Role/Job title: EPR Programme Information Governance Lead
Work location: Lincolnshire (United Kingdom)
Role type (Permanent/Fixed Term/Contracting): Contracting
Mode of working (Hybrid/office based): Hybrid
If Hybrid, how many days are required in office? To be agreed based on project needs (typically 1-2 days per week onsite)
Number of positions: 1
Unit: PS (RoW) Public Sector Rest of the World
Duration of assignment: 6 months
Any other working conditions (travel/on call/shifts): No

To be published on job boards from below onwards

The Role

This role requires a ULTH EPR Programme Information Governance Lead who leads IG activity across the design, testing, implementation, and adoption of the EPR, ensuring ULTH continues to meet its statutory obligations regarding Information Governance and Data Protection. As the programme's IG subject-matter expert, the post-holder will interpret national policy and guidance and lead the development and/or revision of IG-related programme collateral, including Data Privacy Impact Assessment documents, Data Sharing/Data Processing agreements, and Data Security & Protection Toolkits (DSPTs). The post-holder will also lead risk mitigation and oversee the management of data risks associated with implementing the EPR across the Trust.

Your responsibilities:

- Provide leadership and guidance to programme delivery teams to ensure success.
- Serve as the programme's first point of contact for all data protection matters.
- Foster a strong data protection culture by informing and advising programme leadership on their legal obligations under Data Protection legislation.
- Provide expert advice to the Trust EPR Programme Senior Responsible Owner (SRO), the Programme Director, and all members of the Trust EPR Programme team responsible for decisions about personal data processing.
- Ensure the monitoring and reporting of compliance with the law and Trust policies, raising awareness up to Trust EPR Programme Board level (via the Compliance Advisory Group).
- Lead any required changes to IG training and to policies relating to audit and incident investigation.
- Co-operate with the Information Commissioner's Office (ICO), the UK regulator of information rights.
- Act, alongside the Trust DPO, as an additional point of liaison for data subjects, including patients, staff, and others whose information is processed by the Trust within the scope of the EPR Programme.
- Ensure data protection is considered wherever there is a risk to personal data, including:
  a. In-depth Data Protection Impact Assessments.
  b. Legally binding contracts.
  c. Signed Data Sharing Agreements.
  d. Clear accountability for data within integrated working arrangements.
  e. Representing the ULTH EPR Programme on IG matters.
- The post-holder manages any additional Information Governance (IG) resources employed by ULTH to deliver programme-related IG activities.
- The post-holder manages clear proposals and draft documentation for the creation and/or modification of IG policies and procedures.
- Provide expert IG advice, strategic leadership, and support to the Trust EPR Programme.
- Exercise overall line management of any additional IG resources employed by the Trust, ensuring efficient, quality-driven service delivery and performance.
- Support the Trust on the strategic direction of Information Governance as it relates to EPR implementation and adoption.
- Maintain up-to-date expert knowledge of Data Protection legislation and NHS practice, and how they apply to the Trust EPR, providing support, advice, and assurance of compliance across the Trust.
- Act as the first point of contact within the EPR Programme for all data protection matters.
- Ensure data protection is embedded by default and by design in the Trust EPR (including associated third-party systems) and related information processes.
- Support the Trust in responding to direct contact from data subjects relating to the Trust EPR.
- Ensure appropriate confidentiality is maintained in performing all tasks.
- In carrying out duties, ensure responsibilities remain independent and report any potential conflicts of interest to the highest management level.
- Update, develop, and establish policies, procedures, and other measures to ensure compliance with the GDPR (as it relates to EPR implementation and adoption), including but not limited to: records of processing activities; data protection by design and default; data protection impact assessments; and fair processing notices.
- Monitor compliance with these measures and report as required, providing updates to the EPR Board and attending/reporting to Trust IG groups as needed.
- Serve as the EPR Programme's data protection expert on projects and initiatives involving new or innovative information processes, using data protection impact assessments where required and where there is reliance on or linkage to the EPR (e.g., implementation of an EDMS).
