Norfolk and Norwich University Hospital
Job summary
The Head of Information Governance / Data Protection Officer provides corporate strategic leadership, statutory accountability, and professional authority for Information Governance, data protection, and data security across the Norfolk and Waveney Acute Hospitals Collaborative.
The postholder is the organisation’s designated Data Protection Officer (DPO) under UK GDPR and the Data Protection Act 2018 and operates independently in this statutory capacity. The role holds corporate responsibility for ensuring the lawful, fair, and transparent processing of personal data, including highly sensitive health information, across multiple Acute Trusts.
The postholder provides authoritative advice and assurance to Trust Boards, Executive Directors, Caldicott Guardians, Senior Information Risk Owners (SIROs), and system partners, ensuring that robust governance frameworks are embedded across digital transformation, clinical services, research activity, and corporate functions.
The role carries significant corporate accountability for safeguarding patient, staff, and organisational information assets. Misinterpretation, governance failure, or non-compliance at this level could result in regulatory enforcement action, substantial financial penalties, service disruption, reputational damage, loss of public trust, and patient harm.
Main duties of the job
- Lead the development and implementation of the Collaborative’s Information Governance and Data Protection Strategy, ensuring alignment with NHS policy, national legislation, ICS objectives, and digital transformation priorities.
- Act as the statutory Data Protection Officer, providing independent oversight and advice regarding compliance with UK GDPR, the Data Protection Act 2018, PECR, the Caldicott Principles, and NHS information governance standards.
- Provide authoritative and independent advice on complex data protection matters, including the lawful basis for processing, special category data, information sharing agreements, cross-border data transfers, research governance, and system-level data integration.
Person Specification
Qualifications
Essential
- Educated to Master’s degree level (or equivalent depth of specialist knowledge developed through extensive senior experience) in Information Governance, Data Protection Law, Information Security, Public Sector Governance, or a related discipline, demonstrating highly specialised theoretical and practical knowledge across legal, regulatory, and digital domains (AfC Knowledge Level 7-8 equivalent).
- Recognised professional qualification in data protection or information governance (e.g., CIPP/E, CIPM, ISEB Data Protection, BCS Practitioner Certificate in Data Protection), evidencing expert-level understanding of UK GDPR, Data Protection Act 2018, Caldicott Principles, Freedom of Information Act, Records Management Code of Practice, and associated NHS regulatory frameworks.
Experience
Essential
- Substantial senior leadership experience in Information Governance, Data Protection, or Information Risk Management within a large, complex NHS or public sector organisation, operating across multiple services and stakeholder groups.
- Proven track record of acting as a statutory Data Protection Officer or equivalent senior IG lead, providing independent oversight and advice to Boards, Audit Committees, SIROs, Caldicott Guardians, and executive teams.
Skills
Essential
- Expert knowledge of UK GDPR, the Data Protection Act 2018, the Caldicott Principles, Freedom of Information legislation, Records Management standards, NHS DSPT requirements, and wider NHS regulatory frameworks.
Attitude
Essential
- Demonstrates the highest standards of professional integrity, confidentiality, and ethical conduct, recognising the sensitive and often emotive nature of information governance work.
Closing Date: 19 July 2026
To apply for this job please visit apps.trac.jobs.