December 2020 Quarterly Report: Job Trends for Australian Privacy Professionals

Summary of Key Findings in our analysis of job trends for Australian Privacy Professionals:

• Sydney and Melbourne continue to dominate for advertised privacy roles.
• The move towards compliance roles slowed.
• The number of roles advertised declined significantly this quarter.
• Most advertised jobs required legal experience.
• The Federal Government wasn’t advertising. With the increased focus on tracking and tracing COVID-19, we had expected some movement.
• The salary ranges, from $75,000 – $120,000, shows that businesses are hiring for mid-range roles. Roles for Senior Privacy Officers were scarce.
• There was a greater focus on cyber security, suggesting data breach notification responsibilities may be influencing hiring.
• No entry level or graduate positions were advertised.
• No role specified any of the recognised privacy certifications such as CIPM or CIPT.

 

With increased media attention and evidence of a more aggressive regulator, you might expect to see increases in advertised privacy jobs in Australia. This is particularly true when you think about the privacy implications of the massive amounts of health data being collected during the COVID-19 pandemic – alongside increases in trace and track technologies. Interestingly, our research suggests otherwise.

This report looks at trends in privacy hiring in Australia, comparing the data about advertised privacy roles from December 2020 to that from each of the 9 previous quarters. We delve into the trends that have emerged since we started collecting this data in December 2018 – and explore what that means for privacy professionals in Australia

  Our Analysis

As part of our ongoing research into the state of the Australian privacy profession, Privacy 108 analyses the privacy job market. We compare online job adverts on Seek and Indeed at a point of time each quarter from December 2018, to December 2020. The job adverts need to contain either ‘privacy’ or ‘data protection’ in the title.

These job listings provide a useful snapshot into:

• How both private and public sector organisations value privacy;
• The resources organisations are willing to commit to developing and managing privacy programs; and
• The resources organisations are willing to commit to building their privacy maturity.

 

Privacy Jobs Advertised in December 2020

The number of advertised privacy jobs dropped in December 2020, falling to the lowest number we’ve seen since we started compiling this data. It even fell below the advertised positions in June 2020, in the middle of the COVID pandemic.

14 privacy positions were advertised in Australia in December 2020. This is a significant decrease from the 25 advertised positions in September 2020.

 

 

Possible Reasons for the Declining Number of Privacy Roles in Australia

The fall in December advertised positions may reflect a drop in activity as we approach the end of the calendar year. This is consistent with the figures from December 2018, which increased in the following quarter but were flat in December 2019.

It will be interesting to track the activity in the next quarter to see if privacy jobs recover to their pre-COVID level.

Insights We Can Glean From Last Quarter

In September 2020, there were at least four organisations seeking multiple privacy professionals to work with their internal teams, albeit some were on a temporary basis. We suggested that this could indicate a new focus on skilling up privacy teams within organisations, as well as a move away from them relying on external expert advisers, such as lawyers and consultants.

The December 2020 data did not show as many organisations looking for multiple positions. BUPA advertised two positions, one for a Senior Legal Adviser – Privacy and Regulatory, and the other for a Legal Adviser – Privacy and Regulatory.  Griffin Legal, an ACT law firm, also was offering flexible positions, including part-time and full-time opportunities.

The Cities Where You’ll Find Privacy Jobs in Australia

Sydney and Melbourne continue to have the most advertisements for privacy roles. There was one advertised role in Canberra, for a privacy lawyer to work in a law firm. There were no advertised roles in other capital cities nor where there any roles advertised in regional Australia.

 

What this data tells us about privacy hiring:

In both June 2020 and September 2020, there were no positions advertised in the ACT. In December 2020, there was only one position with an ACT law firm.

It is surprising that there have been so few advertised privacy positions with Federal Government agencies over the last 9 months.  With the increased focus on managing COVID-19, tracking and tracing and working from home, it would be reasonable to expect a rise privacy positions in Federal government agencies located in Canberra – even if the positions advertised were just short-term. There is no evidence of this from the job advertisements collected.

 

Most Roles are for Mid-Level Privacy Professionals

A review of the job tiles for roles advertised highlights that privacy remains a mainly middle management position, rather than a senior leadership role, in Australian organisations.

