Role of a Privacy Officer
What does a Privacy Officer do?
The Code requires all Australian Government agencies (as defined by section 5 of the Code) to have a Privacy Officer. An agency may have more than one Privacy Officer.
A Privacy Officer is the first point of contact for advice on privacy matters in your agency and co-ordinates a range of functions to help their agency comply with the Code. However, it is ultimately your agency that is required to comply with the Code and the Privacy Act. Your agency is expected to provide you with the necessary resources, time and support to allow you to carry out your role effectively.
The Code sets out a list of the Privacy Officer functions that an agency must ensure are carried out. These functions will usually be performed by the Privacy Officer, but may also be performed by another person (or persons) in accordance with the existing processes or specific requirements of your agency. The Privacy Officer’s role may vary from agency to agency, depending on the agency’s privacy maturity level. The Privacy Officer functions required under the Code include:
- providing privacy advice internally. For example, you may give advice to your colleagues on:
  - the development of new initiatives that have a potential privacy impact
  - the general application of privacy law to the agency’s activities
  - what to consider when deciding whether or not to carry out a Privacy Impact Assessment
  - what safeguards to apply to mitigate any risks to the privacy of individuals
- liaising with the OAIC
- co-ordinating the handling of internal and external privacy enquiries, privacy complaints, and requests for access to, and correction of, personal information
- maintaining a record of your agency's personal information holdings
- assisting with the preparation of Privacy Impact Assessments
- measuring and documenting your agency’s performance against its privacy management plan.
In some agencies, Privacy Officers may have functions in addition to the Privacy Officer functions under the Code, such as delivering privacy training to agency staff, proactively monitoring compliance, or managing the agency’s response to data breaches.
What skills and knowledge should a Privacy Officer have?
You will need skills and knowledge in a range of areas to carry out your role effectively.
Most important will be an in-depth understanding of the Privacy Act and the Code, and the ability to translate these requirements into practice in your agency. You will also need to have an understanding of any other legislation that governs the way your agency handles personal information.
Other useful skills and knowledge include:
- the ability to understand your agency’s strategic priorities and key projects involving the use of personal information
- understanding the systems and processes your agency uses to handle personal information
- strong communication skills to speak with a wide range of stakeholders, including senior executives, staff from other areas such as legal, IT, security, project management teams, and the OAIC
- an understanding of privacy dispute resolution and complaint-handling methods and processes.
See the Privacy: the legislative framework page for information about your agency’s privacy obligations.
You can also look at the Resources, training and staying up-to-date page for information on how you can develop this knowledge and skill set.
Privacy: the legislative framework
You will need a solid understanding of the privacy legislative framework so that you can provide sound guidance and practically apply the requirements to your agency’s activities and functions.
This means you must be able to interpret and apply:
- the Privacy Act 1988 and the Australian Privacy Principles (APPs)
- the Australian Government Agencies Privacy Code
- any other legislation governing what your agency can and cannot do with personal information.
The good news is that there are plenty of resources to help you.
For a summary of all the APPs, you can refer to Australian Privacy Principles Quick Reference or Read the Australian Privacy Principles. The APP Guidelines provide more detail on how to interpret and comply with the APPs.
Our What Is Personal Information? guide takes you through factors to consider when determining whether information is personal information.
Our Privacy for government agencies page provides information about the Code and the supporting resources that are available to help your agency to comply. This includes the Privacy Code Checklist, which is a starting point in preparing agencies for the commencement of the Code.
The ‘Law’ section of our Privacy page includes information about the specific areas of law that are included in the coverage of the Privacy Act, as well as other Commonwealth privacy-related legislation (such as telecommunications, criminal records, data matching, and anti-money laundering legislation).
The OAIC is currently developing an e-learning program that will provide an overview of the privacy framework. This will be available prior to the commencement of the Code.
You can also contact our Enquiries line on 1300 363 992 or email us.
