In a business context, privacy concerns how you collect, use, manage and protect your customers’ personal information. Handling that information properly is an important part of running your business and maintaining your customers’ trust when they deal with you. One practical way of meeting your obligations under Australian privacy law is to nominate a privacy officer. This article explains whether you need to nominate a privacy officer for your business and what the role entails.

Do You Need to Comply With the Australian Privacy Principles?

The Privacy Act 1988 (Cth), which contains the Australian Privacy Principles (APPs), regulates how personal information about individuals is handled. The APPs apply to certain entities in Australia, including:

  • entities with an annual turnover of more than $3 million, including charities and not-for-profit organisations;
  • health service providers, including gyms;
  • some small businesses, including businesses selling or purchasing personal information; and
  • entities that ‘opt-in’ and choose to comply with the APPs.

This list is not exhaustive, and other entities also need to comply with the APPs, so seek legal advice if you are unsure whether your business is covered. If your business is an APPs entity, it must meet certain obligations when collecting, storing and managing the personal information of your customers.

Do I Need to Nominate a Privacy Officer?

The APPs do not require APPs entities to appoint a privacy officer, nor do they define what a privacy officer must do. However, the Office of the Australian Information Commissioner (OAIC) has published guidance setting out recommended practices and systems that APPs entities can use to ensure they meet their obligations under the APPs.

One of those recommendations is to appoint a privacy officer, or several, depending on the size of your business.

If you are an APPs entity, you must have a clearly expressed and up-to-date privacy policy. Among other matters, the policy must set out how your customers can:

  • contact your business to ask questions about their personal information;
  • access and seek correction of their personal information; and
  • complain about a breach of the APPs by your business, and how such a complaint will be dealt with.

Having a privacy officer means your customers have a simple point of contact for concerns relating to privacy and compliance with the APPs.

What if My Business is Not an APPs Entity?

Even if your business is not an APPs entity, the OAIC recommends appointing someone who is responsible for ensuring that customers’ personal information is protected.

That person does not have to be called a privacy officer, but they should specifically deal with how the business handles customers’ personal information.

The Responsibilities of a Privacy Officer

A privacy officer should be trained before taking on the role: they should know what the APPs contain and what the business must do to comply with them.

A privacy officer may:

  • conduct regular staff training on your business’ obligations under the APPs, including the correct policies and processes for handling personal information;
  • handle complaints and questions from customers as they arise under your business’ privacy policy;
  • action reasonable customer requests to access or correct their personal information;
  • maintain records of the personal information your business holds;
  • handle any internal privacy issues; and
  • respond to any data breaches that occur, including assessing whether a breach must be notified to the OAIC and affected individuals under the Notifiable Data Breaches scheme in the Privacy Act.

A privacy officer is not personally liable for the business’ compliance with the APPs. Your business must comply with its APPs obligations regardless of whether you nominate a privacy officer.

Key Takeaways

Australian privacy law does not require you to nominate a privacy officer. However, it is recommended best practice whether or not your business is an APPs entity, because it demonstrates a commitment to a culture of privacy compliance.

It is also useful to have a single point of contact for customer complaints and concerns relating to your business’ privacy policy.

About LegalVision: LegalVision is a tech-driven, full-service commercial law firm that uses technology to deliver a faster, better quality and more cost-effective client experience.
Lauris De Clifford
