How to comply
All agencies must have a "privacy officer"
Section 23 of the Privacy Act states that all agencies must have at least one privacy officer - a person in the agency who knows about privacy. So this is the law.
But there's no penalty for failing to have a privacy officer. So why should an agency bother?
Good privacy builds trust with clients and employees. It also enhances an agency's reputation. Good privacy is good business whatever the business is. So an internal privacy adviser, who is familiar with the business as well as with privacy law, can add value to the agency's business.
A privacy officer can prevent problems from arising. This can save expense, or lost business, further down the line.
If someone complains that the agency has breached their privacy, the privacy officer can handle things quickly and effectively. This is particularly important if the agency wants to have, or needs to have, an ongoing relationship with the person (for example, if they are a client or an employee). Again, this can save money and time.
Of course, people can complain to the Privacy Commissioner. But we always try to get people to resolve things with the agency first. And we usually advise people to ask for the privacy officer!
So having a privacy officer is useful for agencies, as well as being required by law.
What does a privacy officer do?
A privacy officer:
- is familiar with the privacy principles in the Privacy Act
- is familiar with any other legislation governing what the agency can and cannot do with personal information
- deals with any complaints from the agency's clients about possible breaches of privacy
- trains other staff at the agency to deal with privacy properly
- advises managers on how to ensure the agency's business practices comply with privacy requirements
- advises managers on the privacy impacts (if any) of changes to the agency's business practices
- advises managers if improving privacy practices might improve the business
- deals with requests for access to personal information, or correction of personal information
- acts as a liaison person for the agency with the Privacy Commissioner. (This is particularly important if the Privacy Commissioner is investigating whether the agency has breached privacy.)
Who should be the privacy officer?
This depends on the size of the agency, what it does, and what personal information it handles.
- In a small agency, such as a small business, the overall manager will usually be responsible for all legal compliance, including privacy.
- Or an existing staff member might be asked to advise the manager or managers on privacy issues.
- Often, a person responsible for human resource matters will also take on the privacy officer job.
- If the agency has an in-house lawyer, that person is sometimes the privacy officer.
- In large agencies, or agencies which handle a lot of personal information, there may be a need for one or more employees focusing exclusively on privacy matters.
It does not matter who the privacy officer is. But it is important for managers in the agency to take the privacy officer's advice seriously.
Training and help for privacy officers
- We offer online privacy training covering privacy and health. The training is free and can be carried out at a time and pace to suit the participant. Further information is available here.
- If you are interested in privacy workshops, email firstname.lastname@example.org.
- Our enquiries staff can answer general questions about how the legislation works (call 3028680 from Auckland, or 0800 803 909 from outside Auckland). We cannot provide legal advice on particular problems, but we may be able to suggest someone who can help.
- There is an active network in the Auckland, Wellington and Christchurch regions run by privacy officers for privacy officers. This network - the Privacy Officers' Round Table, or "PORT" - meets regularly. It has members from private sector agencies as well as government agencies. Further information is available here.
- Privacy officers from all the District Health Boards also run a network, with meetings three times a year in Wellington. Again, for details about the contact person, call our enquiries staff.
- Privacy officers in other regions may benefit from setting up a local network similar to PORT, or the DHB privacy officers' network. We are happy to assist in establishing privacy officer networks.