Maximising opportunities with data
Government agencies collect and generate a significant amount of information in the course of their activities. The OAIC acknowledges the importance of enabling access to this valuable information for a range of purposes in the public interest, including supporting the delivery of better government services and evidence-based policies, as well as more widely in stimulating innovation and economic prosperity.
We have a number of resources to help your agency to maximise the benefits of the data that you hold, while also safeguarding and protecting personal information.
De-identification can help you to maximise the value of data by allowing your agency to share or release information in ways that may not otherwise be permitted under the APPs. When done well, de-identification can be an important privacy-enhancing tool, which can help to build trust in your data governance practices.
The OAIC and CSIRO Data 61 have released the De-Identification Decision-Making Framework to assist agencies to de-identify their data effectively. The resource provides a comprehensive framework for approaching de-identification in a way that is consistent with the Privacy Act.
Our guide De-identification and the Privacy Act provides guidance on when de-identification may be appropriate, how to choose appropriate de-identification techniques, and how to assess the risk of re-identification.
Working with big data
Big data analytics have changed the way we identify trends and challenges, as well as identify opportunities. This means big data has the potential to bring about enormous social and economic benefits.
Our Guide to Data Analytics and the Australian Privacy Principles provides guidance about how the Australian Privacy Principles apply to data analytics and how these activities can be conducted while protecting personal information.
Government data as a national resource
See Open data quick wins — getting the most out of agency publications for steps your agency can take to ensure that information it publishes is converted to an open data format that supports reuse by others.
The Privacy Act recognises the strong public interest in the conduct of medical research, and provides a framework to facilitate data access arrangements for these research purposes. This framework includes guidelines made under section 95 of the Privacy Act, which allow personal information to be handled by agencies for medical research purposes without the consent of the individual, if a number of other requirements are also met.
The Guidelines under Section 95 of the Privacy Act 1988, have been issued by the National Health and Medical Research Council with the approval of the Privacy Commissioner. They outline requirements for the protection of privacy in the conduct of medical research.
Privacy enquiries, complaints, and requests for access and correction
One of the core Privacy Officer functions under the Australian Government Agencies Privacy Code is to ensure that internal and external privacy enquiries, complaints, and requests for access and correction are handled correctly. In practice, this means that you have a role in helping your agency to have clear policies and procedures for dealing with these enquiries, complaints, and requests.
It is particularly important for frontline staff who have contact with the public, such as receptionists or call centre staff, to be aware of these policies.
Having a strong privacy enquiries and complaint-handling framework in place allows your agency to resolve privacy matters quickly and effectively within your agency, without the need for formal intervention from the OAIC. By acting quickly to respond and resolve these matters, you can minimise any privacy impacts, avoid problems down the track, and enhance your agency’s reputation.
Handling privacy complaints
If a member of the public is concerned about the way your agency has handled their personal information, they will generally need to approach your agency in the first instance. You generally have 30 days to respond after you have received a privacy complaint.
Our guide Handling Privacy Complaints sets out a best practice approach to handling privacy complaints in your agency.
If the individual is not satisfied with your response or you aren’t able to resolve the matter, the individual can make a complaint to the OAIC. In this situation, we can make preliminary inquiries into the matter, and if appropriate, investigate and/or attempt to resolve the complaint by conciliation.
See the Working with the OAIC section for information about liaising with us when we have received a complaint against your agency.
Handling access and correction requests
Under APP 12, your agency must give individuals access to their personal information on request, unless an exception applies. Similarly, individuals can ask your agency to correct their personal information under APP 13. You must also correct personal information if you become aware that the personal information that you hold is incorrect.
Agencies must respond to requests for access and correction within 30 days.
As a Privacy Officer, you play a key role in helping your agency establish processes that enable agency staff to handle and process access and correction requests in a timely and efficient way, and to monitor these processes to ensure they are working well.
Access and correction and the Freedom of Information Act
The right to access under APP 12 and the right to correct under APP 13 operate alongside your agency’s obligations under the Freedom of Information Act 1982 (FOI Act). The FOI Act provides individuals with a right of access to documents held by most Australian Government agencies, including documents containing personal information.
