Privacy Jobs in Australia: Signs of post-COVID recovery?

This report outlines trends from our analysis of advertised privacy jobs between December 2018 and September 2020. It shows a small increase in the total number of advertised roles, suggesting a slow post-COVID recovery.  The shift to compliance roles from legal positions continues, with most positions still being middle management rather than senior roles and located in Sydney or Melbourne.

Key Findings:

  • Sydney and Melbourne had most advertised roles over the period analysed, although the numbers in each city were about half of those from previous quarters.
  • State Government was the biggest advertiser, followed by the banking/finance sector.
  • There were no Federal government advertised roles. With the increased focus on managing COVID-19 and tracking and tracing, some movement might have been expected.
  • At least four organisations advertised multiple positions, suggesting the building of internal privacy skills. Two were looking for three new privacy team members.
  • There were few senior-level positions, with privacy remaining more of a middle-management than a senior leadership role in Australian organisations.
  • There was an increase in ‘privacy’ jobs with a cyber security focus.
  • The number of contract versus full time jobs increased, perhaps indicating an interest in growing privacy teams and programs (at least via use of short term resources).

Introduction

Although increased media attention and evidence of a more aggressive regulator might be expected to lead to increases in advertised privacy jobs in Australia, our research suggests otherwise.  The Privacy 108 quarterly analysis of on-line advertisements for privacy positions, commencing in December 2018, reveals a low number of advertised jobs for privacy professionals, mostly in the State government and banking and financial sectors, with little increase in total advertised positions over the period.

This report considers data about advertised jobs collected each quarter from December 2018 to September 2020 and the trends that are starting to become apparent by comparing the data collected over the last eight (8) quarters.

Number of Privacy Jobs – Slow Recovery from COVID

Advertised privacy jobs rose in September 2020, following the 30% drop in June 2020, although not returning yet to pre-COVID numbers. 25 positions were advertised, up from 19 positions advertised three months earlier.

Unusually, in September 2020, a number of organisations advertised multiple positions.

Endeavour Group Limited (Dan Murphy’s, BWS etc.) advertised two positions, one for an analyst and the other for a senior analyst. Both positions were part of the data governance & privacy team and were driven by ‘the increasing focus within Woolworths, and amongst regulators, on data governance and protection, particularly in the area of PII data.’ A financial service business was looking for a trainee, a senior data protection analyst and a data protection manager/consultant. The roles are to be part of the expansion of the business’s data protection service.

There was another ad for three (3) Privacy and FOI Officers to work with a State Government client on a 4-month assignment based in central Geelong. The positions are to assist with the coordination & management of the organisation’s privacy function and to implement the strategy (as opposed to developing or rolling out a new privacy framework). RSM, describing itself as the 6th largest network of independent audit, tax and consulting firms internationally, also advertised three (3) positions in their Privacy and Security Management team.

This increase in multiple positions with the same organisations suggests a new focus on skilling up new or existing privacy teams within organisations.   This could be driven by the implementation and growing awareness of the EU General Data Protection Regulation (GDPR) and other regulation (as indicated by the Endeavour Group advertisement), as well as an increased focus on compliance.  It could also indicate a move away from relying on external expert advisers, such as lawyers and consultants.

Location of Privacy Jobs

Sydney continued to be the location for the majority of advertised jobs, closely followed by Melbourne. Unlike previous quarters, there were six (6) positions advertised in Perth. No positions were advertised in Canberra or Brisbane. There were four (4) advertised positions in regional towns, bolstered by the three jobs with the Victorian government agency in Geelong.

September 2020 – Location of Advertised Jobs

| Location | No. of advertised jobs |
|---|---|
| Sydney* | 7 |
| Melbourne | 5 |
| Perth | 6 |
| Adelaide | 3 |
| Regional Vic | 3 |
| Regional NSW | 1 |
| Total | 25 |

*One of the advertised positions was available in either Sydney or Melbourne. We have included it in Sydney for the purposes of the location analysis.

Although there were slightly more advertised positions in Sydney than in Melbourne, the total advertised positions in each of those cities was approximately half of the numbers advertised in both March 2020 and December 2019.

The total number of positions advertised was impacted by the increase in number of jobs available in Adelaide, Perth and Regional Victoria (Geelong). In Perth, two employers were responsible for five (5) of the advertised positions.

As at June 2020, there were no advertised positions in the ACT, suggesting that federal government agencies may have other priorities.  With the increased focus on managing COVID-19, tracking and tracing and working from home, there might have been an expectation that there be more positions within federal government agencies located in Canberra.

What type of privacy jobs are available?

Based on the advertisements reviewed, privacy remains a mainly middle-management rather than a senior leadership role in Australian organisations.

The most common job titles included ‘officer’ and ‘analyst’. A typical analyst position was described as ‘tasked with working within the data governance & privacy team to implement a robust data governance & privacy framework’ across the organisation. A Privacy and Compliance Officer role required an individual to ‘assist with the coordination & management of the organisations privacy function & implement the strategy.’

Job Titles – March to September 2020

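| Job title | Mar-20 | Jun-20 | Sep-20 |
|---|---|---|---|
| Analyst | 5 | 2 | 6 |
| Consultant | 1 | 1 | 1 |
| Counsel | 7 | 2 | 2 |
| Engineer | 2 | 1 | 0 |
| Manager/Leader/Director | 3 | 3 | 5 |
| Officer | 9 | 7 | 11 |
| Specialist | 4 | 3 | 0 |
| Total | 31 | 19 | 25 |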

Only 5 of the 25 positions were described as managers or leaders. This number seems low, even on the basis that more senior positions may not be advertised on-line.

One of the advertised senior positions was for a Group Senior Privacy Officer position. This role required someone to ‘strategically lead the business through the operational management of the compliance and privacy frameworks, policies and procedures.’  One of the other senior positions was for a Cyber Security & Privacy Practice lead.  The responsibilities for that role mostly related to client management and business development. Based on the experience required for this role (i.e. a Senior Cyber Security Consultant with professional services consulting experience) the position was more skewed to cyber security than privacy. No specific privacy experience was required and the tertiary qualification was a relevant bachelor’s degree or equivalent.

Privacy Job – Compliance, Legal or Technology related?

To help identify where the role sits within organisations, and the main focus of the role, we categorise each job on the basis of whether it is a compliance, legal or technical position. From September 2019 to September 2020, there has been a rise in positions with a compliance focus, matched by a decrease in legal roles.

This suggests a move from organisations relying on law firms and external consultants to provide privacy advice to building their own internal privacy teams, in most cases as part of the organisational compliance and risk function.  The drop in legal roles may also be linked to the drop in government advertisers, with government privacy positions often forming part of the legal department.

Type of roles – September 2019 to September 2020

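| Type of role | Sep-19 | Dec-19 | Mar-20 | Jun-20 | Sep-20 |
|---|---|---|---|---|---|
| Compliance | 8 | 16 | 18 | 12 | 13 |
| Legal | 10 | 8 | 9 | 4 | 3 |
| Technology | 11 | 7 | 4 | 3 | 9 |
| Total | 29 | 31 | 31 | 19 | 25 |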

September 2020 saw a rise in technical roles, in comparison to previous periods.   Several roles required IT security or cyber security expertise, rather than privacy experience.  A role titled ‘Cyber Security and Data Protection Officer’ required a person to ‘assess, plan, and enact security measures to help protect the organisation from security breaches and attacks on its network and computer systems.’ This role involves simulating attacks to identify vulnerabilities, testing software to help safeguard the organisation’s data and assisting users in adhering to regulations and processes to ensure the system stays secure.

This overlap of privacy and data security skills indicates an increased expectation that data security specialists will also have privacy responsibilities.

Sectors employing Privacy Professionals

In comparison to the June 2020 quarter, where there was a significant drop in advertised government jobs, September 2020 saw a rise in government jobs, followed by jobs in the banking/financial services sector.

Interestingly, the increase in government roles was entirely with State government agencies (although a number of positions were contract rather than full time). As already noted, there were no Federal government department positions advertised in either June 2020 or September 2020.

The number of positions with professional services organisations remained relatively stable, although the number of roles advertised by law firms declined.  This is consistent with the earlier observation that the rise in compliance roles suggests a shift to developing in-house privacy teams rather than relying on external advisers.

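| Sector | Dec-18 | Mar-19 | Jun-19 | Sep-19 | Dec-19 | Mar-20 | Jun-20 | Sep-20 |
|---|---|---|---|---|---|---|---|---|
| Banking/Financial Services | 6 | 6 | 2 | 6 | 4 | 6 | 4 | 7 |
| Government & Utilities | 7 | 6 | 11 | 5 | 8 | 12 | 2 | 9 |
| Professional Services (Law Firms; Consulting) | 3 | 1 | 2 | 5 | 4 | 7 | 4 | 5 |
| Technology/Telecom | 1 | 4 | 6 | 7 | 6 | 2 | 1 | 2 |
| Higher Education | 1 | | 2 | 0 | 1 | 0 | 2 | 0 |
| Health | 1 | 1 | 0 | 2 | 0 | 1 | 1 | 0 |
| Not for Profit | 1 | | 0 | 0 | 2 | 1 | 2 | 0 |
| Corporate (including retail) | 2 | 6 | 4 | 4 | 6 | 2 | 3 | 2 |
| Total | 22 | 24 | 27 | 29 | 31 | 31 | 19 | 25 |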

Full time vs Contract Privacy Jobs

The percentage of advertised positions of a contract or temporary nature more than doubled, from an average of around 20% to 44%. This may indicate short term projects being put on hold in the previous quarter, which saw a large dip in the number of contract or temporary roles advertised, which in turn was perhaps a result of organisations being less inclined to pursue short term privacy related initiatives during the COVID period.

All the positions advertised in Adelaide (which were in the same organisation) and in regional Victoria were contract jobs.

Looking at the jobs through the lens of sector advertisers, all of the contract/temporary positions were in either Government or the Banking/Financial Services sectors.

For the first time since the commencement of this analysis, two of the positions referred to the option to work from home, suggesting some increased flexibility in working conditions in recognition of work-place changes wrought by COVID-19.

Salaries for Privacy Jobs

Only 6 of the advertised positions included actual salary ranges or rates offered for contract positions.

The highest advertised salary of AUD$250,000 – $315,000 p.a. (including superannuation & incentives) was offered for the ‘Director, Cyber Security & Privacy Consulting’ position with a US based professional services consulting organisation (mentioned as one of the senior leadership roles earlier).

The role advertised by the Department of Customer Service in NSW for a ‘Senior Coordinator Privacy and Right to Information’ offered a salary of between $110,745 and $122,038 p.a. The experience required for this role was more specific to privacy, requiring ‘extensive demonstrated knowledge’ of State privacy laws or ‘demonstrated experience regarding privacy governance and privacy risk’, as well as experience with operational privacy compliance obligations.

This was in a similar range to the salaries offered for the contractor positions with the Victorian agency based in Geelong, of $46 + superannuation per hour, which equates to around $112,000 p.a. for a full time position. The experience required for these roles was ‘previous experience working in a similar role, with a legal background.’

A much lower salary was posted for the ‘Backup/Data Protection Customer Support Officer’ with Perfekt, a Perth based IT services organisation. This role was clearly directed at candidates with an IT background.

Experience, Qualification and Certifications for Privacy Jobs

As for all previous quarters, almost every position required some level of experience. Only one of the 25 positions advertised was an entry level position with no previous related experience required.  This was the ‘Training Data Analyst’ position, one of three positions advertised by an organisation in the financial services sector in Adelaide.

Every other position required some sort of experience – in either privacy, cyber security or IT services.

The most common requirement was for at least 3 years’ experience.   For example, a Data Privacy Analyst role required 3 – 5 years’ experience in a data privacy related role. A Senior Security and Privacy Analyst required a minimum 4-5 years’ Professional Services experience in Cyber / IT technical delivery, IT audit, internal controls, or risk management.

Even though privacy was mentioned within their titles, a number of roles seemed focused on cyber security rather than privacy skills, requiring only security experience.  For example, a ‘Cyber Security & Data Protection Officer’ required ‘strong knowledge of implementing security frameworks, standards, and best practices, e.g., Australian ISM, ISO27001, and GDPR. Along with this, you will have in-depth experience on Infrastructure Security design and deployments using cloud-native security services (Azure AD, Azure Security Center, Azure VNets, VNet-peering, NSG, Azure DDoS, Load Balancers, WAF, Storage security)’.

As discussed above, the advertising of roles requiring both privacy and data security skills indicates a conflation of data security and privacy responsibilities which may not be supported by the skills available in the marketplace.

Where a requirement for a tertiary qualification was specified it was for a law degree, where the role required legal skills, or in some cases computing degrees (for the more technical roles).

It is worth noting that none of the advertised positions specifically referred to a requirement to hold any certification, including any IAPP certification (e.g. CIPM, CIPT or CIPP/E).

Our Analysis of Privacy Jobs in Australia

As part of our ongoing research into the state of the Australian privacy profession, Privacy 108 analyses the privacy job market, comparing on-line job adverts at a point in time each quarter from December 2018 to September 2020.[1] Job listings provide a useful snapshot into how both private and public sector organisations value privacy, the resources they are willing to commit to developing and managing privacy programs and to building their privacy maturity.

Our findings from the most recent data are summarised in this report.

[1] A list of all positions with either ‘privacy’ or ‘data protection’ in the title was compiled from jobs advertised on www.seek.com.au and www.indeed.com.au.