Search the Apprenticeships
Data protection and information governance practitioner

Data protection and information governance practitioner

This is not the latest approved version of this apprenticeship. View the latest version

This apprenticeship has been retired

Overview of the role

Provide regulatory and technical advice providing assurance to key stakeholders and regulators.

Details of standard

Occupation summary

This occupation is found in organisations of all sizes across all sectors where personal and commercial data is processed. Data protection and information governance practitioners work in varied environments including in an office, onsite, or remotely.

The broad purpose of the occupation is to provide regulatory and technical advice and guidance providing assurance to key stakeholders and regulators of compliance with information governance (IG) and data protection (DP) requirements. Organisations must comply with information governance legislation to protect the confidentiality, integrity and availability of its information assets. The data protection and information governance practitioner (DP&IGP) will contribute to the annual work plan and assist in the planning and organisation of IG, ethics and DP activities. The DP&IGP will also provide advice and training with regard to improving data management and will support the senior team in the development and delivery of operational and strategic information requirements. The role requires work to be undertaken under explicit and legally defined timeframes (for example, data breaches must be reported within 72 hours and Data Subject Access Requests must be fulfilled within one calendar month).

In their daily work, an employee in this occupation interacts with a range of internal stakeholders including members of their own team, other departments such as IT, legal, HR, marketing, senior management and the board of directors. They also interact with external stakeholders such as members of the public, customers, Supervisory Authorities, The Information Commissioner’s Office (ICO), technology vendors, academics, industry bodies, external legal departments, human rights organisations, consumer rights organisations and law enforcement.

An employee in this occupation will be responsible for assisting the organisation in its compliance with information governance and data protection best practice and associated laws and regulations. They will oversee and manage the day-to-day coordination of information requests such as data subject rights, freedom of information and environmental information regulations. In addition, they will oversee compliance with Information and Records Management for example the development and maintenance of retention schedules. They assist in the maintenance and administration of the organisations’ information and governance framework such as corporate information management, records of processing activity, developing privacy notices, conducting information audits and data breach investigations. On occasion the DP&IGP supports projects through ensuring privacy by design and default. They may also conduct a data protection impact assessment (DPIA) and third-party supplier due diligence. They analyse data and develop briefings for senior leadership on data protection and information governance controls. They may investigate information governance complaints and incidents from internal or external stakeholders. This role will work on their own and in a range of team settings. They work within agreed budgets and available resources. The DP&IGP work without high levels of supervision, usually reporting to senior stakeholders. They may occasionally be responsible for decision making, but more often will guide or influence the decisions of others.

Typical job titles include:

Data protection lead Data protection manager Information compliance officer Information governance lead Information governance officer Privacy officer