In previous reports, the most common job titles included ‘officer’ and ‘analyst’.  However, in December 2020, there were more roles for consultants and legal counsel. Generally, there was an increase in legal positions with both law firms and other consulting businesses, which shows up as an in increase in consultant positions. If the consultant and counsel positions are added together, they account for over half of the advertised position.

That this (likely) reflects is that businesses are returning to the use of external advisers, rather than building up in-house skills.

Privacy Positions for Non-Lawyers

Most of the non-legal consultant positions were geared towards candidates with some data breach or cybersecurity expertise.  For example, advertised consultant positions included opportunities for individuals to join a Cyber Security and Privacy Risk Services Team, a Cyber Data Protection Team, and a National Cybersecurity and Information Security Office.

Let’s consider the advertised Cyber Security & Privacy Practice Manger role.

The responsibilities for that role include:

• Client management, and
• Business development.

The requirements include that “You will be skilled and experienced at managing the whole project lifecycle for cyber security and information security services.”

This position is clearly more skewed to cyber security than privacy. No specific privacy experience is outlined and the tertiary qualification required is a relevant bachelor’s degree or equivalent.

This suggests that the increase in privacy roles may be driven by increased awareness of data breach notification obligations and concern about cyber security.  It may also indicate a growing trend to group together the management of cyber security and privacy obligations, as part of the same consulting service offering.

This combination of privacy and data security skills indicates some conflation of data security and privacy responsibilities, which could lead to confusion in the recruitment and skills areas.

Trends in Privacy Positions for Senior Privacy Professionals

As we outlined above, most privacy roles we’ve seen advertised this quarter – and in the preceding quarters, are for middle management positions.

Just 3 of the 14 positions advertised in December 2020 were for positions described as ‘managers’ or ‘leaders’. This number seems low, even on the basis that more senior positions may not be advertised on-line. But it is consistent with previous quarters.

One of the senior positions for Cyber Security & Privacy Practice Lead, discussed above, had been advertised in the previous quarter.  As has been noted previously, it is not uncommon for roles to be advertised for more than one quarter, suggesting issues in identifying appropriate applicants.

This is particularly the case for more senior roles.

 

Are Companies Looking to Recruit Compliance, Legal or Technology Professionals?

To help identify where the role sits within organisations, and the main focus of the role, we categorise each job on the basis of whether it is a compliance, legal or technical position. From September 2019 to September 2020, there has been a rise in positions with a compliance focus, matched by a decrease in legal roles.

This trend was reversed in December 2020.

The return to legally focused roles or backgrounds is consistent with the suggestion above that there is a return to use of external advisers rather than building up in-house skills, at least in the currently uncertain times.

A Significant Drop in Technology-Focused Privacy Positions

Another noteworthy finding, is the drop in technology-focused roles (where responsibilities include the implementation of privacy enhancing technologies, programs or technical solutions).

September 2020 saw a rise in technical roles, in comparison to previous periods.   However, only one position advertised in December 2020 could be regarded as technical: a 6-month contract role to project manage the implementation of three different privacy solutions.

 

Which Sectors are Hiring Privacy Professionals?

In our September 2020 analysis, there was a rise in government jobs – mostly with State Government agencies. The number of positions in the banking/financial services sector also increased.

This trend reversed in December 2020, with a significant fall in jobs advertised in the government and banking/financial services sectors.

The fall in banking/financial services recruitment may suggest that resourcing requirements have been filled in the short term. We are interested to see if activity remains depressed in the next quarter.

The number of positions with professional services organisations remained relatively stable. This supports the contention that there is return to use of external advisers rather than building up in-house skills, at least amid the uncertain times we’re currently experiencing.

 

Privacy Hires vs Privacy Contractors

In September 2020, the relative strength of the privacy job market could be attributed to the number of contract of temporary jobs.  In that period, the percentage of contract or temporary advertised positions  more than doubled, from an average of around 20% to 44%. 11 out of the 25 advertised jobs were for contract or temporary positions.

In December 2020, there was only one contract position offered. The role was to project manage the implementation of three solutions for data governance, data quality, and privacy.

