- Job Title: Senior Information and Privacy Manager
- Work Unit: Compliance and Special Investigations
- Ministry: Alberta Office of the Information and Privacy Commissioner
- Competition Number: 1056342
The Information and Privacy Commissioner (the Commissioner) is an Officer of the Legislature and reports directly to the Legislative Assembly. The Commissioner and the Office of the Information and Privacy Commissioner (OIPC) are independent of the Government of Alberta and provide oversight of Alberta’s public, health and private sectors to ensure compliance with the Freedom of Information and Protection of Privacy Act (the FOIP Act), the Health Information Act (HIA), and the Personal Information Protection Act (PIPA).
Reporting to the Director, the position assists the Commissioner in the performance of her legislative and regulatory responsibilities set out in the Acts. Through relationship building, strong leadership and effective mediation/investigation and communication skills, the position influences and effects change in the development and implementation of initiatives, programs, policies, goals and proposed legislative schemes in the public, health and private sectors.
The position is authorized to:
- Review the decisions of the "head" of the public body/organization/custodian;
- Review privacy impact assessments, providing comments and making recommendations.
- Review and advise on privacy breaches
- Conduct investigations to ensure legislative compliance;
- Issue findings and make recommendations to the head or the head's representative;
- Review and comment on initiatives, policies, procedures and practices of public bodies, health custodians (custodians) and private sector organizations (organizations);
- Consult and advise on complex and multi-jurisdictional access and privacy issues;
The position educates and informs stakeholders (including the public, public bodies, organizations and custodians) on access and privacy matters; conducts presentations, workshops and information sessions about the practical application of the Acts; assists in the development of educational/guidance materials and tools; and responds to enquiries from public bodies, custodians, organizations, non-profits, community groups, members of the public, elected officials, special interest groups and media on rights and obligations under the three Acts.
The work performed by the position is integral to the Commissioner's ability to ensure the privacy and access rights of Albertans are upheld; ensure that public bodies/organizations/custodians comply with their duties and responsibilities under the Acts; and, provide fair, independent and impartial reviews. The position's specific accountabilities include:
- Reviewing and investigating public bodies, custodians and organizations for legislative compliance.
- Investigating privacy breaches and self-reported breaches (including evaluating risks of harm to affected individuals; making recommendations regarding notifying affected individuals; requiring the implementation of security measures to ensure future compliance).
- Conducting information security audits or privacy compliance reviews of programs and initiatives of public bodies, custodians, and organizations.
- Producing written findings and recommendations that may be published.
- Informing the Directors, Assistant Commissioner and Commissioner about access and privacy issues of significance.
- Reviewing and providing comment on privacy impact assessments
- Consulting, commenting on, and making recommendations regarding, policies, procedures and practices related to initiatives, applications, and technology use
- Reviewing and commenting on technical, administrative and physical safeguards
- Commenting on risk assessment and mitigation related to system implementation and design
- Educating and informing the public and public bodies, custodians and organizations on the Acts
- Preparing and issuing public documents such as investigation reports, case summaries and practice notes.
- Researching, writing and developing educational/guidance materials and tools.
- Conducting presentations, workshops and information sessions regarding the rights and practical application of the Acts.
- Speaking at conferences.
- Developing relationships with public bodies, custodians, organizations and other stakeholder groups, including participation at meetings (e.g. network meetings).
- Responding to media queries as required.
- Responding to enquiries and requests for information
- Conducting and/or leading research projects when required by the Director, Assistant Commissioner or Commissioner
- Researching and reviewing relevant materials, cases and legal decisions/rulings;
- Compiling and analyzing statistics and results;
- Producing reports and developing guidance tools to assist and inform the public or stakeholders (public bodies, custodians and organizations).
- Managing a diverse and demanding workload in a timely and efficient manner.
Knowledge / Experience
University degree in a relevant field and 6 years of progressively responsible related experience. Equivalencies will be considered.
- Expert knowledge of access and privacy laws and principles, and particularly FOIP, HIA and PIPA.