The FOI Act procedures, criteria and review mechanisms differ in important respects from those under APP 12 and APP 13. Chapters 12 and 13 of the APP Guidelines outline these differences, including when it may be more appropriate to use one Act rather than the other.
You can also read Administrative access, for information on when it may be beneficial for agencies to release information outside the formal FOI process, and how agencies can set up an administrative access arrangement.
Further information about access to, and correction of, personal information is set out in Chapters 12 and 13 of our APP Guidelines.
Privacy management plans — reporting on performance
The Australian Government Agencies Privacy Code requires agencies to have a privacy management plan.
A privacy management plan is a strategic planning document in which your agency:
- identifies its privacy goals and targets
- sets out how it will meet its compliance obligations under APP 1.2.
Your agency must also measure and document its performance against its privacy management plan at least annually.
A good privacy management plan will help to embed an agency culture that respects privacy, and assist your agency to build a reputation for strong and effective privacy management. It implicitly promotes a privacy-by-design approach to ensure that privacy compliance is included in the design of information systems and practices from their inception. It can also provide an opportunity to improve productivity, develop more efficient processes, and manage both the risk of a privacy breach and your response should one occur.
Preparing the privacy management plan
Your agency is responsible for preparing its privacy management plan, and for determining the most appropriate officer(s) to develop the privacy management plan. Your agency’s Privacy Champion is responsible for reviewing and/or approving the privacy management plan.
You may be asked to help with the preparation of your agency’s privacy management plan. This will require an awareness of your agency’s privacy governance arrangements, strategic priorities, and personal information handling practices.
The OAIC has developed an Interactive Privacy Management Plan (PMP), a tool to assist agencies to assess the current state of their privacy practices and set privacy goals and targets. Visit our Interactive Privacy Management Plan (for agencies) page to download the Interactive PMP, read the companion guide Interactive PMP Explained, and watch the webinar for information about how to use this interactive template.
Measuring and documenting agency performance against the privacy management plan
Privacy Officers are responsible for measuring and documenting the agency’s performance against the privacy management plan at least annually. This involves reviewing the agency’s progress against the goals and targets set out in its privacy management plan. Our Privacy management plan template will assist you with this process.
This documented review against the privacy management plan will need to be reviewed and/or approved by the Privacy Champion.
Privacy impact assessments
A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising, or eliminating that impact.
While PIAs assess a project’s risk of non-compliance with privacy legislation and identify controls to mitigate the risk, a PIA is much more than a simple compliance check. It should ‘tell the full story’ of a project from a privacy perspective, going beyond compliance to also consider the broader privacy implications and risks, including whether the planned uses of personal information in the project will be acceptable to the community. PIAs are key to building community trust and have a range of other benefits, such as demystifying the project and its objectives.
Who should conduct a PIA?
Your agency is responsible for determining the most appropriate officer(s) to conduct its PIAs. For example, it may be that PIAs are conducted by the relevant officer working on the policy or project, or your agency may choose to centralise this function so that all PIAs are conducted by one team (for example a project management, privacy or governance team).
Your agency must also ensure that two Privacy Officer responsibilities under the Code are carried out in relation to PIAs:
- assisting project teams to prepare PIAs
- maintaining the agency’s register of PIAs.
Conducting a PIA
We have a number of resources to help you provide advice on PIAs, and assist in their preparation.
Our Guide to Undertaking Privacy Impact Assessments takes you through a ten-step process for undertaking a PIA. The Guide also has an accompanying PIA tool to help you conduct a PIA, report its findings and respond to recommendations. Entities are encouraged to take a flexible approach and adapt this tool to suit the size, complexity and risk level of their project.
The PIA e-learning program is based on the Guide, and provides information on conducting a PIA in an easy-to-understand format so that you can have the confidence to do a PIA in your agency. The e-learning also includes a worksheet so that you can start your own PIA as you work through the course.
