Provide regulatory and technical advice providing assurance to key stakeholders and regulators.
This occupation is found in organisations of all sizes across all sectors where personal and commercial data is processed. Data protection and information governance practitioners work in varied environments including in an office, onsite, or remotely.
The broad purpose of the occupation is to provide regulatory and technical advice and guidance providing assurance to key stakeholders and regulators of compliance with information governance (IG) and data protection (DP) requirements. Organisations must comply with information governance legislation to protect the confidentiality, integrity and availability of their information assets. The data protection and information governance practitioner (DP&IGP) will contribute to the annual work plan and assist in the planning and organisation of IG, ethics and DP activities. The DP&IGP will also provide advice and training with regard to improving data management and will support the senior team in the development and delivery of operational and strategic information requirements. The role requires work to be undertaken under explicit and legally defined timeframes (for example, data breaches must be reported within 72 hours and Data Subject Access Requests must be fulfilled within one calendar month).
In their daily work, an employee in this occupation interacts with a range of internal stakeholders including members of their own team, other departments such as IT, legal, HR, marketing, senior management and the board of directors. They also interact with external stakeholders such as members of the public, customers, Supervisory Authorities, The Information Commissioner’s Office (ICO), technology vendors, academics, industry bodies, external legal departments, human rights organisations, consumer rights organisations and law enforcement.
An employee in this occupation will be responsible for assisting the organisation in its compliance with information governance and data protection best practice and associated laws and regulations. They will oversee and manage the day-to-day coordination of information requests such as data subject rights, freedom of information and environmental information regulations. In addition, they will oversee compliance with Information and Records Management, for example the development and maintenance of retention schedules. They assist in the maintenance and administration of the organisation’s information and governance framework such as corporate information management, records of processing activity, developing privacy notices, conducting information audits and data breach investigations. On occasion, the DP&IGP supports projects by ensuring privacy by design and default. They may also conduct a data protection impact assessment (DPIA) and third-party supplier due diligence. They analyse data and develop briefings for senior leadership on data protection and information governance controls. They may investigate information governance complaints and incidents from internal or external stakeholders. They will work on their own and in a range of team settings. They work within agreed budgets and available resources. The DP&IGP works without high levels of supervision, usually reporting to senior stakeholders. They may occasionally be responsible for decision making, but more often will guide or influence the decisions of others.
Duty | KSBs |
---|---|
Duty 1 Support senior management by contributing to the development of policies and guidance to ensure the organisation complies with its statutory and regulatory information governance (IG) and data protection (DP) responsibilities. | |
Duty 2 Work with internal stakeholders to review and maintain retention schedules, providing specialist support, advice and guidance to ensure appropriate disposal of data in compliance with legislation, regulation and good practice. | |
Duty 3 Develop and deliver in-house IG and DP training and awareness packages for all internal stakeholders such as IT, legal, HR, marketing, senior management and the board of directors. | |
Duty 4 Co-ordinate and support the organisation’s formal and documented record of processing activities in line with legislation, regulation and good practice. | |
Duty 5 Analyse data and present the outcomes to their key stakeholders on key risk, trend and performance indicators such as training, information requests, data breaches and records management. | |
Duty 6 Manage, co-ordinate and respond to information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulation (EIR) and Data Protection (DP), within the statutory deadlines. | K1 K3 K5 K7 K8 K9 K10 K11 K12 K14 K15 K16 |
Duty 7 Undertake or assist in the completion of data protection impact assessments (DPIA) in order to identify and mitigate any potential risks to the organisation and continue to monitor the status of the risk. | K1 K3 K4 K5 K6 K7 K8 K10 K11 K12 K13 K15 K16 |
Duty 8 Investigate reported personal data breaches providing advice and guidance to the organisation. Determine the need to escalate, as appropriate, to the Supervisory Authority. | |
Duty 9 Undertake routine and ad-hoc data protection audit and testing controls for both internal functions and third-party suppliers, producing audit reports for senior managers. | |
Duty 10 Provide day to day support and specialist advice across the organisation for all matters regarding IG and DP such as compliance with data protection principles. | |
Duty 11 Contribute to continuous improvement of systems and processes to ensure procedures, policies and guidance are updated in line with technology advancements, legislative and social changes. | |
Duty 12 Provide support for the completion and submission of industry or regulatory toolkits and control frameworks or standards. | |
K1: Relevant regulatory and legislative requirements such as data protection, GDPR, confidentiality, cyber security, for the handling and processing of data and its application.
