Data protection and information governance practitioner

Business and administration

Level 4 - Higher Technical Occupation

Provide regulatory and technical advice providing assurance to key stakeholders and regulators.

Reference: OCC0967

Status: Approved occupation

Average (median) salary: £73,571 per year

SOC 2020 code: 1137 Information technology directors

SOC 2020 sub unit groups:

  • 1137/01 Information security directors
  • 2135/02 Cyber security management and governance specialists
  • 2135/04 Secure system development specialists

Technical Education Products

ST0967: Data protection and information governance practitioner (Level 4), approved for delivery

Employers involved in creating the standard:

Greater Manchester Combined Authority Transport for Greater Manchester Magairports Royal London Provident Europcar Education Wise Cygnet Health Cheshire Police Royal Mail Bolton Council Istorm solutions Rentokil Train with premier The Medicines and Healthcare products Regulatory Agency Royal Wolverhampton NHS Trust Luton Borough Council Virgin Health Care The Specialist Hub BJM Consultancy

Summary

This occupation is found in organisations of all sizes across all sectors where personal and commercial data is processed. Data protection and information governance practitioners work in varied environments including in an office, onsite, or remotely.

The broad purpose of the occupation is to provide regulatory and technical advice and guidance, providing assurance to key stakeholders and regulators of compliance with information governance (IG) and data protection (DP) requirements. Organisations must comply with information governance legislation to protect the confidentiality, integrity and availability of their information assets. The data protection and information governance practitioner (DP&IGP) will contribute to the annual work plan and assist in the planning and organisation of IG, ethics and DP activities. The DP&IGP will also provide advice and training with regard to improving data management and will support the senior team in the development and delivery of operational and strategic information requirements. The role requires work to be undertaken under explicit and legally defined timeframes (for example, data breaches must be reported within 72 hours and Data Subject Access Requests must be fulfilled within one calendar month).

In their daily work, an employee in this occupation interacts with a range of internal stakeholders including members of their own team, other departments such as IT, legal, HR, marketing, senior management and the board of directors. They also interact with external stakeholders such as members of the public, customers, Supervisory Authorities, The Information Commissioner’s Office (ICO), technology vendors, academics, industry bodies, external legal departments, human rights organisations, consumer rights organisations and law enforcement.

An employee in this occupation will be responsible for assisting the organisation in its compliance with information governance and data protection best practice and associated laws and regulations. They will oversee and manage the day-to-day coordination of information requests such as data subject rights, freedom of information and environmental information regulations. In addition, they will oversee compliance with Information and Records Management, for example the development and maintenance of retention schedules. They assist in the maintenance and administration of the organisation's information and governance framework such as corporate information management, records of processing activity, developing privacy notices, conducting information audits and data breach investigations. On occasion the DP&IGP supports projects by ensuring privacy by design and default. They may also conduct a data protection impact assessment (DPIA) and third-party supplier due diligence. They analyse data and develop briefings for senior leadership on data protection and information governance controls. They may investigate information governance complaints and incidents from internal or external stakeholders. They will work on their own and in a range of team settings. They work within agreed budgets and available resources. The DP&IGP works without high levels of supervision, usually reporting to senior stakeholders. They may occasionally be responsible for decision making, but more often will guide or influence the decisions of others.

Typical job titles include:

Data protection lead
Data protection manager
Information compliance officer
Information governance lead
Information governance officer
Privacy officer

Keywords:

Administration
Assurance
Business
Data
Governance

Knowledge, skills and behaviours (KSBs)

K1: Relevant regulatory and legislative requirements such as data protection, GDPR, confidentiality, cyber security, for the handling and processing of data and its application.
K2: Technology and software used to provide appropriate representation of data and manipulate them into formats (tables, graphs and portfolios) for publication.
K3: The processing of data in technology and software and risks associated with it.
K4: Risk assessment methodologies and approaches to risk treatment or mitigation pertaining to processing data and the impact to the business, recommending appropriate risk treatment or mitigation.
K5: The roles of the key stakeholders in their organisation and how they interact with their own role.
K6: Privacy by design principles and practices such as records of processing and data protection impact assessments (DPIAs).
K7: Fundamental rights of information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulation (EIR), Data Interoperability and Data Protection (DP).
K8: Industry or regulatory toolkits and control frameworks or standards.
K9: How their role fits into the organisation, its governance structures and escalation and the impact that it has.
K10: How their role adds value and the benefit of it to the business.
K11: Communication techniques and approaches to interact with a range of key internal and external stakeholders in order to meet their requirements including using current and emerging technologies to support communication.
K12: Role of the Regulators.
K13: The value of feedback from those they regulate, and the beneficiaries of regulation such as stakeholders in informing future activities.
K14: The support requirements and training needs of their stakeholders.
K15: The need for continuous improvement of systems and procedures to ensure that regulatory requirements are met.
K16: The importance of horizon scanning for future changes and developments in relation to data legislation and case law interpretation.

