAL ACCOUNTABILITIES:

  • To promote and safeguard the welfare of children, young people and/or vulnerable adults.
  • Customer Focus – Works directly with victims of data breaches to provide support and assurance in the aftermath of incidents. Leads and supports service area colleagues in the Council’s responses to data breaches to ensure victims receive appropriate ongoing support, immediate risks to them and their personal data are mitigated, and matters are escalated to the Police or Information Commissioner’s Office as necessary.
  • Supports managers and HR with advice on employee breaches of information governance policies/procedures.
  • Uses specialist knowledge to adjudicate on data breach complaints and concerns, acknowledges and resolves complaints and/or defends the Council’s position based on a fair interpretation of the circumstances.
  • Liaises with data breach victims and the insurance section to ensure potential claims for data breaches are efficiently received and actioned.
  • Ensures that problem-solving, reconciliation and negotiation take place at the earliest stage to resolve breaches.
  • Acts as the Council’s contact with the Information Commissioner’s Office/Police on serious data breach incidents to mitigate risks to individuals.
  • Works with the ICO to resolve customer concerns on information access and security matters.
  • Provides expert advice to colleagues across the Council responding to issues, complaints and information risk issues.
  • Determines whether matters are eligible for the data breach complaints process and allocates them to the correct Complaints Scheme.
  • Consults the SIRO and Information & Data Protection Manager and Town Clerk where necessary.
  • Supports the Information Governance & Member Support Manager in delivering the Council's approach to Information Governance and wider management of information risk.
  • Demonstrates customer service of a high standard to meet changing needs while maintaining legal compliance.
  • Maintains a caseload of information requests under FOI/EIR/DPA/Information Security and will be expected to provide line management, leadership, advice and decision-making support to junior colleagues on more complex cases.
  • Protects and enhances the council’s reputation through engagement with audiences including employees, Members, customers, partners and stakeholders in the response to Information Governance risks and issues.
  • Includes the development and delivery of training sessions, including bespoke sessions to address risks arising from information security incidents.

Strategy – Collates and monitors the Council’s information security incidents to inform senior decision makers. Leads the data breach monitoring evaluation at Corporate Information Governance Group meetings, highlighting specific risks, themes and threats for awareness or escalation.

Works closely with both Caldicott Guardians, Director and Assistant Directors to address issues and risks to drive improvement and safety in respect of social care information and our patients’/customers’ rights. Works with Customer Services and ICT colleagues to identify risks and solutions where issues are raised in respect of customer contact channels. Oversees the Council’s approach to the use of secure email solutions for data exchange, including publication of the intranet ‘safe sender’ list.

Uses initiative to research, draft and publish council-wide bulletins and updates via email/website/intranet to promote information security and ensure staff are briefed on information security threats or immediate risks.

Performance Management – Maintains focus on continuous improvement, effective use of resources and value for money.

Provides Council colleagues with specialist advice on data breach, information security and information rights to mitigate incidents and risks and ensure compliance with the law, legal deadlines and the Council’s policies. Works with service area colleagues to implement recovery actions and develop or amend processes to mitigate future risk.

Seeks to maximise resources and reduce demand, taking a highly proactive approach to the management of, and responses to, information security incidents. Ensures serious data breach reporting to the regulator takes place within the statutory 72-hour period.

Collates, evaluates and disseminates themes arising from breaches to inform practice development and improve information security for the Council and its service users. Works with Directors and senior managers at the strategic level to address risks to personal data. Escalates concerns to the SIRO, Information & Data Protection Manager, Town Clerk, Caldicott Guardians, Directors and/or Internal Audit as necessary.

Compiles and presents a monthly information security incident monitoring report to the Information Governance Group highlighting themes and trends. Uses research, incident monitoring and horizon scanning to ensure that training, policies and processes are fit for purpose, continually seeking new opportunities and innovations and adopting best practice from elsewhere when appropriate.

Develops and monitors clear success indicators for personal, team and corporate activity. Ensures that the Information Governance Team meet statutory deadlines on information rights requests. Works closely with the Legal Service to ensure that Public Interest Immunity disclosures are made to the Police to ensure prosecutions are not delayed.

Leadership – Line manages Information Governance staff, including delegation of work, management of performance, identification and implementation of learning and development interventions, coaching and motivating, health, safety, and welfare.

