
General Manager - Data Privacy Assessment - Fixed Term, 2 Year Contract
Temporary/Contract/Project
Job Summary
The Child and Family Agency was established on 1st January 2014 and is responsible for a range of statutory functions including provision of child protection, alternative care, specified regulatory services and a range of family support services. The Agency has commenced a major improvement programme with significant focus on Practice, Culture and Structure.
The Agency currently has responsibility for a budget of circa €1.2 billion and delivers its services through over 5,500 people in 259 locations across the country.
The Child and Family Agency has responsibility for the following range of services:
- Child Protection and Welfare
- Parenting, Family Support and Early Help Services
- Alternative Care
- Birth Information & Tracing and Adoption
- Tusla Education Support Services (TESS)
- Children’s Service Regulation
- Counselling and Therapeutic Supports
Further information is available on www.tusla.ie
Data Protection Unit
Tusla, Child and Family Agency, invites applications from suitably qualified persons for a key role within its Data Protection Unit (DPU). This role will appeal to candidates looking to work as part of a multi-disciplinary team implementing a strategic transformation programme of agency-wide improvements to ensure Tusla has effective people, processes, and systems in place to support its statutory and regulatory obligations. The role offers an opportunity to work in a fast-paced, dynamic environment across a variety of projects and assignments in the area of Data Protection and Freedom of Information (FOI) including, but not limited to, DPU Operations; Data Protection and FOI Compliance; and the GDPR Programme, which includes Operating Model Design and Implementation; Data Protection Impact Assessments (DPIAs); Third-Party Privacy Risk Management; Regulatory Engagement; and Change Management, Training & Communications. Whilst the location/base of the role is flexible, attendance at Tusla Head Office in Dublin will be a requirement of the successful candidate at a frequency agreed with the Lead Deputy Data Protection Officer.
Tusla processes a large volume of highly sensitive personal data on a daily basis in order to deliver the critical services it provides to Children and Families across the State. In doing this, Tusla must ensure that it has adequate organisational and technical measures in place; that the rights and freedoms of Tusla service users are respected and that privacy risks to those rights and freedoms are minimised; and that a fit for purpose operating model for Data Protection and FOI is implemented. These are the three objectives of Tusla's GDPR Programme, a multi-annual strategic transformation programme which is now in its third phase of implementation. The GDPR programme focuses on driving a wide range of improvements in Tusla's data protection and FOI compliance and control environment, including for example:
- Data Protection Operating Model Design and Implementation, such as policy and process enhancements or organisation design changes, including the development of the regional privacy network;
- Data Protection Impact Assessments and Third-Party Privacy Risk Management, to assess complex data processing activities and third-party data sharing arrangements to identify the required privacy safeguards and controls;
- Regulatory Engagement with the Data Protection Commission and the Office of the Information Commissioner in relation to Tusla's regulatory obligations; and
- Change Management, Training & Awareness, to embed best practice data protection across Tusla and ensure all staff fully understand their roles and responsibilities in relation to data protection and FOI compliance.
Job Objectives
Main Duties and Responsibilities
Stakeholder Engagement
- Support the DPO and Deputy DPO in leading on internal and external stakeholder engagement with regard to matters of data protection, FOI and Artificial Intelligence governance within Tusla.
- Collaborate with stakeholders to embed data protection requirements and Privacy by Design and by Default into key processes and controls.
- Consult and build a strong relationship with the Data Protection Commission (DPC) and Office of the Information Commissioner (OIC). Support the DPO and Deputy DPO in acting as the point of contact for the DPC on all data protection issues, in accordance with Article 39.1(d) and (e) of the GDPR.
Data Protection Advisory
- Support the DPU in informing and advising all employees of Tusla on their obligations under the GDPR, as per Article 39.1(a).
- Support the DPU in navigating the complex legislative environment within Tusla that surrounds the GDPR and provide advice on these issues to senior stakeholders.
