Senior Privacy Advisor

Metrolinx, Canada
CA$93,798 - CA$127,484, Onsite

About The Position

Metrolinx is seeking a Senior Privacy Advisor to join their Legal and Commercial Corporate Services Division. This role will support legislative compliance and privacy best practices within the Privacy Office, with a focus on enabling privacy by design for AI and technology initiatives in a complex public sector environment. The successful candidate will provide practical, risk-informed guidance to support responsible innovation and uphold public trust in digital services. This is an in-office position based at the 97 Front Street location, requiring collaboration and hands-on partnership with leaders across the organization.

Requirements

  • Completion of a degree in Public Policy, Computer Engineering, Information Management, Information Technology, or related field – or a combination of education, training and experience deemed equivalent.
  • Demonstrated experience/training in providing technical advice in connection with emerging technologies, including an ability to understand technical requirements, assess evolving privacy risks and ensure legislative compliance while enabling responsible innovation.
  • Knowledge of and ability to interpret and apply legislation and government regulations guiding privacy protection and access to information (e.g. Freedom of Information and Protection of Privacy Act (FIPPA), the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada's Anti-Spam Legislation (CASL)).
  • Experience assessing privacy compliance for new programs, information systems, or services, ideally in a public sector environment.
  • Experience preparing a range of written materials, documentation, reports, briefing notes, and training materials; briefing senior management and staff on a range of privacy issues/matters; and providing information/documentation to the IPC.
  • Strong interpersonal skills, with a sense of political acuity and the ability to present complex facts, information and explanations to different audiences, including matters brought before Ontario's Information and Privacy Commissioner and senior management.
  • Collaboration and relationship management skills to demonstrate aptitude for building trusted relationships and a reputation for sound judgement and pragmatism with internal clients and partners. Ability to work effectively and in partnership with colleagues, diverse teams (including legal counsel and information technology, internal audit, and risk professionals) and partners to build consensus and influence decisions; foster a culture of information privacy awareness.
  • Knowledge of data digitization, data mining, information flow and security concepts, to review and advise on the agreement of our technology/information management/security projects/plans to privacy practices and legislative compliance requirements.

Nice To Haves

  • Any relevant designations from IAPP, such as CIPT/C, CIPP/C, AIGP, are an asset.

Responsibilities

  • Promote interpretation of, and compliance with, legislative requirements of the Freedom of Information and Protection of Privacy Act (FIPPA), and guidance from Ontario's Information and Privacy Commissioner.
  • Promote the development of privacy best practices above and beyond FIPPA and related legislative requirements, including requirements of the private-sector Personal Information Protection and Electronic Documents Act (PIPEDA), guidance from the Federal Office of the Privacy Commissioner of Canada, guidance from the Ontario Public Service and related directives, and industry best practices.
  • Maintain current knowledge of the application of privacy legislation and regulations and industry changes and anticipate the impact on privacy issues to organizational/corporate practices.
  • As privacy subject matter expert, provide support to Metrolinx departments and project team members to ensure compliance with Metrolinx privacy policies, legislative and contractual obligations, and support standards and methodologies and implementation of best practices on an on-going basis.
  • Model Metrolinx’s values and core competences, especially in dealings with external partners, and in the handling of personal and confidential information.
  • Support the privacy program governance framework under the leadership of the Director, Privacy Program.
  • Implement strategic privacy projects, including policies, best practices, and risk mitigation strategies across our departments.
  • Work effectively with other data governance partners such as AI Governance, Security, Records Management, and others to ensure a fulsome review and assessment of projects assigned.
  • Monitor and conduct privacy research activities to identify and assess jurisdictional/private sector and industry best practices, risks and impacts related to program delivery, to inform and enhance the effectiveness of Metrolinx's privacy policy, legal commitments, and program delivery.
  • Identify contentious issues, monitor changes to best practices and legal requirements, brief staff and senior management, and implement revisions/mitigation strategies.
  • Identify and assess privacy risks and provide advisory and consultative support to risk owners to develop appropriate mitigation plans. Conduct post-implementation analysis and reviews to ensure recommendations have been implemented.
  • Investigate privacy incidents to identify privacy breaches and support response plans through all phases of the incident response process, including privacy analysis, root cause analysis, development of mitigation strategies, and reviewing associated communications and reporting.
  • Lead investigations and respond to privacy inquiries, privacy complaints and breach incidents, and act as the primary contact for Ontario's Information and Privacy Commissioner; log follow-up activities and resolutions and provide advice to staff and senior management.
  • Review, propose, and coordinate appropriate action plans to address findings of privacy audits and monitoring, in collaboration with Internal Audit and departments.
  • Ensure assigned risks are added to the Enterprise Risk Register and monitor to ensure compliance with risk mitigation plans and associated timelines.