S1: Use IT systems to manage, share and store information in accordance with data protection requirements and organisation policies.
S2: Communicate complex subjects in simple terms through different media (such as face to face meetings, emails, reports and presentations) to enable key stakeholders to understand what is required.
S3: Prepare documentation and materials for review and ratification.
S4: Working at times under time pressure, prioritising their workloads in order to raise and resolve areas of concern such as individual rights, breach management, FOI requests and information sharing.
S5: Being able to accept and deal with changing priorities related to both their own work and to the organisation, showing the flexibility to maintain high standards in a changing environment.
S6: Undertake data collection, data analysis, data presentation and data storage such as data incidents.
S7: Interpret regulation and legislation, share best practice and advise stakeholders on its application.
S8: Identify organisation needs and how these are applied to enquiries.
S9: Interpret and apply sector guidance appropriately.
S10: Undertake investigations and interviews in order to assess a data breach.
S11: Gather, analyse, use and share data to inform risk assessment and make judgements on actions to take.
S12: Make decisions on data protection and information governance issues raised and ensure that any areas of concern are escalated to the stakeholders.
S13: Provide day to day support, specialist advice, guidance and training across the organisation and external stakeholders for all matters regarding information governance and data protection.
S14: Identify potential data solutions and evidence the way in which they could improve data management.

B1: Acts in a professional manner with integrity and confidentiality.
B2: Works collaboratively with others across the organisation and external stakeholders.
B3: Has accountability and ownership of their tasks and workload.
B4: Seeks learning opportunities and continuous professional development.
B5: Works flexibly and adapts to circumstances.
B6: Takes responsibility, shows initiative and is organised.

Duties

Duty D1

Support senior management by contributing to the development of policies and guidance to ensure the organisation complies with its statutory and regulatory information governance (IG) and data protection (DP) responsibilities.

Duty D2

Work with internal stakeholders to review and maintain retention schedules, providing specialist support, advice and guidance to ensure appropriate disposal of data in compliance with legislation, regulation and good practice.

Duty D3

Develop and deliver in-house IG and DP training and awareness packages for all internal stakeholders such as IT, legal, HR, marketing, senior management and the board of directors.

Duty D4

Co-ordinate and support the organisation’s formal and documented record of processing activities in line with legislation, regulation and good practice.

Duty D5

Analyse data and present the outcomes to their key stakeholders on key risk, trend and performance indicators such as training, information requests, data breaches and records management.

Duty D6

Manage, co-ordinate and respond to information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulation (EIR) and Data Protection (DP), within the statutory deadlines.

Duty D7

Undertake or assist in the completion of data protection impact assessments (DPIA) in order to identify and mitigate any potential risks to the organisation and continue to monitor the status of the risk.

Duty D8

Investigate reported personal data breaches providing advice and guidance to the organisation. Determine the need to escalate, as appropriate, to the Supervisory Authority.

Duty D9

Undertake routine and ad-hoc data protection audit and testing controls for both internal functions and third-party suppliers, producing audit reports for senior managers.

Duty D10

Provide day to day support and specialist advice across the organisation for all matters regarding IG and DP such as compliance with data protection principles.

Duty D11

Contribute to continuous improvement of systems and processes to ensure procedures, policies and guidance are updated in line with technology advancements, legislative and social changes.

Duty D12

Provide support for the completion and submission of industry or regulatory toolkits and control frameworks or standards.

Occupational Progression

This occupational progression map shows technical occupations that have transferable knowledge and skills.

In this map, the focused occupation is highlighted in yellow. The arrows indicate where transferable knowledge and skills exist between two occupations. This map shows some of the strongest progression links between the focused occupation and other occupations.

It is anticipated that individuals would be required to undertake further learning or training to progress to and from occupations. To find out more about an occupation featured in the progression map, including the learning options available, click the occupation.

Progression decisions have been reached by comparing the knowledge and skills statements between occupational standards, combined with individualised learner movement data.

Progression map (image not reproduced): columns for Technical Occupations (Levels 2-3), Higher Technical Occupations (Levels 4-5) and Professional Occupations (Levels 6-7). The focused occupation is at Level 4, with two progression links from it, both at Level 4.