
Do I Have to Nominate a Privacy Officer For My Business?

Privacy is the collection, use, management and protection of your customers’ personal information. It is an important part of managing your business and maintaining the trust of your customers when they do business with you. Therefore, you should nominate a privacy officer for your business. Doing so is a good way of ensuring you comply with Australian privacy laws. This article explains whether you need to nominate a privacy officer for your business and what the role entails.

Do You Need to Comply With the Australian Privacy Principles?

The Privacy Act 1988, which includes the Australian Privacy Principles (APPs), regulates the handling of personal information about individuals. The APPs apply to certain entities in Australia, including:

  • entities with an annual turnover of more than $3 million, including charities and not-for-profit organisations;
  • health service providers, including gyms;
  • some small businesses, including businesses selling or purchasing personal information; and
  • entities that ‘opt-in’ and choose to comply with the APPs.

This list is not exhaustive. Other entities also need to comply with the APPs. It is best to seek legal advice to clarify whether your business needs to comply. If your business is an APPs entity, then you must fulfil certain obligations when collecting, storing and managing the personal information of your customers.

Do I Need to Nominate a Privacy Officer?

The APPs do not require APPs entities to appoint a privacy officer. Nor do they set out the scope within which a privacy officer must act. However, the Office of the Australian Information Commissioner (OAIC) has issued guidelines, setting out recommended practices and systems for APPs entities to ensure compliance with their obligations under the APPs.

One of the recommendations is that a business appoint a privacy officer, or multiple privacy officers, depending on the size of the business.

If you are an APPs entity, you must have a privacy policy. The policy must set out, among other matters, how your customers can:

  • contact your business to ask questions about their personal information;
  • access their personal information; and
  • make complaints about any breach of the APPs by your business.

Having a privacy officer means your customers have a simple point of contact for concerns relating to privacy and compliance with the APPs.


What if My Business is Not an APPs Entity?

Even if your business is not an APPs entity, the OAIC recommends you appoint someone who is responsible for ensuring customers’ personal information is protected.

They do not have to be called a privacy officer, but they should specifically deal with issues relating to how the business handles the privacy of customers.

The Responsibilities of a Privacy Officer

A privacy officer should receive training before taking on the role. They should know what the APPs contain and what the business needs to do to comply with them.

A privacy officer may:

  • conduct regular staff training on your business’ obligations under the APPs, including correct policies and processes for handling personal information;
  • handle any complaints or questions from customers as they arise under your business’ privacy policy;
  • act on any reasonable customer requests to access their personal information;
  • maintain records of the personal information your business holds;
  • handle any internal privacy issues; and
  • respond to any data breaches that occur.

A privacy officer is not personally liable for whether the business complies with the APPs. Your business must ensure that it complies with its APPs obligations regardless of whether you nominate a privacy officer.

Key Takeaways

You do not need to nominate a privacy officer under Australian privacy law. However, it is recommended as best practice for your business, regardless of whether you are an APPs or non-APPs entity. This is because it shows that your business is committed to ensuring a culture of privacy compliance.

It is also useful to have a key contact to deal with customer complaints and concerns relating to your business’ privacy policy. If you have any questions, contact LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Lauris De Clifford