This decline in contract or temporary role could be seasonal, with organisations reluctant to commence contracts over the December/January period. It could also reflect a continued concern with pursuing privacy related initiatives during the COVID period.

 

 

Trends in Flexible Work Arrangements

A number of roles were advertised as working from home for some period. This suggests some increased flexibility in working conditions in recognition of work-place changes wrought by COVID-19.

As an example, the Senior Legal Adviser – Privacy and Regulatory Role with BUPA included the option to ‘work from home two to three days per week, giving you ample flexibility to care for loved ones or focus on your own wellbeing.’

We’re interested to see whether this trend continues into the future.

 

Salary for Privacy Professionals

As in previous quarters, very few jobs included salary ranges.

Of the 14 positions, just two of the full-time roles included a salary range. One of the roles was with the ABC, and the other with the OVIC.

The ABC was for a lawyer with a minimum of 6 years post qualification experience, including at least 4 years’ experience negotiating and drafting complex commercial contracts involving technology and IP. The salary range for this position was $106K – $121K Plus 15.4% Nominated Super.

The other position was the Privacy Guidance Officer with OVIC, with an advertised salary range $69,917 – $84,894 plus superannuation. There were few requirements for this position other than the need for a security clearance.

Each of the part time and contract job advertised an hourly rate of just under $30 per hour.  The contract job required 10 years of project management experience.

The Records and Privacy Officer position with the Latrobe Community Health Service, which was the part time position available, required:

• Demonstrated knowledge of administration requirements, and
• An understanding of health information and record keeping.

The payment offered was $29.77 per hour.

Trends in Salaries for Australian Privacy Professionals

The salary ranges provided in December 2020 were lower than the previous quarter.

In September there was one role that had an advertised salary of AUD$250,000 – $315,000 p.a. (including superannuation & incentives), for the’ Director, Cyber Security & Privacy Consulting’ position with a US-based professional services consulting organisation.

The Department of Customer Service in NSW advertised role for a ‘Senior Coordinator Privacy and Right to Information’. The salary range offered between $110,745 – $122,038 p.a. This is similar to the salary we saw for the ABC role advertised in December, which also required the candidate to have a legal qualification.

In comparison to the $30 per hour offered for the contract and part time roles in December, the salaries offered for the three contractor positions in September 2020, offered $46 + superannuation per hour, which equates to around $112,000 p.a. for a full-time position.

 

Experience, Qualifications, and Certifications Required for Privacy Roles

As for all previous quarters, almost every position required some level of experience. There were no positions expressly pitched an entry level or graduate roles or transitional positions. This means that there are no positions being advertised that enable entry to the privacy profession.

Only one position did not require some sort of prior experience. This was the Privacy Guidance Officer position with OVIC.  The only specified requirement for this role was a security clearance.

In terms of qualifications, the legal positions all required a law degree and, in some instances, admission to practice.  Most also required specific legal experience.

Experience Required for Compliance Roles

The compliance focused roles tended to ask for more compliance and risk experience than specific privacy experience.

For example, the Lead GRC and Privacy Consultant role with Deputy asked for ‘strong experience in information security fundamentals’ and for someone who has ‘ been working in the industry for a number of years, and are looking for the next step.’

The Privacy and Data Security Consultant position with the Deloitte CISO required at least a bachelor’s degree in the field of Information Security, Law with focus in ICT or highly related programs and around 1 – 5 years of applied risk management experience.

As discussed above, the advertising of roles requiring both privacy and data security skills indicates a conflation of data security and privacy responsibilities. This may not be supported by the skills available in the marketplace.

Where a requirement for a tertiary qualification was specified it was for a law degree. We saw this in jobs where the role required legal skills.

 

Bridging the Experience Gap with Privacy Courses

Privacy108 offers training for privacy professionals looking to bridge gaps on their CV. Today’s privacy professionals need a wide breadth of skills that span technological knowledge through to an understanding of the global legal landscape. You can gain industry certifications that set you apart from the other candidates or set you up for a promotion with your current employer.

The certification and informational training courses provided are overseen by lead instructor Dr Jodie Siganto, one of Australia’s foremost privacy experts. She has significant legal experience, but you don’t have to. The courses are designed for lawyers and non-lawyers alike.