From 1 July 2018, the Code will require agencies to conduct a PIA for all high privacy risk projects. A high privacy risk project is one that involves a new or changed way of handling personal information that is likely to have a significant impact on the privacy of individuals. We are currently developing a resource that will provide guidance on the PIA requirements in the Code, including how to determine whether a project is a high privacy risk project.
Keep an eye on this page or subscribe to our PPN newsletter to stay informed about when this resource is available.
The Code requires agencies to maintain a register of the PIAs that they conduct. Your agency must publish this register, or a version of the register, on its website.
The OAIC recommends that agencies consider publishing their PIA registers as part of the Information Publication Scheme.
What information should be included in the register?
Agencies should include information about all completed PIAs on their registers. As a minimum, the PIA register should include the title of your agency’s PIA. It may also be useful to include on the register a summary of the project, the team responsible for undertaking the PIA and the outcome of the PIA or project.
Can my agency publish a version of its PIA register?
The Code requires your agency to publish its PIA register, or a version of that register.
While we would generally expect your agency to list all the PIAs it has completed on its published register, the Code requirement recognises that in limited circumstances, it may not be appropriate to publish certain information (or occasionally, any information) about a particular PIA.
For example, it may not be appropriate to publish particular information where:
- the project has been discontinued or has not progressed
- publication would reveal personal information in a way that is not consistent with the APPs
- publication would reveal Cabinet material or other protected information
- publication would reveal information that is subject to legal professional privilege or another form of privilege
- publication would reveal information that the agency is not permitted to reveal under other relevant legislation, or because of other legal obligations — for example, where it would reveal commercially sensitive information in contravention of the terms of a contract the agency is a party to.
In most cases, the OAIC would still expect the agency to publish the title of the PIA, even if it considers that other details on the register, or the PIA itself, would not be appropriate for general publication.
As with other documents your agency holds, a person has a legally enforceable right under the Freedom of Information Act 1982 to request access to a particular PIA listed on the register.
Under the Freedom of Information Act, agencies are required to publish information that has been released in response to an FOI request. The information must be published in a disclosure log within 10 working days of giving the FOI applicant access to the information, unless it would be unreasonable to publish the information.
Agencies may consider publishing individual PIAs as part of the Information Publication Scheme. Proactive publication promotes the principles of open government information and reduces the resources required by agencies to deal with requests for access.
Further information on the Information Publication Scheme and the Disclosure Log requirements under the Freedom of Information Act is available at:
- Information Publication Scheme
- FOI Guidelines, Part 13 – Information Publication Scheme
- FOI Guidelines, Part 14 – Disclosure Log
- Information Publication Scheme (IPS) and Disclosure Log
- Information Publication Scheme and disclosure log determinations policy and procedure
Where should my agency publish the register?
What is the expected timeframe for adding a PIA to the register?
You should add PIAs to the public register as soon as practical after the PIA has been completed. As a guide, we would generally expect the PIA register to be updated at least twice a year.
How long should PIA register information be made available for?
A PIA should remain on the register for as long as the agency retains records of the particular project. It is likely that the register will grow in length over time and provide an historical as well as current record of PIAs conducted under the Code.
Does the requirement to maintain a PIA register operate retrospectively?
No. The PIA register just needs to include the PIAs that your agency has completed since 1 July 2018, when the Code commences. You may wish to include previous PIAs on the register to increase transparency of current or past projects, however, this is not a requirement of the Code.
Privacy policies and notices
Privacy policies and notices are key tools to ensure that your agency is being open and transparent about the way it manages the personal information that it holds. Privacy policies and notices should be clear and easy to read, so that individuals who deal with your agency are able to understand exactly why your agency is collecting their information, and how your agency will handle their information.
When an agency collects personal information about an individual, it must take reasonable steps to notify the individual of certain matters, or to ensure the individual is aware of those matters.
The matters that must be included in your agency’s collection notices are set out in APP 5 and include the fact that personal information will be collected, the circumstances of the collection, and the purposes of collection. Your agency must take reasonable steps to notify individuals of the collection before, or at the time, it collects their personal information. If this is not practical, reasonable steps must be taken to notify as soon as practical after collection.
