Search for University Jobs in Senior Administration

Overview

Tufts Technology Services (TTS) is a university-wide service organization committed to delivering adaptable, results driven technology solutions in support of Tufts’ mission of teaching, learning, research, innovation, and sustainability. With staff working remotely, hybrid and on campus across Tufts University, as well as a 24x7 IT Service Desk, we collaborate with schools and divisions to meet the demands of a global, mobile, and diverse community. We promote a collaborative, forward-thinking, flexible work environment, embrace diversity and inclusion, and encourage personal and professional development.

Fostering a culture of organizational citizenship and making others successful, demonstrating integrity, ethical conduct and optimism, active contribution and continuous learning enables staff to serve the goals and values of the University and creates a fulfilling and positive work experience for all.

What You'll Do

The Privacy Officer and Director IT Security Compliance is a strategic leader within the Office of Information Security (OIS) and the Office of the CIO. This position plays a critical part in shaping university wide initiatives to understand, assess, and enhance data compliance, governance, and privacy practices, enabling researchers, faculty, staff, students, and clinicians to advance Tufts University’s diverse mission. This role is responsible for defining the strategic direction, scope, and depth of the privacy and IT security compliance program, optimizing the approach of current activities, proposing new approaches, and establishing a scalable operating model that leverages the current staffing structures (matrixed and/or direct reports). In the capacity of the Privacy Officer, this position maintains a dotted line reporting relationship to the CIO and serves as the designated privacy official responsible and accountable for the Tufts privacy program and strategy. This includes oversite of policies and procedures that safeguard the privacy interests of students, patients, employees, and the broader community. This position leads the development, implementation, operations, and continuous improvement of the Tufts privacy and IT security compliance program in alignment with applicable international, federal, and state regulations, as well as institutional policies and procedures. 

Additionally, the position directs and is responsible for the university-wide IT security compliance efforts, monitoring the evolving US and Global regulatory landscapes and collaborating with OIS to ensure that Tufts’ IT systems and data management practices remain compliant, resilient, and appropriate for the financial model and risk tolerance of the university. This role also sets the vision for security and privacy awareness initiatives and provides strategic guidance and operational support on research projects, technology solutions, and incident response to ensure alignment on privacy and security standards.

The Privacy Officer is a member of the CIO Council, and as such participates in TTS leadership, strategy and planning activities. 

University Privacy Officer:

• Serves as the university’s official Privacy Officer and official HIPAA Privacy Officer.
• Responsible for building and leading a privacy program that defines, develops, maintains, and implements policies and advises on processes throughout the university that enable consistent, effective privacy practices which minimize risk and ensure the confidentiality of personally identifiable information (PII), protected health information (PHI), and other personal data based on local, regional, national, and global laws and based on Tufts risk tolerance.
• Partners with the CIO, Office of University Counsel, University Compliance Officer, Office of Information Security, and HIPAA Security Officer to make decisions based on the interpretation of laws, contractual obligations, and evaluation of risk to the university for new projects, routine operations and for incident response and reporting.
• Is responsible for researching the business context and relevant factors to make, enable, and advise on appropriate risk-based decisions for privacy matters impacting contracts, projects, and operational processes including the clinical operations for covered-entities or HIPAA-related entities at the university. 

IT Security Compliance Program Leadership:

• Responsible for defining, developing, monitoring, and reporting on the Tufts IT Security Compliance program. This includes monitoring local, federal, and international legislative and regulatory changes that affect Tufts information security and privacy practices as well as continuous development of business and technical acumen of Tufts programs and processes. 
• Serve as the subject matter expert on data privacy, HIPAA privacy, and on IT security compliance requirements involving university programs, activities, and technical infrastructure. 
• Advises and is involved as needed in programs throughout the university that involve IT processes and access to data with privacy and information security compliance requirements, especially those in the research community, clinical operations, student educational programs, international programs, and developing areas such as student success modeling and enhanced university planning based on human data factors.
• Stay current by leveraging higher education and industry professional organizations, social forums, classes, conferences, certifications, and public materials, and by building relationships and sharing knowledge with other universities and industry professionals.

