The Privacy (Australian Government Agencies – Governance) APP Code 2017, or the Australian Government Agencies Privacy Code (the Code), requires all Australian Government agencies (as defined by s 5 of the Code) to have a Privacy Champion and Privacy Officer. An agency may have more than one Privacy Officer.
Who are the OAIC’s Privacy Champion, Chief Privacy Officer and Privacy Officers
Within the Office of the Australian Information Commissioner (OAIC), the Executive Manager, Information Rights is designated as the Privacy Champion.
The OAIC has a Chief Privacy Officer (CPO) designated as the General Manager, Enabling Services Branch.
Under oversight from the CPO, team members within Governance, Risk and Compliance (FOI/Privacy) are also OAIC Privacy Officers and carry out Privacy Officer functions as stated in the Code.
What does the Privacy Champion do
The Privacy Champion must be a senior official within the agency. The agency must ensure that the following Privacy Champion functions are carried out:
- Promoting a culture of privacy within the agency that values and protects personal information
- Providing leadership within the agency on broader strategic privacy issues
- Reviewing and/or approving the agency’s privacy management plan, and documented reviews of the agency’s progress against the privacy management plan
- Providing regular reports to the agency’s executive, including about any privacy issues arising from the agency’s handling of personal information.
What do the Privacy Officers, including the Chief Privacy Officer, do
Within the OAIC the CPO is the primary point of contact for advice on privacy matters and co-ordinates a range of functions to help the agency comply with the Code.
The Code sets out a list of the Privacy Officer functions that the OAIC must ensure are carried out. These functions will usually be performed by the CPO and the Privacy Officers but may also be performed by another person (or persons) in accordance with the existing processes or specific requirements of the agency.
The Privacy Officer functions required under the Code include:
- Providing privacy advice internally. The CPO, for example, may give advice to colleagues on:
  - the development of new initiatives that have a potential privacy impact
  - the general application of privacy law to the agency’s activities
  - what to consider when deciding whether to carry out a privacy impact assessment (PIA)
  - what safeguards to apply to mitigate any risks to the privacy of individuals
- Liaising with the Executive and the agency at large about privacy matters in the OAIC and how to best undertake a range of functions to help the agency comply with the Code.
- Coordinating the handling of internal and external privacy enquiries and of privacy complaints about the OAIC as an agency, and providing advice on requests for access to, and correction of, personal information. The Privacy Officers generally assist with the management of complaints.
- Maintaining a record of the OAIC’s personal information holdings
- Assisting with the preparation of PIAs, which are required for all high privacy risk projects, and maintaining the OAIC’s register of PIAs
- Measuring and documenting the OAIC’s performance against its privacy management plan.
The CPO and Privacy Officers have additional functions, including coordinating privacy training for agency staff, proactively monitoring compliance, and managing the OAIC’s response to agency data breaches.
Review
This document will be reviewed on an annual basis.