Stanford University is not just about finding your "next job," but where we hope you will discover a rewarding career, as well as life-changing experience filled with rich traditions, a deep passion for collaboration and innovation, an unparalleled respect for diversity and creative freedom, and a culture of excellence. As one of the world's premier research institutions, Stanford devotes tremendous resources toward the betterment of humanity. Hundreds of initiatives -- in everything from medicine to engineering, the environment, peace, and national security -- create an atmosphere humming with intelligence and excitement.
Stanford seeks a seasoned, innovative leader to serve as the University's Chief Privacy Officer (CPO). As CPO, you will work in an entrepreneurial academic community to provide proactive leadership, direction, guidance, and support to administration, faculty, and staff in all aspects of privacy for the University, steer and enhance an effective privacy program, and, in turn, advance Stanford's leadership presence in this realm. The CPO leads a team of five full-time equivalent privacy professionals to support the protection of information entrusted to the University related to students, faculty, administration and staff, research participants, and other key constituents. The CPO leads the University Privacy Office (UPO) in the ongoing implementation, coordination, and management of a comprehensive privacy program to meet state, federal, and international laws and regulations related to privacy, as well as Stanford's Minimum Privacy Standards. The CPO cultivates and leverages robust collaborations across the Stanford ecosystem.
The position sits within the Office of the Chief Risk Officer (OCRO) and reports to Stanford's Senior Associate Vice President and Chief Risk Officer. UPO is one of seven functional units within OCRO, which also includes Enterprise Risk Management (ERM), Internal Audit, the Office of Ethics and Compliance, Risk Management and Insurance, Global Risk Management, and Information Security (which reports dually to University Information Technology). OCRO's role spans Stanford and enjoys strong institutional support and commitment. OCRO strives to be a valued partner and advisor. Across the Stanford ecosystem, OCRO supports Stanford's missions by providing strategic consultation, independent assurance, and a catalyst for coordinated, balanced action on risk and compliance matters.
While managing the institutional risk associated with privacy, the CPO enables innovation and discovery related to data and promotes academic freedom, balanced with ever-evolving compliance obligations and other privacy considerations. The CPO identifies and develops initiatives to prevent, detect, and respond to internal and external privacy risks through the continuous development and evolution of a comprehensive privacy program, policies and procedures, annual oversight and monitoring plans, and privacy education and awareness-building for Stanford University. The CPO's priorities include:
Protection of confidential data
Safeguard members of the Stanford community by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.
Establish and maintain practices to protect personal and institutional information in a manner consistent with University values and applicable laws and regulations.
Anticipate and address privacy issues as they arise, respond to internal and external inquiries, concerns, and complaints, and prepare formal responses.
Adherence to privacy laws and regulations
Stay current and drive proactive action in the dynamic regulatory environment.
Oversee and monitor Stanford's compliance with applicable state, federal, and international laws, University policies and procedures, and privacy standards.
Educate and guide faculty, staff, and students; increase awareness and proficiency around privacy issues to reduce risk and incidents.
Protect the integrity of data collected, created, transmitted, released, and stored by Stanford entities and affiliates.
Investigation and response to privacy incidents
Lead complex investigations into privacy-related allegations and incidents, working closely with the Office of the General Counsel (OGC), conduct interviews as needed, and follow cases thoroughly to resolution, including working outside of normal business hours to meet tight regulatory reporting deadlines.
Keep meticulous regulatory documentation to afford a reasonable basis for analysis, judgment, and conclusions in the case of violations.
Take a lead role in preparing formal responses to external federal and state investigative bodies; recommend corrective action plans and subsequent monitoring plans to management.
Steward operational controls so that privacy program components and activities meet state, federal, and international privacy laws in addition to Department of Education Office of Civil Rights guidance.
Collaboration with key stakeholders
Capitalize on the vibrant spirit of partnership across Stanford to serve as a trusted colleague.
Partner with and obtain legal advice from the Office of the General Counsel.
Prioritize service to the academic and research enterprise, including support for schools and the Research Data Governance and Privacy function.
Coordinate continuously with the Privacy Office for Stanford Health Care and Stanford Medicine Children's Health (Hospital Privacy).
Work closely with the Chief Information Security Officer, staff of the Information Security Office (ISO), and other information security and privacy leaders across Stanford to ensure policies and procedures, incident response, and other provided services are utilizing best practices and new technologies, and that Stanford's privacy and security functions are coordinated in their messaging relative to privacy.
Develop strategy and policy in concert with OGC, ISO, Hospital Privacy, the Office of the Vice Provost and Dean of Research and other research-supporting functions, the Student Services Center, the University Human Resources Benefits Office, and other relevant university offices.
Communication with oversight bodies and committees
Represent UPO on relevant campus committees; provide thought leadership and expertise.
Lead presentations and discussions regarding privacy matters with the University's Board of Trustees Audit, Compliance and Risk Committee, University Cabinet, Faculty Senate and committees, and others.
Serve as representative to the Privacy Governance Council.
Provide leadership in representing the University in relevant national organizations.
Build, mentor, and develop a world class privacy team. Hire and retain staff, and be accountable for the performance of the team. Provide career coaching and personal development for direct reports. Develop succession plans.
Develop and implement a strategic vision and plans for the privacy program in accordance with best practices; set long-range direction and make high-level decisions; propose and manage the implementation of complex and significant programmatic change.