Privacy and IT Security Compliance operational duties:

• Track, promote, and communicate to appropriate stakeholders at least annually the strategic posture and overall compliance stance for in-scope privacy and IT security components of regulations such as US state privacy laws, GDPR, PIPL, HIPAA, GLBA, FERPA, PCI, etc.
• Develop materials and training programs to enable researchers and others to self-assess and self-design research projects and methods to address needed security and privacy practices. Review research proposals and contracts as needed for security and privacy concerns. Oversee vendor security reviews and currency of list of privacy and security approved IT tools for use by researchers. 
• Oversee IT security and privacy support to the Tufts Institutional Research Boards (IRBs) to monitor and advise on privacy and security in research studies, especially concerning the privacy and confidentiality requirements of the research Common Rule. 
• Partners with Office of the CIO, procurement, Office of University Counsel, and Tech Transfer to develop and maintain appropriate processes for contracts, click through agreements, vendor privacy statements, and vendor terms and conditions for IT security, compliance, and privacy concerns. 
• Promote and partner with TTS directorates as needed for development of materials, services, and programs to include privacy and security best practices in request and project reviews, and in the design, implementation, and entire lifecycle of handling in-scope data. 
• Promote and partner in projects to implement compliance with new rules and regulations such as GLBA Safeguards Rule and proposed new areas such as NSPM-33. 
• Partner with Office of Information Security to conduct required formal and informal risk assessments and ensure results and follow-up actions are tracked and managed.
• Participate in incident response and coordination with OIS, CIO, Risk Management Office, and Office of University Counsel. Do analysis if breach notifications are likely. In partnership with Office of University Counsel, ensure incidents are tracked and incident and routine reports are sent to appropriate agencies such as HHS.
• Oversee development, delivery, and tracking of security and privacy awareness and training programs. 

What We're Looking For

Basic Requirements:

• The knowledge and skills that are typically acquired through a bachelor’s degree and 10+ years of experience in roles that involve IT Security compliance, privacy, and IT technology
• Familiarity of typical expectations of data privacy and IT security components of common laws and regulations
• Experience reading laws and regulations and interpreting applicability
• Reasonable knowledge of technology aspects of regulatory requirements and experience working with IT subject matter experts to create program requirements, documents, and success criteria
• The contextual awareness and cultural skills sufficient to lead privacy strategy in the higher education research institution context, across educational, research, administrative, and clinical domains
• Comfortable balancing risk, protection, and business needs with the ability to remain calm and effective under stress
• Experience maintaining a high level of integrity and demonstrating trust and sound business judgement on handling sensitive and confidential information
• Ability to work independently, prioritize workflows, meet demanding deadlines, and manage multi-faceted projects and community needs
• Ability to analyze, explain, and present complex information and recommendations clearly
• Excellent analytical, verbal, and written communication skills including active listening and emotional intelligence
• Demonstrated solution-oriented skills in collaboration, teamwork, and problem-solving to achieve goals
• Demonstrated skills in providing excellent service to customers and ability to establish and maintain open and trusting work relationships
• Strong attention to detail
• Demonstrated leadership and management skills including the ability to understand when and how to escalate concerns through appropriate chains of command
• Perpetually curious and driven to learn new skills especially involving privacy and cybersecurity 
• Enjoy working with and being an integral member of a tight-knit team 

Preferred Qualifications:

• Juris Doctor (JD) degree or Master’s degree or similar advanced, graduate degree
•  Experience in research compliance, practices, and procedures
• Detailed knowledge and understanding of the importance of global privacy laws and US regulations, including but not limited to HIPAA, GDPR, PIPL, PCI, FERPA, GLBA
• Experience working with NIST 800-171 and CMMC
• Experience working in privacy program at a HIPAA Covered Entity
• Experience working in a privacy program which complied with GDPR
• Experience successfully building and leading a privacy function that embeds data privacy and security as a competitive advantage and strategic business enabler 
• Ability to apply a risk-based analysis to privacy issues and demonstrate creativity and flexibility in developing solutions that satisfy both business needs and legal obligations
• Passionate about privacy and Information Security, is a continuous learner, and understands how data, technology, and people are likely to interact
• Privacy certifications, such as CIPP, CIPM, and/or CIPT offered by IAPP
• Healthcare privacy and information certifications, such as CHPS offered by AHIMA, or CHPC offered by HCCA
• Information Security certifications such as CISSP, CAP, and/or HCISSP offered by ISC2
• Familiarity with non-profit or academic environments

Pay Range

Minimum $141,000.00, Midpoint $176,300.00, Maximum $211,500.00

Salary is based on related experience, expertise, and internal equity; generally, new hires can expect pay between the minimum and midpoint of the range.