Provides expert advice to service area colleagues and takes decisions on whether personal or otherwise confidential information can or must be disclosed to other agencies or partners, or in response to legal claims.

Statutory Obligations – Oversees and publicises the Council’s Information Security Incident Reporting process ensuring incidents are reported to the ICO in accordance with the UK GDPR and UK standards and legislation. The UK GDPR requires reporting of serious incidents within 72 hours of them coming to light with the potential for very large monetary penalties in the event of non-compliance.

Analyses data breaches to identify root causes and develop appropriate controls and risk mitigations to meet the legal requirement to have appropriate technical and organisational measures in place to protect personal and special category data. Supports services to meet mandatory standards including the Caldicott Principles, the NHS Data Security and Protection Toolkit and PSN accreditation.

Works with Service Areas to ensure business activities are lawful and strike an effective balance between privacy of individuals and the public interest and the Council’s legitimate interests. Works with Service Areas to produce effective Data Protection Impact Assessments to ensure business activities are designed to be lawful and strike an effective balance between the privacy of the public and the Council’s legitimate interests, with particular focus on projects with the potential to breach privacy rights or increase information security risk.

Works with the Legal Service and the Police to ensure Public Interest Immunity disclosures are made in accordance with requirements of the Courts.

Information Risk Officer employer: Working for Hull City Council

Hull City Council is an exceptional employer, offering a supportive and forward-thinking work culture that prioritises employee development and well-being. As an Information Risk Officer, you will benefit from a competitive salary, excellent pension scheme, and generous leave entitlements, all while contributing to the safety and security of the community's data. With a commitment to diversity and inclusion, Hull City Council fosters an environment where every employee can thrive and make a meaningful impact.


StudySmarter Expert Advice🤫

We think this is how you could land Information Risk Officer

Tip Number 1

Network like a pro! Reach out to folks in the industry, attend events, and connect on LinkedIn. You never know who might have the inside scoop on job openings or can put in a good word for you.

Tip Number 2

Prepare for those interviews! Research the company, understand their values, and be ready to discuss how your skills align with their needs. Practise common interview questions and think of examples that showcase your experience.

Tip Number 3

Follow up after interviews! A quick thank-you email can go a long way in showing your enthusiasm for the role. It’s also a chance to reiterate why you’re the perfect fit for the Information Risk Officer position.

Tip Number 4

Don’t forget to apply through our website! It’s the best way to ensure your application gets seen by the right people. Plus, it shows you’re serious about joining our team!

We think you need these skills to ace Information Risk Officer

Information Governance
Data Breach Management
UK GDPR Compliance
Freedom of Information Act Knowledge
Data Protection Act 2018 Knowledge
Risk Management
Incident Reporting

Some tips for your application 🫡

Tailor Your Application: Make sure to customise your application to highlight how your skills and experiences align with the role of Information Risk Officer. Use keywords from the job description to show that you understand what we're looking for.

Showcase Relevant Experience: When detailing your work history, focus on experiences that relate directly to information governance and data protection. We want to see how you've handled similar responsibilities in the past, especially in a public sector environment.

Be Clear and Concise: Keep your application straightforward and to the point. Avoid jargon and ensure your writing is easy to read. We appreciate clarity, so make it easy for us to see why you're the right fit for the team.

Apply Through Our Website: Don't forget to submit your application through our official website! This ensures that we receive all your details correctly and helps us keep track of your application efficiently.

How to prepare for a job interview at Working for Hull City Council

Know Your Stuff

Make sure you brush up on your knowledge of UK GDPR, data protection laws, and the specific responsibilities of an Information Risk Officer. Familiarise yourself with the key legislation and be ready to discuss how you've applied this knowledge in past roles.

Showcase Your Leadership Skills

As you'll be leading a small team, it's crucial to demonstrate your leadership abilities. Prepare examples of how you've successfully managed teams or projects, particularly in high-pressure situations involving data breaches or compliance issues.

Prepare for Scenario Questions

Expect scenario-based questions that assess your problem-solving skills. Think about potential data breach incidents and how you would triage and resolve them. Be ready to explain your thought process and the steps you would take to mitigate risks.

Engage with the Interviewers

Don't just wait for questions; engage with your interviewers. Ask insightful questions about their current information governance challenges and how you can contribute. This shows your enthusiasm for the role and your proactive approach to problem-solving.