The Chief Privacy Officer (CPO) is responsible for ensuring organizational compliance with all applicable information privacy and freedom of information legislation and internal policies related to the protection of personal information. The CPO leads the development, implementation, and continuous improvement of the associated privacy programs, policies, and procedures to safeguard data and mitigate privacy risk across the organization.

At this critical juncture, during the organization’s transition to a new health information system and in the context of rapid change associated with artificial intelligence, the CPO plays a pivotal role in ensuring that privacy control requirements are embedded across Sunnybrook’s information management system design, configuration, workflows, audit and compliance processes. This includes overseeing privacy impact assessments, supporting system and procedural change‑management activities, and ensuring the new system meets legislative and best‑practice standards for the protection of personal health information.

This role provides subject-matter expertise, guidance, and training to staff on privacy best practices, and acts as the primary point of contact for privacy-related concerns, inquiries, and incident management. When privacy incidents occur, the CPO coordinates appropriate responses with Legal Counsel, Senior Leadership, external partners, and the Information and Privacy Commissioner of Ontario as necessary.

Key Responsibilities:

• Develop and maintain privacy programs, policies, and procedures.

• Oversee compliant processes for managing personal and sensitive information.

• Lead investigations of privacy incidents, assess risks, implement mitigations, and ensure required reporting.

• Conduct privacy audits and assessments to ensure adherence to legislation and policies.

• Provide organization‑wide training on privacy requirements and best practices.

• Participate in the institutional review and approval of research activity.

• Review and approve integrated care systems and data sharing initiatives.

• Provide strategic leadership and direction to the Privacy Office team, including the Privacy Office Manager and Privacy Analyst, ensuring clear priorities, effective workflow management, and high‑quality service delivery across all privacy functions.

• Develop, mentor, and coach staff to build organizational privacy expertise; foster a collaborative, high‑performing team culture grounded in accountability, continuous learning, and operational excellence.

Qualifications:

• Undergraduate degree required; Graduate degree preferred.
• Minimum 5 years of experience in privacy, compliance, or related fields, preferably in healthcare or regulated sectors.
• Experience conducting privacy impact assessments and leading privacy investigations.
• Knowledge of relevant privacy legislation and regulatory requirements (e.g., PHIPA, FIPPA).
• Relevant certifications such as CIPP/C, CIPT, CDPSE or equivalent (preferred).
• Relevant knowledge and experience in the acquisition, development and management of information technology.

Knowledge and Skills:

• Strategic leadership: Ability to lead the Privacy Office, set clear priorities, and foster a culture of privacy excellence and continuous improvement.
• Organizational influence: Skilled at influencing senior leaders, cross‑functional teams, and stakeholders on privacy issues and strategic decision‑making.
• Exceptional communication: Capable of translating complex privacy concepts and risks into clear guidance for diverse audiences.
• Strategic negotiation & representation: Adept at negotiating and representing the organization with patients, external stakeholders and regulators.
• Advanced analytical problem‑solving: Ability to evaluate complex privacy issues and develop risk‑based solutions.
• Sound judgment and discretion: Demonstrated capacity to manage sensitive, confidential, or high‑risk matters.