An organisation experienced a serious privacy breach which had to be notified to the Office of the Privacy Commissioner (OPC). The organisation had not appointed a privacy officer, as it is required to under the Privacy Act.

When the privacy breach occurred the organisation did not have anyone to lead the response and had no single point of contact with the OPC. This led to confusion within the organisation about how to respond to the privacy breach and who needed to be notified of what had happened. As part of its response to the breach, the OPC required the organisation to promptly appoint a privacy officer.

Why is a privacy officer required?

An “agency” in terms of the Privacy Act is any organisation or person that deals with personal information in the course of its business. To comply with the Privacy Act, all agencies must appoint at least one privacy officer who is in charge of making sure that the agency meets its privacy obligations and appropriately reports any privacy breaches.

Do they have to be from within the organisation?

Since the new Privacy Act came into force at the end of 2020, a privacy officer can now be appointed from outside the agency, meaning they do not have to be an employee of that agency. Previously a privacy officer could only be someone within the organisation.

This change allows agencies to appoint experienced, professional privacy officers if they do not have the right capabilities within their organisation.

Privacy officers have become even more important now that the Privacy Commissioner has the power to investigate and act on privacy breaches.

What does a privacy officer do?

The role of a privacy officer entails:

  • Ensuring compliance with the Privacy Act, including knowing the privacy principles;
  • Dealing with privacy-related complaints, and requests for access to and correction of personal information;
  • Liaising with the Privacy Commissioner, particularly in the event of a privacy breach;
  • Providing training about privacy issues; and
  • Advising the business or organisation about privacy matters.

It is important to be aware of your organisation’s privacy compliance obligations, and to make sure that you have appointed a privacy officer who is up to the task.

If your organisation does not have a privacy officer, or your privacy officer needs support or training, take advice from an experienced privacy professional.