- Propose to the DPO and Deputy DPO technical and organisational measures to ensure appropriate security of Tusla personal data, as well as developing and implementing organisational controls, policies and procedures that may be required to mitigate any risks identified.
- Provide support in the management and delivery of the GDPR Programme of work.
- Act as the Data Protection representative on various governance forums.
- Advise on decisions that pose data protection implications for the Agency, including opining on service and functional processes and systems to assist in designing same cognisant of data protection legislative requirements.
- Play a key role in assessing and understanding the technical and operational requirements in the data landscape and operating environment of Tusla, from a data protection and privacy compliance perspective and how these will likely impact Tusla’s staff and service users.
GDPR Assessment and Compliance
- Support Tusla in discharging its responsibilities under Article 5(1)(f) of the GDPR by leading SME input into the identification of data protection and privacy risks generally and, in particular, the risk of unauthorised or unlawful processing, accidental loss, destruction, or damage to Tusla personal data.
- Assist in improving Tusla’s compliance with the GDPR, Law Enforcement Directive and Data Protection Act 2018.
- Support in monitoring compliance with data protection and privacy laws as per Article 39.1(b) of the GDPR, and develop and implement a Data Assurance Programme.
- Lead the development of data privacy impact assessments (DPIAs) as per Article 39.1(c) of the GDPR and assess implementation of recommendations through compliance assurance visits.
- Support in discharging responsibilities under Article 28 of the GDPR by identifying associated data protection and privacy risks and ensuring that there are sufficient guarantees that appropriate technical and organisational measures are implemented in such a manner that processing will meet the requirements of the GDPR.
- Assist in the preparation of data protection compliance, breaches and other relevant management information to senior management and the Data Protection Commission and support associated briefings and engagement.
- Report on significant data protection and privacy risk and compliance issues and relevant updates and significant programme developments to DPU management.
- Develop and maintain a privacy risk register and associated standard operating procedures (SOPs) and policies required.
- Drive the implementation of the periodic revision of the Agency’s Data Protection Management System to reflect changes in laws, regulatory or company policy and standards and ensure timely adoption and execution.
- Oversee the development and maintenance of accountability mechanisms, including but not limited to a central register of records of processing activity (ROPA).
Business Unit Effectiveness
- Drive the enhancement of policies, procedures, standards, guidelines, best practices, templates, and checklists to enable the Agency to meet data protection obligations and ensure consistency in application.
Health & Safety
- Comply with and contribute to the development of policies, procedures, guidelines and safe professional practice and adhere to relevant legislation, regulations and standards.
- Have a working knowledge of the Health Information and Quality Authority (HIQA) Standards as they apply to the service for example National Standards for Child Protection and Care and comply with associated Tusla – Child and Family Agency protocols for implementing and maintaining these standards as appropriate to the role.
- To support, promote and actively participate in sustainable energy, water and waste initiatives to create a more sustainable, low carbon and efficient health service.
The above Job Description is not intended to be a comprehensive list of all duties involved and consequently, the post holder may be required to perform other duties as appropriate to the post which may be assigned to him/her from time to time and to contribute to the development of the post while in office.
Please refer to the Candidate Information pack attached to this campaign for full and further detail.
Skills Requirement
Applicants must by the closing date of application have the following:
- Have a minimum Level 8 qualification on the National Framework of Qualifications in Ireland (or equivalent in another jurisdiction) in a relevant discipline (management, regulation, compliance, law, computer science).
And / Or
- Have a formal Data Protection certification / qualification, i.e. ACOI Compliance Professional or CIPP-E, CIPM or other equivalent data protection certification, and relevant prior experience in a complex data privacy environment within the public or private sector.
And
- Minimum 3 years’ senior management experience in data protection regulation and compliance including drafting of data protection policies and procedures.
- Experience in the design and implementation of complex cross functional compliance and control frameworks, preferably in relation to privacy risk management.
- Experience in specialist data protection, legal or technical skills.
- Have the requisite knowledge and ability (including a high standard of suitability and management ability) for the proper discharge of the duties of the office.