- Experience in interpreting and applying legislation.
- Knowledge of trends, developments, issues, legal decisions and precedents relating to access, privacy, security and information technology.
- Knowledge of the rules of natural justice and administrative fairness.
- Investigation experience, including the ability to prepare investigative plans, gather evidence, conduct interviews, analyze information, and make finding and recommendations on complex and sensitive issues, preferably in areas related to information access, privacy and security.
- Experience in information security auditing and/or privacy compliance reviews.
- Management-level knowledge of information security best practices and technologies. Experience with complex or multi-stakeholder information technology and information sharing initiatives.
- Ability to establish and build effective relationships with stakeholders, including the public, media, interest groups and senior level representatives in the public/health/private sectors and other jurisdictions.
- Ability to manage a complex, diverse and demanding workload, including setting and adjusting workload priorities and tasks in response to increasing demands and changing issues.
- Experience with computer programs including word processing and case management programs.
- Superior verbal and written communication skills and the ability to explain legislation and complex legal and factual issues in terms that are understandable to parties.
- Superior interpersonal skills, including the ability to manage conflict, maintain objectivity in politically sensitive or adversarial situations, demonstrate tact and diplomacy.
- Professional designation in information technology and/or information systems auditing would be considered an asset.
Leadership and Business Know-How
The position must apply the legislation in a complex and multi-stakeholder environment.
The access and privacy legislative framework in Alberta is extremely complex. The FOIP Act applies to the public sector. HIA applies to the health sector and PIPA applies to the private sector. However, there are public bodies subject to the FOIP Act that are also custodians under HIA. In addition, dependent on contractual or agency relationships, private sector organizations may be "employees" of public bodies for the purposes of FOIP or "affiliates" of custodians under HIA. The application of the legislation becomes more complicated given the increasing partnerships involving public, health and private sectors. The position provides leadership in clarifying the application of the legislation to various parties/initiatives.
In addition to the complexity of the legislative framework and the public bodies/custodians/organizations subject to the legislation, the position provides leadership in ensuring that legislated information rights of persons to access information, third parties to object to the disclosure of their information, and individuals to file privacy complaints are upheld.
The position reviews decisions and actions of the "heads" of public bodies, custodians and organizations.
The "head" of public bodies, custodians and organizations are typically: ministers, deputy ministers, Chief Administrative Officers, Chief Executive Officers, corporate Presidents, etc.
The position must independently determine issues, relevant circumstances, gather the requisite supporting information and documentation, analyze complex matters and make sound and reasonable findings and recommendations. While the position may seek input from colleagues, the Director, other Directors, Legal Counsel and the Assistant Commissioner, the position is ultimately responsible for making findings and recommendations.
The position must not only interpret and apply the relevant provisions of the Acts correctly but must also consider Orders and decisions issued by the OIPC and the courts to assist in their review and findings. The position may also need to consider if other Alberta legislation or Orders/decisions from other Canadian jurisdictions are relevant.
The position must show leadership in building effective relationships with stakeholders (this includes public bodies, health custodians, organizations, non-profits, public, elected officials, etc.).
The position utilizes his/her expert knowledge of the application of the Acts and understanding of the challenges and issues of the stakeholders to build effective relationships in order to influence and effect change in initiatives, policies and procedures for the public body, organization or custodian. The position's findings and recommendations are not limited to the respective public body/custodian/organization but can also influence and effect change throughout a sector or among industry groups, at provincial, national and even international levels.
The position provides advice and guidance to stakeholders
The position must be aware of the latest trends, developments, issues, legal decisions and precedents relating to access, privacy, security and information technology so as to provide guidance and advice to public bodies, custodians and organizations through consultation, published guidance resources, presentations at conferences and workshops, participation on committees or working groups, etc. The position advises on access and privacy best practices, especially with respect to the design and implementation of new and emerging technologies and information management initiatives.
The position must effectively manage a significant and diverse caseload.
