Privacy Jobs in Australia: What happened in 2019?

Australian Privacy Jobs Report

This report outlines the trends from our analysis of privacy jobs advertised between December 2018 and December 2019. It shows a small increase in the total number of advertised roles, a shift to compliance roles from legal positions with most positions still being middle management rather than senior roles.  Sydney had the greatest number of advertised roles over the period analysed followed by Melbourne, with a big gap to the ACT and other capital cities.

Key Findings:

• The total number of advertised positions increased marginally from 24 in December 2018 to 31 in December 2019.
• Over the last 12 months, government was the biggest advertising employer, followed by Banking & Financial Services and Technology.
• Around 20% of jobs were for short terms contracts (either 3 or 6 months). Government positions were more likely to be on a contract rather than permanent basis.
• There was a continued move from legal to risk/compliance positions. In December 2019, over half the advertised jobs were for compliance roles rather than legal or technical positions.
• The high variance of job titles and skills expectations remain, indicative of an immature
• Experience continues to be a key requirement, with few references to industry certifications or qualifications (other than law degrees for legal roles).
• Generally, no positions were expressed to be entry level roles. However, in December 2019 there was on graduate position plus an internship.

Very few advertisements specify salary ranges, perhaps indicating upwards pressure on remuneration for privacy professionals.

Introduction

Although increased media attention and evidence of a more aggressive regulator might be expected to lead to increases in advertised privacy jobs in Australia, our research suggests otherwise.  The Privacy 108 quarterly analysis of on-line advertisements for privacy positions, commencing in December 2018, reveals a low number advertised jobs for privacy professionals, mostly in the banking and financial sector, with little increase in total advertised positions over the period.

Combined with information from our survey from privacy practitioners, recruiting for privacy practitioners is more likely to be done via word of mouth and using networks rather than advertising.

This report considers data about advertised jobs collected in December 2019 and the trends that are starting to become apparent by comparing the data collected over the last five (5) quarters (from December 2018).

Our Analysis

As part of our ongoing research into the state of the Australian privacy profession, Privacy 108 analyses the privacy job market, comparing on-line job adverts quarterly from December 2018, to December 2019.[1]  Job listings provide a useful snapshot into how both private and public sector organisations value privacy, the resources they are willing to commit to developing and managing privacy programs, and to building their privacy maturity.

Our findings from the most recent data are summarised below.

Number of Roles

The total number of jobs climbed slightly again, growing from 29 in September 2019 to 31 in December 2019. This showed an increase of 7 jobs from the 24 positions advertised in December 2018.

11 positions were offered via recruiters and the rest were directly advertised.

Just as in September 2019, there is some evidence that advertised positions are not being filled. Positions were still being advertised in December 2019 that had been advertised in the previous quarter.  These included positions with Google and Dell. This suggests some difficulty in recruiting appropriately qualified candidates.

Again, it looked like the same position was advertised multiple times.  For example, Deloitte advertised what looked like the same position as Privacy and Data Protection Senior Analyst and Privacy and Data Protection Specialist.  We have left in both positions. A Victorian State government job was advertised as located in both the ACT and Victoria.  We’ve left in both instances of this job although in may have been for a single position.

As for previous periods, most of the advertised roles were for full time positions. Around ¼ were contract or temporary roles.   Most of the contract positions were with government agencies (see more detailed statistics in Annexure A).

The contract positions were mostly for discrete projects.  For example, a not-for-profit organisation was looking for a privacy professional for a 6-month contract to ‘build and implement a Privacy Framework.’

Many jobs referred to flexible conditions including flexible work hours (offered by banks and the larger employers) and one ad referred to the position as being ‘9-to-5’ as an major plus!

Where are the jobs?

Although the total number of advertised positions did not significantly change, there was again some movement in where the available roles were located.  There was a significant increase in jobs in Sydney, compared to the previous quarter, while roles in Melbourne remained consistent. Over the course of the 12 months examined, Melbourne had more consistency in the number of advertised jobs.  However, over the period, Sydney had most positions (60) followed by Melbourne (42), ACT (13) and Brisbane (9).  These figures indicate the big gap between positions available in the Southern Capitals versus the rest of Australia.

The Canberra job markets went from no jobs in the previous quarter to 4 positions in December 2019.  This was a consistent pattern over the course of the year, with a variance of between 0 advertised jobs (in December 2017 and September 2019) and 4 or 5 jobs in March, June and December 2019.

Positions in the minor capital cities remained low and inconsistent.  Brisbane peaked with 5 advertised positions in September 2019 but there no advertised position in March and December 2019. There was one (1) advertised position in Darwin in December 2019 which was the first time a position had been advertised in the Northern Territory.

The number of regional jobs remained relatively constant with between 1 and 2 jobs advertised each quarter, mostly with either local government or state agencies or a regional bank.

Unusually in December 2019 there was one overseas located position advertised.

Who is hiring?

We segmented the job postings by sector.[2]

Government and utilities were the biggest advertiser in 2019 with 37 out of the total 133 advertised position over the period from December 2018 to December 2019.  This sector includes Federal, State and Local government agencies as well as State owned corporations. Most of the government advertised positions were for legal roles and required expertise in privacy plus freedom of information, public interest disclosures and right to information as well as other more specific legislation.  The Government sector also were more likely to have regional positions, together with Federal Government positions located in the ACT.

Employers in the Banking and Technology sectors were the next biggest hirers.  These jobs were much more likely to be located in Sydney and Melbourne. General corporates were the next biggest advertising group.  There were very few advertised positions with Higher Education and Not-for-profit organisations, both of which sectors typically process large amounts of personal information.

Job Titles

We are interested in identifying the extent to which recognised positions, with attached skills and experience requirements, are developing.   Commonly understood job titles and skills is evidence of a maturing workforce.

