Conversations with Privacy Officers – what we learned
By Caitlin Galpin, Senior Privacy Guidance Officer
The Privacy Officer role is important for ensuring that organisations uphold the right to privacy. This year, OVIC’s Privacy Guidance team is focusing on increasing the support it provides to privacy officers.
As part of this project, we engaged in more than twenty consultation interviews with privacy officers across the VPS to get a better understanding of the work they do, the challenges they face and how OVIC can support them in their roles.
These discussions confirmed privacy officers’ passion and commitment to upholding the right to privacy. They also provided us with insights that challenged some of the assumptions we had about the work privacy officers do. So enlightening were they that we thought it would be a good idea to share some of our observations in this blog post.
Lack of clarity and consistency in definition and understanding of the role
There are many different views about what constitutes the role and responsibilities of a privacy officer – both within organisations and across the VPS.
This can mean that different organisations support and resource the role very differently. It can also lead to an under-utilisation of the expertise of privacy officers by agency staff who do not understand the services their privacy officer provides.
The importance of building relationships and effective communication
Before the consultations, we hadn’t fully appreciated how crucial these skills are for privacy officers. They assist privacy officers in promoting their role and services, raise awareness of staff privacy obligations, and obtain executive buy-in and support.
Especially in agencies where there are no defined processes requiring staff to engage with them, privacy officers often rely on their ability to get their message out through the organisation to convince staff to take the initiative and seek out privacy advice.
Some privacy officers reported that they rely on a ‘word of mouth’ system of building awareness of the services they can offer. They noted that where they have an existing relationship or have provided advice that was helpful in the past, they are more likely to be consulted.
Lack of formal training and induction
It seems that most agencies do not have a formal privacy officer induction and that new privacy officers often learn about privacy ‘on the run’, when actively responding queries or issues.
Generally, organisations reported that it was difficult to identify what tools are required for the role.
Handling complaints or enquiries from the public is not the main component of the role
Most privacy officers do not spend a significant proportion of their time handling complaints or enquiries from members of the public. Rather, we learnt that the majority of their workload is made up of internal enquiries, assisting staff with proposed disclosures of information, or assessing the privacy impacts of projects.
More reactive than proactive
Many privacy officers balance their role with other roles in areas such as freedom of information, records management, governance, or legal.
This can limit the time that they can devote to privacy meaning that it is limited to responding when something goes wrong, such as where there is a data breach or a privacy complaint.
In such circumstances, privacy officers had an appetite to engage in more proactive work to embed good privacy practices and avoid things going wrong, such as by engaging with and training staff, or proactively reviewing privacy practices and procedures.
Organisations where there was more than one privacy officer generally reported a greater ability to focus on proactive activities to incorporate this type of privacy by design approach.
The challenge of raising the profile of the role and increasing staff awareness
A common challenge seems to be a general lack of awareness of and under-utilisation of the role of privacy officer. Some privacy officers reported that they felt staff had limited awareness about their privacy obligations or that it was hard to reach staff due to the size, structure, or complexity of the organisation.
Privacy officers reported that some agency staff see privacy as a barrier to achieving goals. This can mean that even staff who are aware of the agency’s privacy officer they may be reluctant to engage with them.
Privacy Officers have trouble finding the tools they need to perform their role
Privacy officers seek out authoritative resources and guidance, particularly when dealing with novel or complex issues.
Whilst many turn to the OVIC website as their main source for such guidance, there did not appear to be widespread awareness of all the resources that the site contains. Further, some privacy officers noted that they ‘know OVIC has the resources but I can’t readily find what I need’.
Having identified common needs during this consultation phase, OVIC is now planning how we can improve our guidance and develop new resources to assist privacy officers in their day-to-day roles.
This will include guidance about OVIC’s expectations about what the role of a privacy officer entails, which will assist VPS agencies to properly support this important function. It will also include a consolidation of existing and new resources in a toolkit, allowing privacy officers to readily access the tools and resources that they need to complete their day-to-day roles.
Please contact our Privacy Guidance team at firstname.lastname@example.org if you have any questions, feedback or input that you would like to be considered.