Chapter 5 of the APP Guidelines sets out the matters that need to be included in your agency’s privacy notices, and other requirements of APP 5.
Reviewing and updating privacy policies and notices
The Australian Government Agencies Privacy Code requires your agency to regularly review and update its privacy practices, procedures and systems. The review must include privacy policies and privacy notices, to ensure that they reflect your agency’s current personal information handling practices.
Tips for effective privacy policies and notices
Below are some tips for developing effective privacy policies and notices:
- Consult. Seek input from all areas of your agency, including your public relations department, which may have ideas about innovative formats for better communicating the policy, for example, through video or other mechanisms relevant to the communication channel (paper, telephone, email, online) that you are using.
- Focus on what is important to the reader. Do not try to cover everything in minute detail.
- Keep it simple. Use simple language and test readability in content and format against external standards such as the Flesch-Kincaid grade level.
- Take a layered and dynamic approach. Where possible, privacy policies and notices should be multi-layered and user-centric to assist with readability and navigability. You should also consider the timing of notices to ensure information is given in context, at the right time, in a way that is easy to read.
Data breaches
Agencies must take reasonable steps to protect the personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure. Those reasonable steps may include the preparation and implementation of a data breach response plan.
You should also familiarise yourself with the mandatory requirements of the Notifiable Data Breaches scheme (NDB scheme), and in particular the definition of eligible data breach, which came into force on 22 February 2018 (new Part IIIC of the Privacy Act — Notification of eligible data breaches).
Your role in preparing and responding to a data breach
As a Privacy Officer, you may need to help to ensure that agency staff are familiar with the data breach response plan and the actions that they need to take to respond to a data breach, and provide advice and support to staff and the agency’s executive should a data breach incident occur. You will also need to serve as the liaison point between your agency and the OAIC in the event of a data breach.
Why is a data breach response plan important?
All agencies should have a data breach response plan. Your actions in the first 24 hours after discovering a data breach are often crucial to the success of your response. A quick response can substantially decrease the impact on affected individuals, protect your agency’s reputation and meet your legal obligations, deal with adverse media or stakeholder attention, and instil public confidence in your agency’s capacity to protect personal information.
The OAIC has developed detailed guidance to assist agencies in meeting their obligations under the NDB scheme, available at www.oaic.gov.au/ndb.
Our Data Breach Preparation and Response guide will also help you develop a best practice data breach response plan, and provides detailed guidance about how to respond to a data breach if one occurs.
Maintaining a record of personal information holdings
The Australian Government Agencies Privacy Code requires agencies to keep a centralised record of the type of personal information they hold. It is the Privacy Officer’s role to maintain this record.
Maintaining an accurate and appropriately detailed record of your personal information holdings will assist you to:
- ensure that your personal information security measures are comprehensive
- understand how your agency can use and disclose the personal information it collects
- easily respond to requests to access or correct personal information
- keep your privacy practices, procedures and systems up-to-date
- assess any inherent risks involved in the personal information that your agency holds, and the way it is handled.
What type of information should be included in the record of personal information holdings?
Developing a record of personal information holdings will involve robust information asset management. The record may include:
- the type of personal information
- whether the information constitutes sensitive information
- the purpose for which the information was collected
- the legal authority under which the information was collected
- how and where the personal information is stored (including whether it is stored overseas, with a cloud service provider, or other third party)
- who is authorised to access the information
- how long the information will be retained and when the information will be de-identified or destroyed.
The record of personal information holdings should generally not include any personal information within it, but rather, should describe the type of information, where it is kept and risks associated with that information.
The record of personal information holdings can be in any format, for example a list or register in a Word document, an Excel spreadsheet, a separate database, or a system or solution with the capability to quickly retrieve information about your agency’s personal information holdings.
Collating, reviewing and publishing the record of personal information holdings
In practice, you will be creating this record of personal information holdings based on information provided to you by the various areas in your agency responsible for the management of personal information. Your current records management processes for retention and destruction of records and security classification of records may also assist you in identifying your personal information holdings.
