Location: Hyde Park Campus

Job Description:

Job Summary:
The Chief Privacy Officer (CPO) will collaborate with legal, compliance, IT, procurement, the Provost's office including both research compliance and faculty research, and other University functions to develop, implement and administer a comprehensive privacy and data governance program at the University in compliance with all applicable laws including, without limitation, HIPAA, FERPA, GDPR and state privacy laws. The CPO is the University's first privacy officer and will be the senior privacy resource for the University. This person will work with University leadership to identify and address emerging data privacy issues and questions. This individual will collaborate with other University stakeholders to build a data governance program, develop sound privacy policies, procedures and practices that anticipate future innovation in both University administration and emerging areas of research, including bioinformatics and data science. This individual will maintain the University's privacy policies and procedures, facilitate data governance activities, and partner with University leadership to ensure that the University's program adopts a risk-based analysis consistent with the University's mission and values. This individual must be comfortable working with a wide range of constituents and dealing with a broad scope of issues involving both faculty research and data sets as well as administrative data (student records, employee records, financial data, legal data, etc.). The CPO will collaborate with University stakeholders to consider the ethical, legal, regulatory, technological and other implications of these issues and their impact on a wide range of stakeholders as well as the institution.
In this capacity, the CPO must be a solution oriented person capable of seeing multiple perspectives who will apply regulatory requirements to ensure the appropriateness of use, protection and confidentiality of data and other information assets across the organization. The CPO will report to the Vice President and General Counsel and, recognizing the institution-wide nature of the responsibility, will work closely with the Provost's Office, University faculty members, and other members of University leadership. This position will require a high level of knowledge of HIPAA privacy obligations, particularly in the context of research. This position will not be responsible for the University of Chicago Medicine's ("UCM") HIPAA Privacy Program but will be expected to coordinate closely with UCM's Chief Privacy Officer and UCM's HIPAA Privacy Program (e.g., when developing a response to privacy and security incidents that involve data from both the University and UCM). This position requires an individual capable of enhancing the overall awareness and culture of privacy and data governance at the University through training and education.

Responsibilities:
- Build, implement, coordinate, and manage a comprehensive privacy and data governance/privacy program to meet federal, state, and international laws, regulations, and rules regarding privacy
- Develop and maintain privacy policies, procedures and practices for research and administrative data, respectively
- Draft, review, and maintain privacy policies for the University's various websites and online services
- Facilitate University-wide data governance program and related meetings, programs, and working groups
- Serve as senior privacy resource for the University and work with University leadership to identify and address emerging data privacy issues and questions consistent with the University's values, mission and legal requirements
- Collaborate with faculty, information technology and security, the privacy team at the Medical Center, legal counsel, University research administration, the Provost's office, procurement, compliance and internal audit
- Collaborate with the information security officer to ensure alignment between security and privacy compliance programs, including policies, practices, and investigations, and act as a liaison to the information systems department
- Establish with the information security officer(s), an ongoing process to track, investigate and report inappropriate access and disclosure of protected health information. Monitor patterns of inappropriate access and/or disclosure of protected health information.
- Advise University research administration in negotiating data sharing contracts for research
- Guide procurement in negotiating IT vendor, cloud storage, and consulting and services agreements that involve personally identifiable information
- Maintain current knowledge of applicable federal, state, and international privacy laws as well as developments and high-profile incidents at similar institutions
- Inform relevant unit leaders and their teams of industry trends and updates on data privacy issues and topics
- Provide business units with appropriate tools and methodologies to ensure ongoing compliance
- Develop and manage privacy training materials and conduct ongoing privacy training and awareness activities for researchers and administrative units
- Collaborate with the University's Chief Information Security Officer to update and maintain the University's incident response plan
- Conduct periodic assessment of operations for privacy compliance; assist with investigations when appropriate
- Develop and manage procedures for vetting and auditing vendors for compliance with privacy and data security policies and legal requirements
- Lead, manage, and contribute to other projects and initiatives as assigned

Competencies:
- Expert on privacy matters related to large, complex, customer-oriented, research-intensive organizations entrusted with large volumes of sensitive, confidential data of a critical nature to the enterprise and its constituents ideal. An understanding of HIPAA, FERPA, GDPR and other privacy laws and regulations in higher education and healthcare is critical
- Success operationalizing a privacy and data governance program is ideal
- Outstanding communication and presentation skills; demonstrated ability to build successful relationships with a wide range of persons across multiple constituencies
- Experience with academic research working with an academic medical center preferred.
- Ability to define and implement a multi-year strategic program and a corresponding set of strategic goals
- Excellent issue-spotting, analytical and problem solving skills
- Ability to understand, research, analyze, interpret and apply complex federal, state and international privacy laws, rules and regulations and the constantly evolving risk profiles
- Digital and technical proficiency
- Ability to facilitate debate, consensus and decision-making and manage governance activities
- Excellent judgment in a high-pressure environment; comfortable identifying institutional level decisions or questions of first impression that require input from senior leadership
- Dedication to treating internal and external constituents as clients, maintaining a customer service approach
- Experience working with HIPAA, FERPA, GDPR, state privacy laws, and ideally experience with their application in both research and administrative contexts
- Demonstrated success in training and educating a range of stakeholders on a comprehensive privacy or related plan
- Demonstrated ability to manage appropriate responses to different incidents and investigations preferred
- Excellent project management skills; demonstrated ability to prioritize work and meet deadlines in a fast-paced environment
- Experience working with metrics and success implementing evidence-based changes preferred

Education, Experience or Certifications:

Education:
- Bachelor's degree required
- JD or master's degree in business or related field preferred

Experience:
- Ten or more years of progressively responsible experience in privacy, compliance or related areas in a large research university, academic medical center, or other relevant complex organization required

Certifications:
- Certified Information Privacy Professional qualification a plus

Required Documents:
- Resume/CV
- Cover Letter
- Professional References Contact Information

The University of Chicago is an Affirmative Action/Equal Opportunity/Disabled/Veterans Employer and does not discriminate on the basis of race, color, religion, sex, sexual orientation, gender identity, national or ethnic origin, age, status as an individual with a disability, protected veteran status, genetic information, or other protected classes under the law. For additional information please see the University's Notice of Nondiscrimination.

Staff Job seekers in need of a reasonable accommodation to complete the application process should call 773-702-5800 or submit a request via the Applicant Inquiry Form.

The University of Chicago's Annual Security & Fire Safety Report (Report) provides information about University offices and programs that provide safety support, crime and fire statistics, emergency response and communications plans, and other policies and information. The Report can be accessed online at: securityreport.uchicago.edu. Paper copies of the Report are available, upon request, from the University of Chicago Police Department, 850 E. 61st Street, Chicago, IL 60637.