Head of Information Governance

Norfolk and Norwich University Hospital

Job summary

The Head of Information Governance / Data Protection Officer provides corporate strategic leadership, statutory accountability, and professional authority for Information Governance, data protection, and data security across the Norfolk and Waveney Acute Hospitals Collaborative.

The postholder is the organisation’s designated Data Protection Officer (DPO) under UK GDPR and the Data Protection Act 2018 and operates independently in this statutory capacity. The role holds corporate responsibility for ensuring the lawful, fair, and transparent processing of personal data, including highly sensitive health information, across multiple Acute Trusts.

The postholder provides authoritative advice and assurance to Trust Boards, Executive Directors, Caldicott Guardians, Senior Information Risk Owners (SIROs), and system partners, ensuring that robust governance frameworks are embedded across digital transformation, clinical services, research activity, and corporate functions.

The role carries significant corporate accountability for safeguarding patient, staff, and organisational information assets. Misinterpretation, governance failure, or non-compliance at this level could result in regulatory enforcement action, substantial financial penalties, service disruption, reputational damage, loss of public trust, and patient harm.

Main duties of the job

Lead the development and implementation of the Collaborative’s Information Governance and Data Protection Strategy, ensuring alignment with NHS policy, national legislation, ICS objectives, and digital transformation priorities.

Act as the statutory Data Protection Officer, providing independent oversight and advice regarding compliance with UK GDPR, Data Protection Act 2018, PECR, Caldicott Principles, and NHS information governance standards.

Provide authoritative and independent advice on complex data protection matters, including lawful basis for processing, special category data, information sharing agreements, cross-border data transfers, research governance, and system-level data integration.

Person Specification

Qualifications

Essential

  • Educated to Master’s degree level (or equivalent depth of specialist knowledge developed through extensive senior experience) in Information Governance, Data Protection Law, Information Security, Public Sector Governance, or a related discipline, demonstrating highly specialised theoretical and practical knowledge across legal, regulatory, and digital domains (AfC Knowledge Level 7-8 equivalent).
  • Recognised professional qualification in data protection or information governance (e.g., CIPP/E, CIPM, ISEB Data Protection, BCS Practitioner Certificate in Data Protection), evidencing expert-level understanding of UK GDPR, Data Protection Act 2018, Caldicott Principles, Freedom of Information Act, Records Management Code of Practice, and associated NHS regulatory frameworks.

Experience

Essential

  • Substantial senior leadership experience in Information Governance, Data Protection, or Information Risk Management within a large, complex NHS or public sector organisation, operating across multiple services and stakeholder groups.
  • Proven track record of acting as a statutory Data Protection Officer or equivalent senior IG lead, providing independent oversight and advice to Boards, Audit Committees, SIROs, Caldicott Guardians, and executive teams.

Skills

Essential

  • Expert knowledge of UK GDPR, Data Protection Act 2018, Caldicott Principles, Freedom of Information legislation, Records Management standards, NHS DSPT requirements, and wider NHS regulatory frameworks.

Attitude

Essential

  • Demonstrates the highest standards of professional integrity, confidentiality, and ethical conduct, recognising the sensitive and often emotive nature of information governance work.

Disclosure and Barring Service Check

This post is subject to the Rehabilitation of Offenders Act (Exceptions Order) 1975 and as such it will be necessary for a submission for Disclosure to be made to the Disclosure and Barring Service (formerly known as CRB) to check for any previous criminal convictions.

Certificate of Sponsorship

Applications from job seekers who require current Skilled worker sponsorship to work in the UK are welcome and will be considered alongside all other applications. For further information visit the UK Visas and Immigration website.

From 6 April 2017, skilled worker applicants applying for entry clearance into the UK have had to present a criminal record certificate from each country in which they have resided continuously or cumulatively for 12 months or more in the past 10 years. Adult dependants (over 18 years old) are also subject to this requirement. Guidance can be found in "Criminal records checks for overseas applicants".

Closing Date: 19 July 2026

To apply for this job please visit apps.trac.jobs.