Salary: $5,198,035 p.a.
JOB PURPOSE
Under the general leadership and direction of the Permanent Secretary, the Data Protection Officer is responsible for independently monitoring the compliance and data practices of the Ministry, the Regional Health Authorities and its other agencies, and their functions, with regard to the provisions of the Data Protection Act 2020 of the Government of Jamaica. The incumbent will also serve as the primary point of contact within the Ministry for all data subjects, including members of staff, clients/patients, suppliers and any relevant public bodies, on issues related to data privacy and data protection. The Data Protection Officer also reviews policies that enforce compliance with applicable legislation and trains staff to increase awareness of data privacy and protection requirements.
KEY OUTPUT
- Internal Data Protection Framework established
- Internal DPA compliance monitored
- Advice regarding Data Protection Impact Assessments (DPIAs) provided
- Data protection and compliance training developed
- Compliance Gap Assessment Report produced
- Data Subject Access Request (DSAR) Log reviewed
- Monthly/Quarterly DPA Compliance Status Reports submitted
- Legislative advice on Data Protection and privacy related issues provided
- Robust and comprehensive Data Quality and Protection controls established
- Technical advice/information provided
- Reports, Cabinet Submissions/Notes, technical papers, and publications prepared and issued
- Annual/Quarterly/Monthly performance Reports prepared
KEY RESPONSIBILITY AREAS INCLUDE:
- Establishes and maintains various Data Protection/Privacy Policy Committees/Technical Working Groups that provide policy insight and make recommendations for the implementation of improved procedures and systems;
- Prepares and delivers presentations related to Data Protection/Privacy Policy as needed;
- Participates in meetings, seminars, workshops and conferences as required;
- Prepares reports and programme documents as required;
- Leads and directs internal reviews to ensure compliance with applicable standards and address potential issues;
- Reviews internal policies and procedures to support compliance with applicable laws, regulations, and standards;
- Recommends to the OIC corrective measures necessary to address areas of non-compliance with the Authority’s data privacy and data protection obligations and monetary fines/penalties applicable;
- Implements strategies and a privacy governance framework to manage personal and sensitive personal data used in compliance with the Data Protection Act 2020;
- Reviews data protection impact assessments by applying data quality controls as prescribed in the Data Governance Framework to determine compliance with regulatory requirements;
- Collaborates with the Information Communication and Technology (ICT) Teams in the maintenance of a cyber-security incident management plan to ensure timely remediation of incidents including impact assessments, security breach response, complaints, claims or notifications and responding to subject access requests;
- Monitors to ensure that the Ministry’s ICT Systems and procedures comply with the relevant data privacy and protection law, regulation and policy;
- Monitors to ensure that the Ministry’s procedures and policies for processing personal and sensitive personal data are in compliance with the data protection standards of the Act and its Regulations and the Good Practice guidelines of the Ministry;
- Evaluates existing policies and procedures to coordinate internal practices and to ensure compliance with regulations;
- Reviews the Ministry’s internal control mechanisms to ensure that they are aligned with standards and provisions outlined in the Data Protection Act;
- Reviews and documents the legal basis for processing personal and sensitive personal data;
- Provides legislative advice and guidance to the Executive Management Team as to gaps identified from the outcome of the Data Protection and Privacy Impact Assessment process;
- Serves as the primary point of contact for the Information Commissioner on all data protection matters;
- Establishes a process for receiving, documenting, tracking, investigating and taking action on all complaints concerning the organization’s privacy policies and procedures;
- Identifies compliance breaches as they arise, advises management on rules and controls, and escalates to the Information Commissioner as the need arises;
- Consults with the Office of the Information Commissioner to resolve any doubt about how the provisions of the Act and its regulations are to be applied;
- Receives and responds to comments and queries from data subjects related to the processing of personal data;
- Provides guidance and assistance to data subjects, RHAs and BPOs in exercising their rights under the Act (Sections 6-13) as it relates to: the right to access, the right to prevent processing, the right in relation to automated decision making and the right to rectification;
- Provides advice/information to the Ministry and its employees on their obligations under the Act and data protection provisions;
- Develops and implements approved certification mechanisms to demonstrate compliance;
- Keeps abreast of amendments to policies, procedures and legislation and any pertinent developments within the dynamic environments;
- Monitors and evaluates the Ministry’s efforts at corrective actions to ensure that findings and recommendations (weaknesses and/or deficiencies) are effectively dealt with;
- Prepares reports and presentations on findings and analysis;
- Facilitates the training of staff on the components of the Act, Regulations and policies.
Minimum Required Education and Experience
- Undergraduate Degree in Information Security, Law, Computer Science, Information Technology, Data Privacy, or a related field.
AND
- At least one (1) International Association of Privacy Professionals (IAPP) certification:
  - Certified Information Privacy Professional (CIPP)
  - Certified Information Privacy Manager (CIPM)
  - Certified Information Privacy Technologist (CIPT)
OR
- At least one (1) ISACA certification in Governance and Risk Management:
  - Certified in Risk and Information Systems Control (CRISC)
  - Certified in Governance of Enterprise IT (CGEIT)
  - Certified Information Security Manager (CISM)
AND
- At least 3-5 years’ work experience in Privacy, Compliance, Information Security, Auditing, or a relevant field (Finance, Law, Business Administration, Information Technology)
- Sound knowledge of the Access to Information Act and anti-corruption
- Experience in the following areas is an asset:
  - Mapping/understanding business processes and data handling or processing needs in a relevant/related industry.
  - Cybersecurity – dealing with real security incidents, risk assessments, countermeasures, and data protection impact assessments.
Applications with résumés are to be submitted no later than Friday, June 14, 2024 to:
Senior Director
Human Resource Management & Development
Ministry of Health & Wellness
10A Chelsea Avenue
Kingston 10
The Ministry of Health thanks all applicants for their interest; however, please note that only short-listed candidates will be contacted.