Occupation duties

Duty	KSBs
Duty 1 Support senior management by contributing to the development of policies and guidance to ensure the organisation complies with its statutory and regulatory information governance (IG) and data protection (DP) responsibilities	K1 K6 K7 K8 K11 K12 K16 S1 S2 S3 S7 S9 S13 B1 B2 B5 B6
Duty 2 Work with internal stakeholders to review and maintain retention schedules, providing specialist support, advice and guidance to ensure appropriate disposal of data in compliance with legislation, regulation and good practice	K1 K7 K11 K16 S1 S4 S7 S9 S12 B1 B2
Duty 3 Develop and deliver in-house IG and DP training and awareness packages for all internal stakeholders such as IT, legal, HR, marketing, senior management and the board of directors	K1 K5 K6 K7 K9 K10 K11 K12 K13 K14 S2 S3 S7 S9 S13 B1 B2 B3 B4 B5 B6
Duty 4 Co-ordinate and support the organisation’s formal and documented record of processing activities in line with legislation, regulation and good practice.	K1 K4 K11 K15 S1 S2 S3 S9 S14 B2 B5 B6
Duty 5 Analyse data and present the outcomes to their key stakeholders on key risk, trend and performance indicators such as training, information requests, data breaches and records management	K1 K2 K4 K5 K11 K13 K16 S1 S2 S3 S6 S7 S9 S11 S14 B1 B2 B3 B6
Duty 6 Manage, co-ordinate and respond to information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulation (EIR) and Data Protection (DP), within the statutory deadlines	K1 K3 K5 K7 K8 K9 K10 K11 K12 K14 K15 K16 S1 S2 S3 S4 S5 S6 S7 S8 S9 S12 S13 B1 B2 B3 B5 B6
Duty 7 Undertake or assist in the completion of data protection impact assessments (DPIA) in order to identify and mitigate any potential risks to the organisation and continue to monitor the status of the risk	K1 K3 K4 K5 K6 K7 K8 K10 K11 K12 K13 K15 K16 S1 S2 S3 S4 S5 S7 S9 S11 S12 S14 B1 B2 B3 B5 B6
Duty 8 Investigate reported personal data breaches providing advice and guidance to the organisation. Determine the need to escalate, as appropriate, to the Supervisory Authority.	K1 K2 K4 K5 K8 K9 K11 K12 K13 S1 S2 S3 S4 S5 S6 S7 S8 S9 S10 S11 S12 S14 B1 B2 B3 B5 B6
Duty 9 Undertake routine and ad-hoc data protection audit and testing controls for both internal functions and third-party suppliers, producing audit reports for senior managers	K1 K2 K3 K4 K8 K11 K15 S1 S2 S3 S6 S8 S9 S11 S12 B1 B2 B3 B5 B6
Duty 10 Provide day to day support and specialist advice across the organisation for all matters regarding IG and DP such as compliance with data protection principles	K1 K3 K4 K5 K6 K7 K8 K10 K11 K12 K13 K14 K16 S2 S7 S8 S9 S13 B1 B2 B3
Duty 11 Contribute to continuous improvement of systems and processes to ensure procedures, policies and guidance are updated in line with technology advancements, legislative and social changes	K1 K2 K3 K6 K8 K12 K15 K16 S2 S3 S7 S9 S11 S14 B1 B2 B3 B4
Duty 12 Provide support for the completion and submission of industry or regulatory toolkits and control frameworks or standards	K1 K2 K3 K4 K5 K6 K7 K8 K9 K11 K12 K14 K15 S1 S2 S3 S9 S12 B1 B2 B3 B5 B6

KSBs

Knowledge

K1: Relevant regulatory and legislative requirements such as data protection, GDPR, confidentiality, cyber security, for the handling and processing of data and its application. Back to Duty

K2: Technology and software used to provide appropriate representation of data and manipulate them into formats (tables, graphs and portfolios) for publication. Back to Duty

K3: The processing of data in technology and software and risks associated with it. Back to Duty

K4: Risk assessment methodologies and approaches to risk treatment or mitigation pertaining to processing data and the impact to the business, recommending appropriate risk treatment or mitigation. Back to Duty

K5: The roles of the key stakeholders in their organisation and how they interact with their own role. Back to Duty

K6: Privacy by design principles and practices such as records of processing and data protection impact assessments (DPIAs). Back to Duty

K7: Fundamental rights of information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulation (EIR), Data Interoperability and Data Protection (DP). Back to Duty

K8: Industry or regulatory toolkits and control frameworks or standards. Back to Duty

K9: How their role fits into the organisation, its governance structures and escalation and the impact that it has. Back to Duty

K10: How their role adds value and the benefit of it to the business Back to Duty

K11: Communication techniques and approaches to interact with a range of key internal and external stakeholders in order to meet their requirements including using current and emerging technologies to support communication. Back to Duty

K12: Role of the Regulators Back to Duty

K13: The value of feedback from those they regulate, and the beneficiaries of regulation such as stakeholders in informing future activities. Back to Duty

K14: The support requirements and training needs of their stakeholders. Back to Duty

K15: The need for continuous improvement of systems and procedures to ensure that regulatory requirements are met. Back to Duty

K16: The importance of horizon scanning for future changes and developments in relation to data legislation and case law interpretation. Back to Duty

Skills

S1: Use IT systems to manage, share and store information in accordance with data protection requirements and organisation policies. Back to Duty

S2: Communicate complex subjects in simple terms through different media (such as face to face meetings, emails, reports and presentations) to enable key stakeholders to understand what is required. Back to Duty

S3: Prepare documentation and materials for review and ratification. Back to Duty

S4: Working at times under time pressure, prioritising their workloads in order to raise and resolve areas of concern such as individual rights, breach management, FOI requests and information sharing. Back to Duty

S5: Being able to accept and deal with changing priorities related to both their own work and to the organisation, showing the flexibility to maintain high standards in a changing environment. Back to Duty

S6: Undertake data collection, data analysis, data presentation and date storage such as data incidents. Back to Duty

S7: Interpret regulation and legislation, share best practice and advise stakeholders on its application. Back to Duty