You should regularly review and update your record to ensure that it reflects your current personal information holdings, in order to support effective privacy governance practices within your agency.
There is no requirement in the Code to publish your agency’s record of personal information holdings. The record is intended to assist your agency with its privacy governance, rather than replicate the transparency objectives of APP 1 or APP 5.
As with other documents your agency holds, a person has a legally enforceable right under the Freedom of Information Act 1982 (Cth) to request access to an agency’s record of personal information holdings. Agencies may consider publishing their record of personal information holdings as part of the Information Publication Scheme. Proactive publication promotes the principles of open government information and reduces the resources required by agencies to deal with requests for access.
Where an agency provides access to the record of personal information holdings under the Freedom of Information Act, the agency will need to consider whether this information should be published in the agency’s disclosure log.
Working with the OAIC
Your agency is required to provide the contact details of a Privacy Officer to the OAIC. Your agency can notify us about your appointment via email.
If your agency has provided your contact details, you will likely serve as the liaison person for your agency with the OAIC. As a Privacy Officer you can seek the OAIC’s advice in relation to privacy issues affecting your agency, and you may be required to work with us where we are taking, or considering taking, regulatory action. We may contact you to provide updates on our tools and resources, privacy news, or in relation to a privacy issue or complaint involving your agency.
Seeking advice from the OAIC
Where possible, the OAIC responds to agency requests for advice on matters with significant privacy implications. You can seek the OAIC’s privacy expertise and advice on your agency’s obligations under the Privacy Act, including on new policy proposals or changes to existing activities, cabinet submissions and draft legislation where these may have a significant impact on the privacy of individuals.
OAIC investigations and assessments
An individual can make a complaint to the OAIC if they consider that their privacy has been interfered with. Where the OAIC receives a complaint, the Information Commissioner can make preliminary inquiries into the matter, investigate and/or attempt to resolve the complaint by conciliation. The Commissioner also has the power to investigate without a complaint, if the matter involves a suspected interference with the privacy of an individual and the Commissioner considers it desirable to investigate. Our preferred regulatory approach is to work with your agency to facilitate legal compliance and best privacy practice.
The Commissioner also has the power to conduct assessments of an agency’s privacy practices, to determine whether it is maintaining and handling personal information in accordance with the APPs. These assessments may be conducted at any time. The OAIC sees these assessments as one way of working with your agency to ensure that you are meeting your privacy obligations and to encourage you to adopt best privacy practice standards.
For more detail about OAIC’s regulatory powers and our approach to using them, see our Privacy Regulatory Action Policy.
Notifying the OAIC of data breaches
If your agency experiences a data breach that poses a likely risk of serious harm to an individual, or individuals, you should notify the OAIC and affected individuals. See the Data breach section for information and resources to help you provide advice on preparing for and responding to a data breach.
The Notifiable Data Breaches scheme commenced on 22 February 2018, and requires agencies and organisations covered by the Privacy Act to notify our office in certain circumstances. See our page on the Notifiable Data Breaches scheme.
See Contact us for information on how to get in contact with the OAIC.
Resources, training and staying up to date
It’s important for Privacy Officers to keep up to date with changes in law and technology, attend training, and connect with Privacy Officers from other agencies to share experiences and best practice.
Privacy Professionals Network
The OAIC’s Privacy Professionals Network (PPN) is for public and private sector privacy professionals.
The OAIC holds regular events for PPN members, where you will have the opportunity to hear from experts, raise issues or questions with the OAIC, and network with other members. When you sign up to the PPN mailing list, we will keep you up to date on the latest privacy news and information.
Become a member of the OAIC’s PPN to receive regular updates on the development of privacy resources and events held by the office.
Visit the Networks page on our website to join, or find out more information.
Education and training
We have developed a training program to help Privacy Officers build their skills and feel confident when performing their role.
Join our Privacy Professionals Network to receive alerts about upcoming Privacy Officer training sessions.