K2: Technology and software used to provide appropriate representation of data and manipulate them into formats (tables, graphs and portfolios) for publication.
K3: The processing of data in technology and software and risks associated with it.
K4: Risk assessment methodologies and approaches to risk treatment or mitigation pertaining to processing data and the impact to the business, recommending appropriate risk treatment or mitigation.
K5: The roles of the key stakeholders in their organisation and how they interact with their own role.
K6: Privacy by design principles and practices such as records of processing and data protection impact assessments (DPIAs).
K7: Fundamental rights of information requests such as Freedom of Information (FOI), Individual Rights (IR), Environmental Information Regulation (EIR), Data Interoperability and Data Protection (DP).
K8: Industry or regulatory toolkits and control frameworks or standards.
K9: How their role fits into the organisation, its governance structures and escalation and the impact that it has.
K10: How their role adds value and the benefit of it to the business.
K11: Communication techniques and approaches to interact with a range of key internal and external stakeholders in order to meet their requirements including using current and emerging technologies to support communication.
K12: Role of the Regulators
K13: The value of feedback from those they regulate, and the beneficiaries of regulation such as stakeholders in informing future activities.
K14: The support requirements and training needs of their stakeholders.
K15: The need for continuous improvement of systems and procedures to ensure that regulatory requirements are met.
K16: The importance of horizon scanning for future changes and developments in relation to data legislation and case law interpretation.
S1: Use IT systems to manage, share and store information in accordance with data protection requirements and organisation policies.
S2: Communicate complex subjects in simple terms through different media (such as face to face meetings, emails, reports and presentations) to enable key stakeholders to understand what is required.
S3: Prepare documentation and materials for review and ratification.
S4: Working at times under time pressure, prioritising their workloads in order to raise and resolve areas of concern such as individual rights, breach management, FOI requests and information sharing.
S5: Being able to accept and deal with changing priorities related to both their own work and to the organisation, showing the flexibility to maintain high standards in a changing environment.
S6: Undertake data collection, data analysis, data presentation and data storage such as data incidents.
S7: Interpret regulation and legislation, share best practice and advise stakeholders on its application.
S8: Identify organisation needs and how these are applied to enquiries.
S9: Interpret and apply sector guidance appropriately.
S10: Undertake investigations and interviews in order to assess a data breach.
S11: Gather, analyse, use and share data to inform risk assessment and make judgements on actions to take.
S12: Make decisions on data protection and information governance issues raised and ensure that any areas of concern are escalated to the stakeholders.
S13: Provide day to day support, specialist advice, guidance and training across the organisation and external stakeholders for all matters regarding information governance and data protection.
S14: Identify potential data solutions and evidence the way in which they could improve data management.
B1: Acts in a professional manner with integrity and confidentiality.
B2: Works collaboratively with others across the organisation and external stakeholders.
B3: Has accountability and ownership of their tasks and workload.
B4: Seeks learning opportunities and continuous professional development.
B5: Works flexibly and adapts to circumstances.
B6: Takes responsibility, shows initiative and is organised.
Apprentices without level 2 English and maths will need to achieve this level prior to taking the End-Point Assessment. For those with an education, health and care plan or a legacy statement, the apprenticeship’s English and maths minimum requirement is Entry Level 3. A British Sign Language (BSL) qualification is an alternative to the English qualification for those whose primary language is BSL.
This standard aligns with the following professional recognition:
4
18
This apprenticeship will be reviewed in accordance with our change request policy.
Version | Change detail | Earliest start date | Latest start date |
---|---|---|---|
1.1 | Occupational standard and end-point assessment plan revised. Amendment to S14 required to mitigate EPA delivery issues. Two grading descriptors have been amended to mitigate delivery issues. | 19/08/2024 | Not set |
1.0 | Approved for delivery | 30/03/2022 | 18/08/2024 |
Crown copyright © 2024. You may re-use this information (not including logos) free of charge in any format or medium, under the terms of the Open Government Licence. Visit www.nationalarchives.gov.uk/doc/open-government-licence