As mentioned in previous analysis, the wide diversity of job titles is most likely due to the immaturity of privacy practice in Australia and the lack of a settled approach to structuring privacy teams across organisations.

To help with our analysis, we did further categorisation of the advertised privacy jobs based on the job title, allocating to general position titles such as officer, counsel, manager, analyst, specialist etc.

Using this categorisation we are able to see some trends over the last five reported periods

Four of the legal roles were called legal counsel.  The technical roles were typically designated as engineers.

Out of all the remaining job titles used, ‘Privacy Officer’ was the most common.  There were seven (7) roles for Privacy Officers, with some variations such as ‘Data Privacy Officer’ and ‘Information and Privacy Officer.’  Other similar role titles included ‘Privacy Manager’ and ‘Privacy Specialist.’  It is becoming clear that privacy or data protection ‘officers’, ‘managers’ and ‘specialists are the most common positions in the privacy world. See more detailed statistics in Annexure A.

Based on the prevalence of these job titles, it might be assumed that most privacy positions are mid-management level, rather than senior.    This seems to be supported by the positions advertised (although it is also likely that senior roles might be filled in a different way).

There was only one advertised position for a Chief Privacy Officer. Out of the 31 advertised positions, there were seven (7) other roles that seemed to be more senior that the role of an officer, including ‘Senior Data Privacy Expert’ and ‘Director – Cybersecurity & Privacy.’

Nature of Roles and Reporting

To help understand the type of skills being sought, we broke the job titles down further, allocating each job to one of the following categories based on the description of the role and where it was reporting:

• Risk/Compliance;
• Legal;

Compared to the previous quarter, there has been a shift towards privacy roles as part of the compliance function in organisations.  Looking at the type of role across industry sectors, it became clear that:

• Compliance roles were offered by Corporates, Government and Professional Services (with fewer in Banking and Financial Services);
• Government is mostly employing privacy people in legal and compliance roles;
• Most of the technical roles are with technology companies.

The job ad’s were reviewed to identify where the role reported, to further support the categorisation of the role.  Tracking where privacy roles sits within organisations helps us understand the role that privacy professionals might be expected to play.

Although reporting was not always disclosed, some information could be derived from the detailed job descriptions.  Not surprisingly, the technical positions usually reported into IT or IT Security (which is consistent with the proposition that as data protection becomes synonymous with security, more technical roles will be characterised as data protection positions).

There were few references to stand alone privacy teams.  A couple of positions were advertised with a Freedom of Information Privacy Team and another position was with Privacy, Risk and Compliance. Consistent with the rise in the number of compliance focused roles, a number of positions reported into compliance types functions including:

• Governance Group,
• Assurance Manager,
• Compliance, Audit, Assurance and Risk.

Out of the other roles that had an indication of where they sat in the organisation, many sat within different parts of the business, including the following:

• Information Security Services,
• Business Systems Team,
• Cyber Risk Team, and
• Infrastructure Team.

Experience and qualifications

For the first time, there was one advertised position for a graduate and a 3-month internship for a student ideally with ‘advanced level Computer Science coursework.’  However, every other advertised job required some type of experience. Examples of the experience required include:

Demonstrated experience providing quality privacy advice and processing Freedom of Information requests

Demonstrated proficiency in cyber security privacy, compliance and policy with evidence of its application in practice

Knowledge of the Australian privacy landscape and the European Union’s General Data Protection Regulation (GDPR)

10 positions specified certain periods of experience.  These included 12+ years in a related field with the majority of recent experience in consulting/professional services, 8+ years legal experience for another position.  The average experience required with 2 – 3 years in a privacy related field.

16 of the positions specified some sort of qualification in addition to experience.  For legal roles, a law degree was essential. The requirements for other positions were mostly for some general tertiary qualification, for example:

Tertiary qualifications within FOI, privacy or legal and/or demonstrated experience in a related discipline.

Bachelors or higher degree in relevant technology discipline (e.g. Business / Computer Information Systems or Information Security).

Few advertisements referred to industry certifications, other than generally, such as:

At least one relevant technical or professional certification required,

Salaries

Although many ad’s referred to ‘attractive salary and benefits’ only 2 specified a salary range making it difficult to track whether or not salaries are changing for privacy jobs.  This follows a pattern noted in the September 2019 report which indicated that only 2 of the 29 advertised positions gave any specific $ amount for salaries.  In the June 2019 advertised jobs, 11 out of 27 positions included salary information.

The increasing reluctance to give salary ranges might indicate that there is upward pressure on salaries, making it something to be negotiated on a case-by-case basis.

Conclusions

Our analysis of job’s ad’s between December 2018 and December 2019 show that the number remains is growing slowly (increasing from 24 to 31), with some move away from legal roles to compliance.  This may suggest an increased focus on implementing organisational privacy programs rather than viewing privacy as a legal problem. However, it is also consistent with government, finance and technology organisations (and their focus on risk/compliance and technical solutions) being the main advertisers.

There are continued strong indicators of an immature market, including the variety of job titles, lack of consistency in skills requirements and the continued focus on prior experience (with very few entry level jobs).

We will continue to track these trends going forward. Will reform to the Privacy Act signalled in the ACCC’s Digital Platforms Inquiry, and the growth of privacy and security regulation globally, plus the enforcement activity of the European Data Protection Authorities have an impact on the Australian privacy profession?

[1] A list of all positions with either ‘privacy’ or ‘data protection’ in the title was compiled from jobs advertised on www.seek.com.au and www.indeed.com.au.

[2][2] Sectors used for analysis are Banking and Financial Services, Professional Services (including consultants), Technology organisation (including cloud service providers), Government, Corporate (covering all non-government entities not in another category), Higher Education and Not-for-profit.