- Ensure appropriate data sharing/processing agreements are in place, working with procurement to include data processing provisions in contracts with data processors and to ensure data sharing agreements are in place with other data controllers.
- Ensure all data sharing agreements are formally reviewed at contract review meetings and challenge where this is not the case.
- Lead the development of data protection impact assessments and ensure proposed mitigations are recorded and managed.
- Where required (and by agreement with the Trust DPO/Head of IG), consult the Information Commissioner's Office (ICO) where proposed processing poses a high risk in the absence of mitigations.
- Ensure any additional programme IG resource operates effectively in supporting these functions.
- Take account of the risks associated with processing in the performance of all tasks.
- Provide specialist advice to the EPR Programme on compliance obligations.
- Advise projects and business change initiatives on when a data protection impact assessment is required.
- At a high level, ensure the EPR Programme can demonstrate compliance with all GDPR requirements via the Data Security and Protection Toolkit. Key components include, but are not limited to, the points below:
  - Policies and procedures that comprehensively address GDPR requirements and are current and available.
  - Information provided to patients and other data subjects that is fit for purpose, up to date, and signposts procedures addressing data subjects' rights under the GDPR.
  - A database that records, and can provide on request, details of all processing activities with the data required by the GDPR.
  - Evidence that privacy by design and by default principles are incorporated into all processing.
  - Evidence that Data Protection Impact Assessments are conducted where appropriate, with conclusions that mitigate risk and are assured.
- Lead operational IG for the EPR Programme, advocating for IG as a critical activity that all staff must understand when handling person-identifiable staff and patient information in an environment where most data is classified as sensitive under data protection legislation.
- Strive to ensure information processing related to the Trust EPR is as transparent as possible to data subjects, making all reasonable efforts to ensure patients and staff understand how their information will be used in line with fair processing under data protection legislation.
- Actively support the Trust in establishing a clear strategy and improvement plan for a co-ordinated approach to implementing Information Governance within the Trust, thereby meeting legal and regulatory obligations in relation to:
  - UK General Data Protection Regulation (UK GDPR)
  - UK Data Protection Act 2018
  - Caldicott Report 1997 (and amendments 2013 and 2016)
  - DoH Confidentiality Code of Practice
  - Records Management Code of Practice 2023
  - Freedom of Information Act 2000
  - CQC regulations
- Ensure appropriate escalation of information risks, as well as key points for the SIRO's IG report to the Board, where required.
- Ensure close liaison with, and support for, the Trust Caldicott Guardian, as appropriate, in promoting the ethical, lawful, and safe use of patient information.
- Facilitate close liaison between the IG team and the Information Security and Clinical Safety teams.

Your Profile

Essential skills/knowledge/experience:

- Making complex IG decisions and acting upon them.
- Applying information law to healthcare settings, dealing with contentious and sensitive issues, and communicating with patients, all levels of staff, other organisations, and the regulator.
- Excellent interpersonal skills with the ability to use specialist knowledge to negotiate, persuade and motivate staff at all levels.
- Developed written and verbal communication skills for delivering messages to a range of stakeholders, both internal and external, and for writing reports up to Board level.
- Able to assimilate new systems and technologies in a fast-changing technical world.
- Flexibility in a rapidly changing environment in respect of Data Protection legislation.
- Ability to analyse a variety of legislation and national best practice, apply it to organisational policies and processes, and use it to recommend and inform decision making in relation to operational processes and system design.
- Post holder will largely be responsible for managing their own time in a manner which supports the requirements of the EPR programme and activities.
- Must be able to undertake long-term VDI usage.

Desirable skills/knowledge/experience:

- Professional Information Governance knowledge acquired through postgraduate level qualification or evidence of significant equivalent experience.
- Further professional qualifications in Information Governance in line with British Computing Society (BCS) Practitioner Qualifications in Data Protection.