The OAIC also has a number of education and training resources on our website, including webinars and a Privacy Impact Assessment e-learning program. We also have two videos that outline why privacy is important for the Australian Public Service, and for policy developers and project managers.
We have released a Privacy in Practice e-learning program for Australian Government agency staff who handle personal information in their day-to-day work.
As well as using these resources yourself, you may wish to share them with your colleagues, add them to your agency induction programs, or publish them on your intranet.
Privacy Awareness Week
Privacy Awareness Week (PAW) is an annual initiative of the Asia Pacific Privacy Authorities (APPA) forum, and is held every year to promote and raise awareness of privacy issues and the importance of protecting personal information.
Sign your agency up as a supporter to be the first to hear about the next PAW.
- The Privacy Code Checklist
- Video: Privacy in the Australian Public Service
- Video: Privacy for Policy Developers and Project Managers
- e-learning: Undertaking a privacy impact assessment
- e-learning: Privacy in Practice
- Coming soon: Privacy Impact Assessments for high-risk projects
- Coming soon: Privacy Management Plan Template
Other useful resources
- APP Guidelines
- What Is Personal Information?
- Guide to Securing Personal Information
- Data Breach Preparation and Response
- Guide to Undertaking Privacy Impact Assessments
- e-learning: Privacy in Practice
- e-learning: Undertaking a Privacy Impact Assessment
- Handling privacy complaints
- De-Identification Decision-Making Framework
- De-identification and the Privacy Act
- Guide to Data Analytics and the Australian Privacy Principles
This section contains answers to some frequently asked questions about Privacy Officers.
Is the Privacy Officer personally responsible for non-compliance with the Australian Government Agencies Privacy Code?
No. It is your agency that is required to comply with the Code and the Privacy Act. Your agency is expected to provide you with the necessary resources, time and support to allow you to carry out your role effectively.
What is the difference between a Privacy Officer and a Privacy Champion?
The Privacy Officer’s role is to engage in operationally focused privacy matters (see the Role of a Privacy Officer page for detailed information about the functions of the Privacy Officer that are set out in the Code).
A Privacy Champion is a senior official within the agency who has strategic oversight of privacy issues and drives cultural change within the agency. The Privacy Champion is also responsible for:
- approving the agency’s privacy management plan
- approving the documented reviews of the agency’s progress against the privacy management plan
- providing regular reports to the agency’s executive about any privacy issues arising from the agency’s handling of personal information.
The Code sets out a list of the Privacy Officer and Privacy Champion functions that an agency must ensure are carried out. These functions may be performed by the Privacy Officer and Privacy Champion respectively, but may also be performed by another person (or persons) in accordance with the existing processes or specific requirements of your agency.
An agency's Privacy Officer may also be its Privacy Champion.
Can there be a single Privacy Officer for several agencies?
Yes. The Code allows an agency to designate a person from another agency as its Privacy Officer, for example, the Privacy Officer of another agency in the same portfolio.
To fulfil your agency’s obligations under the Code, the Privacy Officer should have the skills, knowledge and experience necessary to undertake the functions effectively. This means that an Officer located in another agency would need to have sufficient knowledge and understanding of your agency’s functions, activities and privacy practices, and would need to be easily accessible to all areas of the agency and to the OAIC.
Can there be more than one Privacy Officer?
Yes. Depending on its size, functions and structure, your agency may decide to appoint more than one Privacy Officer.
Where multiple Privacy Officers are appointed, the internal structure of the team and the responsibilities of each of its members should be clearly defined to ensure that all of the Privacy Officer functions outlined in the Australian Government Agencies Privacy Code are being carried out.
Your agency may wish to appoint a lead Privacy Officer to coordinate or supervise the team of individuals carrying out the Privacy Officer functions. This person would also serve as the central point of contact for line areas and the OAIC.
Do I need to put processes in place to ensure my agency’s contractors and suppliers comply with the Code?
No. The Code does not apply to entities that are not agencies.