Data Protection Officer

Overview

As a non-profit organization, Medic’s mission is to advance good health and human flourishing by building open source technology with and for hard-to-reach communities. We value humanity, creativity, initiative, solidarity, and openness. Being responsible stewards of people’s data is critically important to our mission. Medic seeks a Data Protection Officer (DPO) to ensure organization accountability and compliance with our Data Protection Policy and relevant data protection laws. We seek a DPO who will proactively find ways that our organization can work with data more responsibility and in support of the principles laid out at Responsible Data.io.

The DPO will report to Medic’s Chief Programs Officer. The DPO responsibilities include advising on compliance with relevant data protection laws and acting as a point of contact with supervisory authorities and data subjects. The DPO will create and update on Medic policies and deliver training to the full team to ensure compliance with legislation and Medic’s values.

Key Responsibilities

• Understand relevant guidelines and data protection laws in countries where Medic operates:
  • Track updates to core data protection laws (e.g. GDPR, Kenya Data Protections Act, HIPAA, Uganda Data Protections Act)
  • Update Medic policies and procedures to comply with regulations
• Identify, evaluate and maintain records of Medic’s data processing activities, in conjunction with partners/ third parties as appropriate
• Provide advice and instructions on how to conduct Data Protection Impact Assessments (DPIAs)
• Monitor data management procedures and compliance within Medic
• Provide advice and guidelines for implementing privacy by design for all products, Applications, and systems
• Ensure all queries from data subjects seeking to exercise their rights are responded to within required timeframes
• Lead Medic’s external compliance with data protection laws and guidelines:
  • Establish terms and ensure compliance with data and security terms in Partner contracts (MOU, Scope Of Work – SOW, Data Use Agreements – DUA etc.)
  • Comply with requests from Partners and/or data subjects within legal timeframes (e.g. delete data subjects information from Medic databases)
  • Comply with supervisory authority (e.g. submits proper applications and reports data breaches within legal timeframes)
• Submit quarterly updates and recommendations on data protection work to Medic’s Board and CEO that include summaries of:
  • Ongoing projects, with emphasis on any gaps in DPIA compliance and remediation plans
  • Any legislative policy updates and internal policy changes
  • Maintenance of DPO’s “culture of independence” including sharing any: arising conflicts of interest (particularly from other duties), internal “threats” to independence, internal conflicts where DPO unable to carry out duties, or projects or assignments where DPO was or felt penalized for conducting DPO duties
• Ensure internal compliance with data protection laws and guidelines:
  • Organizational assessment:
    • Conduct Internal Risk Assessment on overall Medic administrative, physical, and technical practices (e.g. HIPAA Security Risk Assessment Tool)
      • Update or create relevant policies on an annual basis to address findings from risk assessments
      • Review and update Risk Assessment on an annual basis
  • Liaise with Research and Development Partners (e.g. sub-processors and research partners) to ensure compliance
  • Oversee regular auditing to ensure CHT complies with relevant laws and guidelines
  • For ongoing projects: conduct routine and systematic audits
    • Ensure Medic has conducted Data Protection Impact Assessments (e.g. DPIA template) for all projects and partnerships
    • Ensure Project Managers (and other members of staff) comply with recommendations from DPIAs
  • For completed projects:
    • Conduct routine risk monitoring on stored data
    • Delete data that is no longer being used or to comply with terms in partner contracts, and ensure follow up with any sub-processors and/or research partners
  • Conduct and update internal staff training
    • Review and update internal staff Data Protection Training at least annually
    • Participate in team meetings and seek out routine opportunities to remind staff on Medic’s data values and compliance
    • Offer consultation on how to deal with privacy breaches
  • Create and maintain strong Record keeping procedures
    • Tracking data and security terms in Partner contracts (MOU, SOW, DUA etc.)
    • Ensure DPIAs are stored and appropriately cataloged for easy retrieval
    • Ensure DPOs contact details are published on Medic’s website and correctly shared on key documents (MOUs, SOW, DUAs etc) and internal documents
  • Create and ensure adherence to remediation plan(s) for any data breaches that comply with local regulation
  • Liaise with regional legal advisors to ensure policies and procedures legally comply

Skills Knowledge and Expertise

• Background in Information Technology, Library Sciences, Legal or other relevant fields and 3-5 years of relevant experience in data protection and legal compliance is a must have.
• Data protection/ privacy certification is required. ISO/IEC 27001 Information Security Management certification is an added advantage.
• Expertise in national and other data protection laws and practices for serving countries and an in-depth understanding of the GDPR .
• Understanding of Health sector information management and data security & protection needs.
• Upholds high professional ethics
• Establishes and maintains strong relationships and networks.
• Self-motivated, drives continued improvement and communicates/ engages confidently at all levels
• Ability to handle confidential information
• Ethical, with the ability to remain impartial and report all noncompliances
• Organizational skills with attention to detail
• Knowledge of data management and protection in the context of global health a plus

Why Medic?

Purpose & Impact

• Ability to create and see real impact in your work
• Freedom to take initiative and innovate, bonus of an agile, small team
• Work for a globally awarded social enterprise recognized for developing a solution that can create global systems change in the health sector

The Team

• Work with a value and mission driven team that is consistently described as warm, incredibly kind and supportive
• Exposure to a diverse team: over 15 different nationalities
• Opportunities for global travel: all team meet-up + functional team meet-up + field visits

Work/Life & Growth

• Generous leave time: vacation, maternity/paternity, bereavement, & sick days
• Professional development funds & opportunities + 5 days off for prof dev
• Home Office Set up Stipend.
• Flexible, remote schedules