Privacy, in this context, concerns the collection, use, management and protection of your customers’ personal information. It is an important part of managing your business and maintaining the trust of your customers when they do business with you. One way to manage it is to nominate a privacy officer for your business, which is a good way of ensuring you comply with Australian privacy laws. This article explains whether you need to nominate a privacy officer for your business and what the role entails.
Do You Need to Comply With the Australian Privacy Principles?
The Privacy Act 1988, which includes the Australian Privacy Principles (APPs), regulates the handling of personal information about individuals. The APPs apply to certain entities in Australia, including:
- entities with an annual turnover of more than $3 million, including charities and not-for-profit organisations;
- health service providers, including gyms;
- some small businesses, including businesses selling or purchasing personal information; and
- entities that ‘opt-in’ and choose to comply with the APPs.
This list is not exhaustive. Other entities also need to comply with the APPs. It is best to seek legal advice to clarify whether your business needs to comply. If your business is an APPs entity, then you must fulfil certain obligations when collecting, storing and managing the personal information of your customers.
Do I Need to Nominate a Privacy Officer?
The APPs do not require APPs entities to appoint a privacy officer. Nor do they set out the scope within which a privacy officer must act. However, the Office of the Australian Information Commissioner (OAIC) has issued guidelines, setting out recommended practices and systems for APPs entities to ensure compliance with their obligations under the APPs.
One of the recommendations is for businesses to appoint a privacy officer, or multiple officers depending on the size of your business, so that your customers have someone to deal with when they want to:
- contact your business to ask questions about their personal information;
- access their personal information; and
- make complaints about any breach of the APPs by your business.
Having a privacy officer means your customers have a simple point of contact for concerns relating to privacy and compliance with the APPs.
What if My Business is Not an APPs Entity?
Even if your business is not an APPs entity, the OAIC recommends you appoint someone who is responsible for ensuring customers’ personal information is protected.
They do not have to be called a privacy officer, but they should specifically deal with issues relating to how the business handles the privacy of customers.
The Responsibilities of a Privacy Officer
A privacy officer should receive training before taking on the role. They should know what the APPs contain and what the business needs to do to comply with them.
A privacy officer may:
- conduct regular staff training on your business’ obligations under the APPs, including correct policies and processes for handling personal information;
- action any reasonable customer requests for personal information;
- maintain records of the personal information your business holds;
- handle any internal privacy issues; and
- respond to any data breaches that occur.
A privacy officer is not personally liable for whether the business complies with the APPs. Your business must ensure that it complies with its APPs obligations regardless of whether you nominate a privacy officer.
You do not need to nominate a privacy officer under Australian privacy law. However, it is recommended as best practice for your business, regardless of whether you are an APPs or non-APPs entity. This is because it shows that your business is committed to ensuring a culture of privacy compliance.