Routinely brief the Chief Risk Officer in a timely manner on matters of potential non-compliance, as well as updates to privacy laws and regulations.
Minimum Education and Experience
Ten or more years of increasingly responsible privacy program leadership experience.
Demonstrated, successful experience in a large, complex research-intensive university or academic medical center with substantial research activitiesrequired.
Success operationalizing a privacy program is desired.
A track record of active and appropriate responses to privacy violation allegations, incidents, and investigations, including working with counsel and stakeholders. Experience with privacy issues related to academic and medical research and health information; knowledge of protection of student information. Expertise in each of HIPAA, FERPA, GDPR, PIPL, and California Civil Code section 1798.82 preferred.
Experience coordinating activities between a university and hospital is a plus.
Demonstrated strengths as a team leader in hiring, developing, and managing a high-producing team of privacy experts; experience in managing staff and providing leadership to achieve goals and vision of the organization.
Demonstrated ability to build successful relationships with a wide range of staff across a complex organization while maintaining the ability to be decisive and forthright in a consensus-driven environment.
Demonstrated success in educating a range of stakeholders on a comprehensive privacy plan as well as leading active and appropriate responses to a variety of incidents and investigations.
Bachelor's degreerequired. An advanced degree in law (JD), privacy, or a related fieldpreferred.
Certified Information Privacy Professional designation is a plus.
Membership and leadership in national privacy organizations are a plus.
Knowledge, Skills, and Abilities
Expert knowledge of state, federal, and international privacy statutes, laws and regulations, industry standards, trends, and regulatory requirements. Working knowledge of industry-accepted privacy and security frameworks.
Ability to understand, research, analyze, interpret, and apply complex federal, state, and international privacy laws, rules, regulations, and guidelines and constantly changing risk profiles and evolution.
Knowledge of academic research environment and risks, and comfort in navigating the intersection of research, clinical data, and privacy.
A thorough understanding of industry best practices in privacy and demonstrated success in strategic planning, program evaluation, and improvement to create and implement a vision for privacy operations.
Ability to lead and motivate others and earn the respect of colleagues at all levels.
Excellent strategic skills to craft and lead implementation of organizational strategies and plans for campus-wide initiatives.
Highly effective written, oral, and interpersonal communication skills to address a variety of sophisticated audiences.
Proven presentation experience and comfort with senior leadership audiences. Effective facilitation skills with diverse groups.
Exceptional interpersonal, negotiation, and political acumen skills. Able to influence people, solve problems, troubleshoot, think creatively, and resolve conflicts.
Comfortable with ambiguity and lack of clarity; a flexible approach to problem solving and an understanding of the dynamic and emerging nature of privacy.
Strong project management skills to effectively manage multiple ongoing projects and coordinate activities among many significant stakeholders.
Dedication to treating both internal and external stakeholders as clients, while maintaining a flexible customer service approach and orientation that emphasizes service satisfaction and quality.
Demonstrated ability to effectively prioritize work and meet deadlines in a fast-paced environment.
Digital proficiency and sound business judgment.
Enthusiasm for "privacy by design" practices and privacy engineering; agile; appreciation for the complexity of how information flows.
Driven by metrics and outcomes, with success in implementing evidence-based changes.
Understanding that this privacy leadership role does not involve the practice of law, which is a function performed by Stanford's Office of the General Counsel.
Ability to passionately model and demonstrate consistently high standards of professional ethics, integrity, and trust embodied in the values, philosophy, mission, and vision of Stanford University.
Remote work arrangements may be considered.
The job duties listed are typical examples of work performed by positions in this job classification and are not designed to contain or be interpreted as a comprehensive inventory of all duties, tasks, and responsibilities. Specific duties and responsibilities may vary depending on department or program needs without changing the general nature and scope of the job or level of responsibility. Employees may also perform other duties as assigned.
Consistent with its obligations under the law, the University will provide reasonable accommodation to any employee with a disability who requires accommodation to perform the essential functions of the job.
Stanford is an equal employment opportunity and affirmative action employer. All qualified applicants will receive consideration for employment without regard to race, color, religion, sex, sexual orientation, gender identity, national origin, disability, protected veteran status, or any other characteristic protected by law.
This role is open to candidates anywhere in the United States. Stanford University has five Regional Pay Structures. The compensation for this position will be based on the location of the successful candidate. The expected pay range for this position is $162,000 to $265,000 per annum/hour. Stanford University provides pay ranges representing its good faith estimate of what the university reasonably expects to pay for a position. The pay offered to a selected candidate will be determined based on factors such as (but not limited to) the scope and responsibilities of the position, the qualifications of the selected candidate, departmental budget availability, internal equity, geographic location, and external market pay for comparable jobs.
Why work at Stanford?Stanford University has changed the world, over and over again.We are one of Silicon Valley's largest employers - and also one of the most unique. Our mission is to educate future leaders and promote interdisciplinary, world-class research and teaching. This passion makes Stanford an intensely creative, rewarding, and challenging place to work. At the same time, our traditions of respect and collaboration sustain a humane, supportive environment in which to pursue your life and your career.At Stanford you'll work with bright, diverse, dedicated people. You'll find encouragement to learn and grow. You'll enjoy excellent benefits and an outstanding environment. How will it change you?