Advises on restricted transfers including any additional safeguards and ensures copies of safeguards are available to persons whose data is to be or has been transferred overseas.
SFIA Skills: Security and privacy
Control and owners (PEDP) (Level 6)
Maintains an overview of the organisation’s information assets, identifies the information asset owners and implements internal audits including controls on storing, security, maintaining records of processing activities, data protection impact assessments, transfers, contracts and handling access to personal data.
Regulatory compliance (Level 7) (IG)
Responsible for business strategy compliance with information governance policies. Takes steps to ensure the organisation complies with all relevant data security regulations including UK GDPR and confidentiality. Identifies the impact of any relevant statutory, internal or external regulations on the organisation’s use of personal information and develops approaches for compliance. Leads and plans activities to communicate and implement information management and privacy strategies. Oversees privacy notices, ROPAs and supports the DPO with the applicability of DPIAs as appropriate.
Regulatory compliance (Level 5)
Reviews and assists own organisation to maintain a privacy notice and record of processing activities (ROPA). Advises and, where necessary, assists on the application of data protection impact assessments (DPIA) and maintains records for compliance within regulatory access requirements.
Regulatory compliance (Level 6)
Identifies the impact of any relevant statutory, internal or external regulations on the organisation’s use of personal information and develops strategies for compliance. Leads and plans activities to communicate and implement information management and privacy strategies. Monitors and advises on application of privacy notice, ROPA and application of DPIAs. Acts as contact point for regulatory authority (Commissioner) on issues relating to processing, prior consultations and other matters as appropriate.
Information governance culture (IG) (Level 7)
Obtains organisational commitment to information governance at the highest level. Establishes a culture where information governance is the responsibility of every employee.
Data and information security culture (INAS) (Level 7)
Obtains organisational commitment to data and information security at the highest level. Establishes a culture where data and information security is the responsibility of every employee.
Influencing partners (IG) (Level 7)
Influences key partner organisations to maintain information governance policies and practices in line with those of own organisation.
Business plans (IG) (Level 7)
Has significant input to development of business plans, ensuring that information governance is integrated into business strategy and policies.
Implementation and processes (IG) (Level 7)
Ensures that the organisation implements processes to take forward the information governance strategy and policies and complies with the Data Security and Protection Toolkit (DSPT).
Strategy (IG) (Level 7)
Takes overall responsibility for establishing and managing information governance strategy and policies in accordance with external and internal legislation and guidance relevant to the organisation.
Advice and guidance (IG) (Level 7)
Leads and guides provision of information governance requirements across all the organisation’s information and information systems.
Risk assessment (IG) (Level 4)
Carries out risk assessments as directed, using standard processes for identifying potential information governance risks.
Policies (IG) (Level 4)
Interprets and applies approaches for the assessment of complex information artefacts and data flows against information governance policies and business objectives.
Advice and guidance (IG) (Level 4)
Provides information governance advice and guidance, sometimes complex, to colleagues and suppliers to ensure they effectively, legally and safely manage and share records and information. Encourages and coaches less experienced information governance colleagues.
Threats and breaches (IG) (Level 5)
Responds to major data security breaches in line with security and information governance policies and recommends appropriate control improvements. Supports any investigation that takes place as a result of a breach. Supports action to categorise and limit damage, according to the organisation’s security policy, which may include escalation and reporting the incident to the Information Commissioner’s Office, and records the incident and action taken.
Threats and breaches (IG) (Level 6)
Ensures the identification and monitoring of data security and data protection trends and proactively assesses impact on business strategies, benefits and risks. Manages assessment of threats to confidentiality, integrity, availability and relevant compliance. Contributes to data security control reviews, business risk assessments and reviews that follow significant breaches of data security controls.
Implementation and processes (IG) (Level 6)
Supports the development, implementation and monitoring of organisational policies and processes relating to information governance.
Performance measures (IG) (Level 6)
Determines appropriate and practical performance measures to ensure that information governance priorities set by the business can be effectively monitored.
Best practice (INAS) (Level 6)
Assesses legal and best practice issues, and promotes awareness of national and international laws, including those relating to confidentiality, privacy and copyright.
Risk assessment (IG) (Level 5)
Maintains oversight of complex data protection and confidentiality risk assessments and develops mitigating strategies for highly complex or strategic scenarios. Oversees application of the principles of risk assessment, risk management processes and decision making as they relate to information governance.
