The Privacy (Australian Government Agencies – Governance) APP Code 2017, or the Australian Government Agencies Privacy Code as it may also be cited (Code), requires all Australian Government agencies (as defined by s 5 of the Code) to have a Privacy Officer. An agency may have more than one Privacy Officer.
The Office of the Australian Information Commissioner (OAIC) has a Chief Privacy Officer (CPO). Lawyers, including senior lawyers and the Director of the Legal Services team, comprise the OAIC’s Privacy Officers.
Agencies must also have a Privacy Champion under the Code. An agency’s designated Privacy Officer may also be its designated Privacy Champion. Within the OAIC, the agency’s Deputy Commissioner is designated as the Privacy Champion. The OAIC’s General Counsel is designated as the Chief Privacy Officer.
What does the Privacy Champion do?
The Privacy Champion must be a senior official within the agency, which must ensure that the following Privacy Champion functions are carried out:
- Promoting a culture of privacy within the agency that values and protects personal information
- Providing leadership within the agency on broader strategic privacy issues
- Reviewing and/or approving the agency’s privacy management plan, and documented reviews of the agency’s progress against the privacy management plan
- Providing regular reports to the agency’s executive, including about any privacy issues arising from the agency’s handling of personal information.
What do the Privacy Officers, including the Chief Privacy Officer, do?
Within the OAIC, the CPO is the primary point of contact for advice on privacy matters and co-ordinates a range of functions to help the agency comply with the Code. However, it is ultimately the OAIC, as an agency, that is required to comply with the Code and the Privacy Act. The OAIC is expected to provide the CPO and its Privacy Officers with the resources, time and support they need to carry out their role effectively.
The Code sets out a list of the Privacy Officer functions that the OAIC must ensure are carried out. These functions will usually be performed by the CPO and the Privacy Officers but may also be performed by another person (or persons) in accordance with the existing processes or specific requirements of the agency.
The Privacy Officer functions required under the Code include:
- Providing privacy advice internally. The CPO, for example, may give advice to colleagues on:
  - the development of new initiatives that have a potential privacy impact
  - the general application of privacy law to the agency’s activities
  - what to consider when deciding whether to carry out a privacy impact assessment (PIA)
  - what safeguards to apply to mitigate any risks to the privacy of individuals
- Liaising with the Executive and the agency at large about privacy matters within the OAIC, and about how best to undertake the range of functions that help the agency comply with the Code.
- Coordinating the handling of internal and external privacy enquiries, privacy complaints about the OAIC as an agency, and providing advice on requests for access to, and correction of, personal information. On receipt of a privacy enquiry or complaint, the CPO will talk to the manager and/or officer relevant to the enquiry or complaint. The CPO will generally refer privacy complaints to the Privacy Officers to assist with management of the complaint.
- Maintaining a record of the OAIC’s personal information holdings
- Assisting with the preparation of PIAs, which are required for all high privacy risk projects
- Measuring and documenting the OAIC’s performance against its privacy management plan.
The CPO and Privacy Officers have additional functions including delivering privacy training to agency staff, proactively monitoring compliance, and managing the OAIC’s response to data breaches.
What skills and knowledge should the OAIC’s Chief Privacy Officer and Privacy Officers have?
The Privacy Officers, including the CPO, need skills and knowledge in a range of areas to carry out their role effectively. Most important will be an in-depth understanding of the Privacy Act and the Code, and the ability to translate these requirements into practice in the OAIC. The CPO and Privacy Officers will also need to have an understanding of any other legislation that governs the way the OAIC handles personal information.
Other useful skills and knowledge include:
- the ability to understand the OAIC’s strategic priorities and key projects involving the use of personal information
- understanding the systems and processes the OAIC uses to handle personal information
- strong communication skills to speak with a wide range of stakeholders, including senior executives, staff from other areas such as legal, IT, security, project management teams, and dispute resolution teams
- an understanding of privacy dispute resolution and complaint-handling methods and processes.
This document will be reviewed on an annual basis.