  • Posted: Aug 18, 2022
    Deadline: Sep 26, 2022

    Medic Mobile is a nonprofit organization on a mission to improve health in the hardest-to-reach communities. We build world-class, open-source software that supports health workers delivering equitable care that reaches everyone.

    Data Protection Officer

    The DPO will report to Medic’s Chief Programs Officer. The DPO's responsibilities include advising on compliance with relevant data protection laws and acting as a point of contact with supervisory authorities and data subjects. The DPO will create and update Medic policies and deliver training to the full team to ensure compliance with legislation and Medic’s values.

    Key Responsibilities

    • Understand relevant guidelines and data protection laws in countries where Medic operates: 
      • Track updates to core data protection laws (e.g. GDPR, Kenya Data Protections Act, HIPAA, Uganda Data Protections Act) 
      • Update Medic policies and procedures to comply with regulations
    • Identify, evaluate and maintain records of Medic’s data processing activities, in conjunction with partners/ third parties as appropriate
    • Provide advice and instructions on how to conduct Data Protection Impact Assessments (DPIAs)
    • Monitor data management procedures and compliance within Medic
    • Provide advice and guidelines for implementing privacy by design for all products, applications, and systems
    • Ensure all queries from data subjects seeking to exercise their rights are responded to within required timeframes 
    • Lead Medic’s external compliance with data protection laws and guidelines:
      • Establish terms and ensure compliance with data and security terms in Partner contracts (MOU, Scope Of Work - SOW,  Data Use Agreements - DUA etc.) 
      • Comply with requests from Partners and/or data subjects within legal timeframes (e.g. delete data subjects information from Medic databases)
      • Comply with supervisory authority requirements (e.g. submit proper applications and report data breaches within legal timeframes)
    • Submit quarterly updates and recommendations on data protection work to Medic’s Board and CEO that include summaries of:
      • Ongoing projects, with emphasis on any gaps in DPIA compliance and remediation plans 
      • Any legislative policy updates and internal policy changes 
      • Maintenance of the DPO’s “culture of independence”, including sharing any: arising conflicts of interest (particularly from other duties), internal “threats” to independence, internal conflicts where the DPO is unable to carry out duties, or projects or assignments where the DPO was or felt penalized for conducting DPO duties
    • Ensure internal compliance with data protection laws and guidelines:
      • Organizational assessment:
        • Conduct Internal Risk Assessment on overall Medic administrative, physical, and technical practices (e.g. HIPAA Security Risk Assessment Tool)
        • Update or create relevant policies on an annual basis to address findings from risk assessments
        • Review and update Risk Assessment on an annual basis
    • Liaise with Research and Development Partners (e.g. sub-processors and research partners) to ensure compliance 
    • Oversee regular auditing to ensure CHT complies with relevant laws and guidelines
    • For ongoing projects: conduct routine and systematic audits
    • Ensure Medic has conducted Data Protection Impact Assessments (e.g. DPIA template) for all projects and partnerships
    • Ensure Project Managers (and other members of staff) comply with recommendations from DPIAs
      • For completed projects:
        • Conduct routine risk monitoring on stored data 
        • Delete data that is no longer being used or to comply with terms in partner contracts, and ensure follow up with any sub-processors and/or research partners  
      • Conduct and update internal staff training
        • Review and update internal staff Data Protection Training at least annually
        • Participate in team meetings and seek out routine opportunities to remind staff of Medic’s data values and compliance
        • Offer consultation on how to deal with privacy breaches
      • Create and maintain strong Record keeping procedures
        • Tracking data and security terms in Partner contracts (MOU, SOW, DUA etc.) 
        • Ensure DPIAs are stored and appropriately cataloged for easy retrieval
        • Ensure the DPO’s contact details are published on Medic’s website and correctly shared on key documents (MOUs, SOWs, DUAs etc.) and internal documents
      • Create and ensure adherence to remediation plan(s) for any data breaches that comply with local regulation
      • Liaise with regional legal advisors to ensure policies and procedures legally comply

    Skills Knowledge and Expertise

    • Background in Information Technology, Library Sciences, Legal or other relevant fields and 3-5 years of relevant experience in data protection and legal compliance is a must-have.
    • Data protection/ privacy certification is required. ISO/IEC 27001 Information Security Management certification is an added advantage.
    • Expertise in national and other data protection laws and practices for serving countries and an in-depth understanding of the GDPR.
    • Understanding of Health sector information management and data security & protection needs.
    • Upholds high professional ethics
    • Establishes and maintains strong relationships and networks.
    • Self-motivated, drives continued improvement and communicates/ engages confidently at all levels
    • Ability to handle confidential information
    • Ethical, with the ability to remain impartial and report all noncompliances
    • Organizational skills with attention to detail
    • Knowledge of data management and protection in the context of global health a plus

    Method of Application

    Interested and qualified? Go to Medic Mobile on medic.pinpointhq.com to apply
