elevenM’s Brett Watson outlines some of the key considerations when hiring a dedicated privacy officer.
Many organisations have decided that keeping up with community expectations means their privacy function needs a standalone resource, like a privacy officer. There are many reasons for coming to this conclusion — perhaps your organisation has been considering the news and commentary about recent data breaches in Australia. Maybe your organisation has recently been through an audit or a capability assessment that has highlighted some gaps in your privacy management. Or maybe whoever handles privacy in your organisation (possibly amongst a few other responsibilities) is crying out ‘please help!’
Commonwealth Government Agencies have had this resource since 2018, when the Australian Government Agencies Privacy Code came into effect and required agencies to designate a privacy officer. Organisations with European interests are also familiar with the requirement to appoint a data protection officer under Article 37 of the General Data Protection Regulation.
Under proposal 15.2 in the Attorney-General’s Department’s Privacy Act Review Report, all Australian organisations would be required to appoint a senior employee responsible for privacy. What this looks like in practice will vary between small and large organisations. Smaller organisations may be able to absorb a privacy officer function into existing roles if their privacy risk exposure is low, whereas larger organisations would likely be expected to have at least one dedicated privacy officer, perhaps with a supporting team.
What is a privacy officer?
A privacy officer:
1. understands the relevant privacy principles that apply to your organisation (such as the APPs)
2. understands your organisation — its operations, strategy and purpose
3. combines 1 and 2 to manage your organisation’s privacy risk and to enable business functions.
We use the terminology ‘privacy officer’ here, but ‘privacy manager’ and ‘privacy advisor’ are commonly used by organisations, depending on their job architecture. ‘Privacy counsel’ is also commonly used, generally where the privacy role will sit within an organisation’s legal function and legal qualifications are expected.
What does a privacy officer do?
Depending on your organisation’s needs, a privacy officer can be involved in a range of tasks. These could include:
- providing advice on privacy issues
- conducting or steering privacy impact assessments
- organising privacy training for your organisation’s staff
- handling privacy enquiries, access requests and complaints.
Sounds great, when can I advertise?
Hiring a privacy officer is a great idea, but it isn’t a silver bullet for managing privacy in isolation. Here are some tips for getting the most out of the recruitment process.
Australia has a longstanding and well-known shortage of cyber-security workers. While there hasn’t been the same level of research into privacy workers, limited research from overseas and anecdotal evidence from clients and contacts suggest privacy expertise is similarly in short supply. It is worth remembering that privacy as a discipline in its own right (read: career choice) is younger and not as well established as many other organisational functions.
This means that you might need to be patient while looking for someone with suitable skills and experience for your organisation. Some organisations have addressed this issue by offering a development opportunity internally — this would involve taking someone who knows the organisational processes well and has the right kind of professional background (for example, in law, compliance, governance or risk) and training them, or putting them through professional training, in privacy. This approach is not appropriate for all organisations, and you should consider the complexity of your personal information handling practices, and the maturity of your processes before taking this route. However, it can be a good option for certain organisations.
There is no single qualification (tertiary or otherwise) that is a prerequisite for privacy officers. Privacy officers will often have qualifications in law, communications, policy, or risk, which are usually supplemented by working experience in privacy. An accreditation by the International Association of Privacy Professionals (such as Certified Information Privacy Manager) is a reliable sign that a candidate understands privacy fundamentals.
Aside from technical qualifications, consider the skillset that your privacy officer will need to succeed in the specific context of your organisation. For example, does your organisation need someone with superior writing skills for briefs to the executive, or does your organisation do most of its debate and decision making on privacy orally, in meetings? Does your organisation have well established information processes, or will the privacy officer need to develop a privacy program for your organisation?
No Officer without a
As well as requiring a privacy officer, the Australian Government Agencies Privacy Code also requires agencies to designate a privacy ‘champion’. The privacy champion is a senior official or executive who has agency-wide responsibility for culture and leadership on privacy issues.
Hiring a privacy officer is unlikely to make a tangible impact on privacy at your organisation unless the privacy officer can escalate privacy issues to someone in senior leadership who will advocate for them. Before hiring a privacy officer consider how privacy issues will be escalated upwards, who the ‘champion’ for your new team member will be, and how you will develop and implement a culture of privacy awareness.
Where to put them?
If your organisation hasn’t had a standalone privacy role before, there may be questions about where in the organisational chart they will best fit. Privacy roles typically appear within organisations’ assurance functions such as legal, risk or cyber. Where a role sits in the structure will ultimately depend on broader organisational factors (including the reporting line to the privacy champion).
While there is no single ‘right’ answer, we suggest that there can be a ‘wrong’ answer. Consider where the privacy risk is in your organisation. That is, the business units that handle the most personal information, or the most sensitive personal information. Is it marketing? sales? product? HR?
In most cases it is best to avoid a structure where your privacy officer has a direct reporting line into the business unit that holds your organisation’s main privacy risk. As with any compliance, risk or assurance issue, it is always best to avoid organisational/internal conflicts of interest. A privacy officer can and should work closely with other business units, particularly ones with elevated privacy risk. However, separating privacy from these business units in your organisational structure will allow for effective upward escalation if necessary. For example, if a privacy officer identifies a privacy risk relating to marketing that will ultimately be escalated to an executive, and that executive is concurrently responsible for marketing, there is a reasonable prospect of a conflict of interest, and the privacy risk may not be fully explored, debated and resolved.
What to do in the meantime…
You might have some internal work to do before you can on-board a privacy officer, or you might have some waiting to do before you find the right person. In the meantime, you can make progress by:
- appointing a privacy champion, and getting privacy on the executive agenda
- starting to think about/work on mapping the personal information you collect, hold and disclose — this is information that any privacy officer or team will need to do their job effectively
- starting work on your privacy culture — getting people thinking and talking about privacy, and making it clear that privacy is an organisational priority, not an afterthought to be tacked on to processes.
If you’re interested in learning more about how elevenM can help your business, contact us at hello@elevenM.com.au or on 1300 003 922.