Threats and breaches (IG) (Level 3)
Responds to data security breaches in line with security and information governance policies. Supports any investigation that takes place as a result of a breach. Supports action to categorise and limit damage, according to the organisation’s security policy, which may include escalation and reporting the incident to the Information Commissioner’s Office, and records the incident and action taken.
Risk assessment (IG) (Level 2)
Supports risk assessment following standard procedures. Maintains and monitors risk assessment documentation.
Incident response (IG) (Level 6)
Cooperates with the supervisory authority. Acts as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36. Consults, where appropriate, with regard to any other matter. Advises the organisation on risk mitigations and required actions.
Cooperation and relationships (PEDP) (Level 6)
Instigates and encourages cooperation with subject matter experts, wherever the opportunity or requirement exists, in order to build effective relationships within the organisation. Demonstrates how collaborative working will increase the organisation’s effectiveness, reduce risk and create trust and resilience with the general public. Areas to work with should include legal, public relations, learning and development, procurement, information security, IT, security, data management and architecture.
Restricted transfers (IG) (Level 4)
Advises on restricted transfers including any additional safeguards and ensures copies of safeguards are available to persons whose data is to be or has been transferred overseas.
Incident response (PEDP) (Level 6) (IG)
Assesses and manages the risk for any potential personal data breaches and cyber incidents. Sets in motion the agreed procedures to identify the breach, including with third parties, works within the statutory timeline, mitigates risk, and maintains communications with the Data Protection Officer (DPO), or equivalent where a DPO is not required, to comply with statutory notification to the regulatory authority (Commissioner) if the breach is confirmed.
Policies, procedures and governance (PEDP) (Level 6)
Consults, collaborates and offers expert advice on developing organisational policies, procedures, best practice, privacy policies, standards and guidelines ensuring recognised data protection definitions and practices are applied throughout the organisation. Has due regard to the risk associated with processing operations, taking into account the nature, context and purpose of processing.
IG cyber threat understanding (IG) (Level 6)
Provides an IG perspective on cyber threats.
Incident response (PEDP) (Level 5)
Assesses and manages the risk for any potential personal data breaches and cyber incidents. Sets in motion the agreed procedures to identify the breach, including with third parties, works within the statutory timeline, mitigates risk, and maintains communications with the Data Protection Officer (DPO), or equivalent where a DPO is not required, to comply with statutory notification to the regulatory authority (Commissioner) if the breach is confirmed.
Information sharing (PEDP) (Level 6)
Advises on information sharing requirements, including agreements and ad hoc disclosures (for example, police requests).
Data protection by design and default (PEDP) (Level 6)
Monitors compliance with data protection by design and default through DPIAs and associated documentation.
Training and raising awareness (PEDP) (Level 6)
Influences culture through training and by raising the awareness of staff.
Internal compliance (PEDP) (IG) (Level 6)
Monitors compliance of the organisation (or its processors) in relation to the protection of personal data, including the assignment of responsibilities to manage functions under UK GDPR.
Individual rights requests (PEDP) (IG) (Level 6)
Monitors the organisation’s compliance with individual rights requests.
Cyber threat understanding (THIN) (Level 5)
Maintains an understanding of the local threat environment and applies this knowledge to inform and provide context for wider activities. Uses local threat information in decision-making and planning.
Information governance culture (IG) (Level 6)
Champions organisational commitment to positive information governance culture. Promotes and supports a culture where information governance is a responsibility of every employee.
Individual rights requests (PEDP) (IG) (Level 5)
Processes straightforward subject access requests in accordance with GDPR requirements as applicable. Maintains compliance with the applicable timeframes and with any permitted charges or refusals.
Policies (IG) (Level 3)
Follows standard approaches for the assessment of information artefacts and data flows against information governance policies and business objectives.
Information governance audit (PEDP) (Level 5)
Applies the principles, practices, tools and techniques of information governance auditing and of the Data Security and Protection Toolkit (DSPT).
Access requests (Level 4)
Supports the processing of subject access requests in accordance with GDPR requirements.
Advice and guidance (IG) (Level 3)
Provides straightforward information governance advice and guidance to colleagues and suppliers to ensure they effectively manage information.
Data security and protection toolkit (IG) (Level 4)
Uses the Data Security & Protection Toolkit (DSPT) to provide assurance that information assets are secure and that personal information is handled correctly.