The position must effectively manage a constantly changing and diverse caseload in addition to special projects and other work that may be assigned to this position. The position is responsible for monitoring the timelines with respect to their caseload to ensure that the obligations placed on the Commissioner under the Acts are complied with.
This position relies on the Alberta’s three access and privacy laws; orders, investigation reports or guidance documents issued by the OIPC; established OIPC policies and procedures; and orders and related guidance documents from other Canadian jurisdictions with substantively similar access and privacy legislation. This position works with a significant degree of independence but needs to consult with the Director, Legal Counsel and the Assistant Commissioner on matters that have not been previously addressed by OIPC or that may impact other program areas.
The position must interpret and apply legislation to the circumstances of the matter under review or investigation in arriving at findings and recommendations. Resolving disputes between multiple parties can be complex given competing and diverse interests and agendas. Furthermore, the trend towards integrated information sharing and citizen centered delivery of programs increases the complexity of issues that this position must address and resolve - resulting in findings and recommendations that can cross public, health and private sectors.
Interpretation of the Acts can be a complex matter and can depend on relevant circumstances. As a result, the position must use analytical, interpretive and creative skills to arrive at findings and recommendations.
The position must be able to apply access and privacy principles and best practices to the design and implementation of new technologies and information management initiatives. This requires knowledge of the latest trends, developments, issues, legal decisions and precedents relating to access, privacy, security and information technology.
Relationships / Contacts
|Clients||Frequency||Nature and Purpose of Contact|
|Assistant Commissioner Director, Legal Counsel||As required||Inform, seek advice, make recommendations|
|Other OIPC staff||Daily||Inform, collaborate, and consult|
|Members of the public; government ministries, boards and agencies; post-secondary institutions; schools; municipalities; law enforcement; health custodians and providers; professional regulatory bodies and associations private sector organizations and business; complainants; applicants (which include elected officials, the public and members of the press); third parties, media, special interest groups and non-profit organizations||Daily||Respond to queries. Review and Investigate requests for review and complaints. Clarify and resolve disputes. Convey findings and recommendations on compliance. Determining jurisdictions and issues that fall under OIPC jurisdiction. Inform and educate.|
|Other jurisdictions||As required||Liaise, consult, collaborate|
Impact and Magnitude of Job (Scope)
The position liaises, consults, and comments on schemes, initiatives, information systems, policies and procedures in the public, health and private sectors concerning information access, privacy and security matters. The position also investigates matters related to the decisions, acts and failures to act of the head of public bodies, organizations and health custodians. The majority of these disputes are resolved by the position, thereby avoiding the more costly inquiry process.
Typical results achieved include: affirmation that a public body/custodian/organization is in compliance with the Acts; changes in policies/procedures/practices of public bodies/custodians/organizations; implementation of measures to protect personal/health information from risks including unauthorized collection, use, disclosure or destruction; notification of affected individuals (following a privacy breach); redesign of information systems.
The position can also influence and effect significant changes to initiatives, policies, goals, proposed schemes and operations and resources of public bodies, custodians and organizations; and impact the informational rights of persons (regardless of where they reside in the world). In addition, the position’s findings and recommendations can have sector and cross-sectoral implications, as well as national and even international impacts.
The position’s findings and recommendations directly impact how the Commissioner and the OIPC is perceived by the public, applicants/complainants/third parties and stakeholders. Results of reviews and investigations directly contribute to the privacy and access rights enjoyed by the public and to ensuring public bodies, custodians and organizations comply with their statutory duties.
The findings and recommendations are regularly reported by the media and can create significant reputational damage to the public bodies, custodians and organizations involved and can have significant cost implications for those entities to correct the deficiencies identified in the findings.
The Government of Alberta is committed to a diverse and inclusive public service that reflects the population we serve to best meet the needs of Albertans. Consider joining a team where diversity, inclusion and innovation are valued and supported. For more information on diversity and inclusion, please visit the Diversity and Inclusion Policy.