
Data Protection Officer

The Data Protection Officer (DPO) is responsible for ensuring the College complies with data protection legislation and Department for Education (DfE) expectations, including the UK GDPR, Data Protection Act 2018, PECR, and associated statutory guidance.

The postholder supports the College’s statutory duties as a publicly funded education provider, ensuring transparency, accountability, and appropriate safeguarding of personal data relating to learners (including children and vulnerable adults), staff, employers, and partners. The DPO operates independently, reporting concerns to the highest level of management and governance in accordance with Article 38 of UK GDPR. 

Employer
Craven College
Date Posted:
June 18, 2026
Post No.
B277
Location
Skipton
Rate of pay
Management Pay Scale point 10 £50,107.23 per annum, pro rata to £10,834.00 per annum
Hours
8 hours per week
Responsible to
Deputy Principal
Closing Date
July 5, 2026 23:59
Special Conditions

This position is subject to a probationary period of 6 months.

A full enhanced disclosure check via the Disclosure & Barring Service will be required for this post.

Flexible working arrangements are available. 

Key Duties

This job description is a guide to the duties you will be expected to perform immediately on your appointment. These may change in the future in line with the strategic direction and development of the College:

Strategic Leadership and Governance

  • Lead the development and implementation of a College-wide Data Protection Framework aligned with DfE and public sector accountability requirements.
  • Advise the Principal, Senior Leadership Team, and Governing Body on data protection risks, compliance obligations, and assurance arrangements.
  • Ensure data protection governance supports the College’s funding, safeguarding, inspection, and statutory responsibilities.

Compliance and Accountability

  • Oversee compliance with the UK GDPR, Data Protection Act 2018, PECR, Freedom of Information Act, and relevant DfE guidance.
  • Ensure Records of Processing Activities (ROPAs) are maintained in line with Article 30 and reflect FE-specific processing (e.g. ILR, learner records, safeguarding, SEND, HR, biometric systems).

Safeguarding and Learner Data

  • Provide expert guidance on lawful, fair, and transparent processing of data relating to learners, including children and vulnerable adults.
  • Ensure alignment between data protection, safeguarding practice, Keeping Children Safe in Education principles, and information sharing obligations.
  • Advise on appropriate data retention, sharing, and disclosure decisions where safeguarding and welfare considerations apply.

Third Party, Partner, and Subcontracted Provision

  • Oversee data protection compliance across third-party suppliers, employer partners, awarding bodies, and subcontractors.
  • Ensure Data Processing Agreements, information sharing agreements, and assurance mechanisms meet DfE expectations.
  • Monitor and mitigate risks associated with shared and outsourced provision.

Data Protection Impact Assessments (DPIAs)

  • Advise on and oversee DPIAs for new or high-risk processing, including digital learning platforms, monitoring technologies, biometrics, and data sharing initiatives.
  • Ensure risks to learners and staff are identified, mitigated, and escalated appropriately.

Training, Awareness, and Culture

  • Promote a positive, proportionate, and learner-centred data protection culture across the College.
  • Develop and deliver training to staff, managers, and governors to support compliance, accountability, and inspection readiness.
  • Ensure roles and responsibilities for data protection are clearly understood across curriculum and support services.

Incident Management and Requests

  • Act as the College’s primary point of contact for data protection enquiries, breaches, and Subject Access Requests (SARs).
  • Ensure breaches are assessed, reported, and managed in line with statutory timescales and ICO guidance.
  • Provide advice to staff handling complex or sensitive requests involving safeguarding, students, or third parties.

Regulatory Liaison and Reporting

  • Act as the main contact point with the Information Commissioner’s Office (ICO).
  • Cooperate fully with ICO enquiries, audits, and investigations.
  • Provide regular, clear reports to Senior Leadership and the Governing Body on compliance status, risks, breaches, and improvement actions.

This job description and person specification is current at the date of issue. Changing organisational needs may require the job description to change, within reason, after prior consultation with the post holder.

Person Specification

The person we are hoping to appoint will meet all the following essential requirements and some or all of the desirable requirements.

Qualifications and Experience

  • Degree in Law with a minimum of 2 years’ relevant experience, or
  • At least 5 years’ senior experience in data protection, information governance, or compliance within a public sector or education setting.
  • Professional certification such as CIPP/E, CIPM, Advanced Certificate in GDPR, or equivalent.

Knowledge and Expertise

  • Strong, current knowledge of UK GDPR, EU GDPR, PECR, and public sector information governance.
  • Demonstrable understanding of the Further Education sector, including DfE accountability frameworks.
  • Ability to apply legal requirements proportionately in an education and safeguarding context.
  • Commitment to continuous professional development and keeping up to date with regulatory and sector changes.

Skills and Behaviours

  • Credibility and confidence to advise and challenge senior leaders and governors.
  • Strong judgement, independence, and professional integrity, in line with the statutory role of the DPO.
  • Excellent communication and stakeholder management skills.
  • Pragmatic, solution-focused approach aligned with College objectives and learner outcomes.

Additional Requirements

  • Flexible approach to working, including availability to respond to incidents or regulatory matters as required.