The Privacy Act 2020 requires all organisations that collect and process personal information to appoint one or more Privacy Officers.
A Privacy Officer is the first point of contact for privacy matters in your organisation and co-ordinates a range of functions to help the organisation comply with the Privacy Act.
Is a Privacy Officer responsible for compliance with the Privacy Act?
Compliance with the Privacy Act is the organisation’s responsibility – it does not rest solely on the Privacy Officer. The organisation is expected to provide Privacy Officers with the necessary resources, time and support to enable them to carry out their role effectively.
What does a Privacy Officer need to do?
Under the Privacy Act, a Privacy Officer’s responsibilities include:
- encouraging the organisation to comply with the information privacy principles (a summary of which can be found at privacy-act-changes.pdf (PDF))
- dealing with requests made under the Privacy Act
- working with the Privacy Commissioner in relation to any privacy investigations
- ensuring the organisation complies with the Act
What skills and knowledge does a Privacy Officer need?
A Privacy Officer should have a good understanding of the Privacy Act and be able to translate its requirements into the day-to-day operations of the organisation. The Office of the Privacy Commissioner provides useful resources to help organisations understand their obligations under the Privacy Act. These can be accessed at https://www.privacy.org.nz/responsibilities/privacy-resources-for-agencies/essential-resources-for-agencies/
A Privacy Officer will also need to understand the systems and processes your organisation uses to handle personal information, and how to manage personal information access requests and privacy complaints in a fair, transparent and compliant manner.
Some practical things a Privacy Officer should consider:
- What safeguards does your organisation have in place to reduce privacy risks?
Consider what technological and operational security measures and access controls are in place to prevent the loss or unauthorised access, disclosure, use or other misuse of personal information.
- Does your organisation require privacy training?
If multiple people in your organisation handle personal information, it is important they understand their obligations under the Privacy Act. The Office of the Privacy Commissioner has free online privacy education tools that can be accessed at elearning.privacy.org.nz
- Does your organisation have a data breach response plan?
Do you know what to do or who to contact in the event of a data breach? Having a documented plan in place (even if it’s just a basic one) will help your organisation efficiently and effectively manage a data breach and comply with any mandatory reporting obligations you may have under the Privacy Act.
- How does your organisation monitor compliance with the Privacy Act?
- Keep privacy front of mind.
Consider the privacy impact of any new initiative and ensure privacy is embedded into the design, development and operation of new systems or practices.