Selecting a Privacy Officer

Written By Martin P.J. Kratz

A privacy officer is the individual whose principal privacy related task is to be responsible for ensuring that a business complies with applicable mandatory privacy law. As described below, depending on an organization's approach to privacy, the privacy officer may have other privacy-related functions as well.

Both the federal PIPEDA and the Alberta PIPA, provide considerable flexibility for a business in crafting and staffing the role of the privacy officer. A number of points may be helpful for a business to consider in designing the role of and in selecting a privacy officer.

Q. does the privacy officer really need to be an "officer" or can s/he play a
different role in the corporation?

A: We often refer to them as privacy officers, since this is seen by many businesses as a way to seek to elevate the importance of the privacy issue. The "individual responsible" referred to in both the federal and provincial legislation need not be an officer of the corporation but does need to have sufficient authority and resources to perform the assigned functions properly.

Q: Must a single privacy officer handle all of the complex issues for customers,
employees and otherwise?

A: There may be one or more privacy officers. In addition, a privacy officer may delegate some of the functions to one or more individuals. In jurisdictions where privacy obligations extend to employee personal information, it is becoming common to split the Human Resources and customer facing privacy issues and obligations within an organization, as there are different considerations in each field.

Q: Can a single person be the privacy officer of several businesses, say in a
corporate group?

A: Neither PIPEDA nor PIPA prohibit a person from being a privacy officer of several entities. In deciding whether this may be appropriate in any case, the key issues will include: (i) the person's accessibility and responsiveness to access requests and complaints etc.; and (ii) whether the person has sufficient knowledge of the business to enable him or her to limit or resolve any complaints or access requests of the business.

Q: Is the role of the privacy officer a full time or part time role?

A: The answer depends on the size of the organization, the scope of the privacy policy and program, the tasks assigned to the role and the likelihood of privacy- related issues that require specialized attention. Where businesses have divided the role among different functions, such as Human Resources and customer relationships, it may be that the role becomes part of an existing function. In other cases a separate position may need to be contemplated.

Q: What is the role of a privacy officer?

A: The job description for a privacy officer will vary with the organization and depend on the tasks assigned to the position. In some cases the role may be limited to ensuring compliance with the privacy laws and policies and responding to requests by individuals for access or correction of their personal information. In other cases the role may also include taking a leading role in the development and updating of privacy policies, liaising with government officials on privacy-related matters, addressing privacy assessments for new processes, systems or business units and addressing training and awareness requirements.

Q: What kind of background should a privacy officer have?

A: The answer depends on the role assigned to the position. A knowledge of privacy law and policy is important. Other attributes useful in performing the function are marketing, communications, management and systems skills or experience.