S8: Identify organisation needs and how these are applied to enquiries. Back to Duty

S9: Interpret and apply sector guidance appropriately. Back to Duty

S10: Undertake investigations and interviews in order to assess a data breach. Back to Duty

S11: Gather, analyse, use and share data to inform risk assessment and make judgements on actions to take. Back to Duty

S12: Make decisions on data protection and information governance issues raised and ensure that any areas of concern are escalated to the stakeholders. Back to Duty

S13: Provide day to day support, specialist advice, guidance and training across the organisation and external stakeholders for all matters regarding information governance and data protection. Back to Duty

S14: Source data solutions and seeks to make recommendations to the business to improve data management. Back to Duty

Behaviours

B1: Acts in a professional manner with integrity and confidentiality. Back to Duty

B2: Works collaboratively with others across the organisation and external stakeholders. Back to Duty

B3: Has accountability and ownership of their tasks and workload. Back to Duty

B4: Seeks learning opportunities and continuous professional development. Back to Duty

B5: Works flexibly and adapts to circumstances. Back to Duty

B6: Takes responsibility, shows initiative and is organised. Back to Duty

Qualifications

English and Maths

Apprentices without level 2 English and maths will need to achieve this level prior to taking the End-Point Assessment. For those with an education, health and care plan or a legacy statement, the apprenticeship’s English and maths minimum requirement is Entry Level 3. A British Sign Language (BSL) qualification is an alternative to the English qualification for those whose primary language is BSL.

Professional recognition

This standard aligns with the following professional recognition:

Information and Records Management Society for Individual member grade
The British Computer Society for Associate member grade

Additional details

Occupational Level:

Duration (months):

Review

this apprenticeship will be reviewed in accordance with our change request policy.

End-point assessment (EPA plan)

Rigorous robust and independent assessment undertaken by an apprentice at the end of training to test that the apprentice can perform in the occupation they have been trained in and can demonstrate the duties, and knowledge, skills and behaviours (KSBs) set out in the occupational standard

End-point assessment organisation (EPAO)

An organisation approved to deliver end-point assessment for a particular apprenticeship standard. EPAOs must be on the register of end-point assessment organisations

Holistic or synoptic

Assessment of an apprentice’s knowledge, skills and behaviours in an integrated way i.e. assessing several KSBs at the same time

Knowledge, skills and behaviours (KSB)

What is needed to competently undertake the duties required for an occupational standard

Valid

Referred to in relation to assessment methods; fit for purpose

Change request policy

Most changes to an apprenticeship are made as a result of a holistic review of it. We prioritise the need for such reviews based on a range of factors. These include:

the time since the apprenticeship was developed or last reviewed (taking account of its typical duration)
the existence of any known problems with it (e.g. lower than expected starts, low achievement rate, high withdrawal rate, any issues with the availability of training or end-point assessment provision)
whether the apprenticeship is currently subject to a dispensation
the relative significance of the apprenticeship based on how many users it has

The availability of an employer group to support a review and its potential impact on any related technical education product also inform the timing of a review.

Details of apprenticeships that are currently being revised or adjusted are available in our revisions and adjustments status report.

Status: Retired

Level: 4

Reference: ST0967

Version: 1.0

Date updated: 19/08/2024

Route: Business and administration

Typical duration to gateway: 18 months (this does not include EPA period)

Maximum funding: £10000

LARS Code: 676

EQA Provider: Ofqual

Data protection information governance practitioner assessment plan v1.0 (retired)

File size: 347.3 KB

Employers involved in creating the standard: Greater Manchester Combined Authority Transport for Greater Manchester Magairports Royal London Provident Europcar Education Wise Cygnet Health Cheshire Police Royal Mail Bolton Council Istorm solutions Rentokil Train with premier The Medicines and Healthcare products Regulatory Agency Royal Wolverhampton NHS Trust Luton Borough Council Virgin Health Care The Specialist Hub BJM Consultancy

Print the occupational standard (including PDF)

Version log

Version	Change detail	Earliest start date	Latest start date
1.1	Occupational standard and end-point assessment plan revised Amendment to S14 required to mitigate EPA delivery issues. Two grading descriptor have been amended to mitigate delivery issues.	19/08/2024	Not set
1.0	Approved for delivery	30/03/2022	18/08/2024

Share this page

LinkedIn X Facebook Email

Crown copyright © 2024. You may re-use this information (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence. Visit www.nationalarchives.gov.uk/doc/open-government-licence