
Do I Have to Nominate a Privacy Officer For My Business?

In a business context, privacy concerns how you collect, use, manage and protect your customers’ personal information. Handling that information properly is an important part of managing your business and maintaining the trust of your customers when they deal with you. Nominating a privacy officer is one practical way of ensuring you comply with Australian privacy laws. This article explains whether you need to nominate a privacy officer for your business and what the role entails.

Do You Need to Comply With the Australian Privacy Principles?

The Privacy Act 1988, which includes the Australian Privacy Principles (APPs), regulates the handling of personal information about individuals. The APPs apply to certain entities in Australia, including:

  • entities with an annual turnover of more than $3 million, including charities and not-for-profit organisations;
  • health service providers, including gyms;
  • some small businesses, including businesses selling or purchasing personal information; and
  • entities that ‘opt-in’ and choose to comply with the APPs.

This list is not exhaustive. Other entities also need to comply with the APPs. It is best to seek legal advice to clarify whether your business needs to comply. If your business is an APPs entity, then you must fulfil certain obligations when collecting, storing and managing the personal information of your customers.

Do I Need to Nominate a Privacy Officer?

The APPs do not require APPs entities to appoint a privacy officer. Nor do they set out the scope within which a privacy officer must act. However, the Office of the Australian Information Commissioner (OAIC) has issued guidelines, setting out recommended practices and systems for APPs entities to ensure compliance with their obligations under the APPs.

One of these recommendations is that your business appoint a privacy officer, or several privacy officers if the size of your business warrants it.

If you are an APPs entity, you must have a privacy policy. The policy must set out, among other matters, how your customers can:

  • contact your business to ask questions about their personal information;
  • access their personal information; and
  • make complaints about any breach of the APPs by your business.

Having a privacy officer means your customers have a simple point of contact for concerns relating to privacy and compliance with the APPs.


What if My Business is Not an APPs Entity?

Even if your business is not an APPs entity, the OAIC recommends you appoint someone who is responsible for ensuring customers’ personal information is protected.

They do not have to be called a privacy officer, but they should specifically deal with issues relating to how the business handles the privacy of customers.

The Responsibilities of a Privacy Officer

A privacy officer should receive training before taking on the role. They should know what the APPs contain and what the business needs to do to comply with them.

A privacy officer may:

  • conduct regular staff training on your business’ obligations under the APPs, including correct policies and processes for handling personal information;
  • handle any complaints or questions from customers as they arise under your business’ privacy policy;
  • action reasonable requests from customers to access or correct the personal information your business holds about them;
  • maintain records of the personal information your business holds;
  • handle any internal privacy issues; and
  • respond to any data breaches that occur.

Nominating a privacy officer does not shift responsibility for compliance onto that person. The privacy officer is not personally liable for whether the business complies with the APPs; your business remains responsible for meeting its APPs obligations whether or not it nominates one.

Key Takeaways

Australian privacy law does not require you to nominate a privacy officer. However, doing so is recommended as best practice whether or not your business is an APPs entity, because it gives your customers a clear point of contact for complaints and concerns about your privacy policy and shows that your business is committed to a culture of privacy compliance.

If you have any questions, contact LegalVision’s IT lawyers on 1300 544 755.

Lauris De Clifford

