
If your business deals with customers’ personal information, you are an ‘agency’ under the Privacy Act. This means that you must comply with New Zealand privacy law. The law imposes certain obligations on your business that dictate how you handle this personal information. One of those obligations is having someone who oversees this process in your business, known as a privacy officer. This person at your business or company is in charge of ensuring that you meet your privacy obligations. This article will explain:

  • the role of a privacy officer in your business; and 
  • why it is vital to have a privacy officer.

What Is a Privacy Officer?

A privacy officer deals with all matters privacy-related and oversees privacy law compliance.

For example, they manage how your business deals with customers’ personal data, including how you collect, store, use and share personal information.

Personal information is data that you can use to identify your customers as individuals. For example, this includes:

  • full names;
  • email addresses;
  • location data; and
  • payment details.

You have specific privacy law requirements covering how you handle each aspect of personal data collection, and a privacy officer at your business will make sure you are doing this appropriately. You should outline this in your business’ privacy policy.

For example, one of your obligations as an agency is to allow your customers to request what information you have on them. Your privacy officer would handle customer requests like this.

You are also responsible for reporting to the Privacy Commission any privacy breach that is likely to cause someone serious harm. If you fail to do so, you could face a fine of up to $10,000 and other serious legal consequences, depending on the nature of the breach.

A Privacy Officer’s Responsibilities

The law imposes various duties on the privacy officer at your business. For example, these responsibilities include:

  • having a general understanding of the Privacy Act and its principles;
  • ensuring your business complies with its privacy obligations;
  • dealing with customer complaints about privacy breaches;
  • handling customer information access requests relating to privacy;
  • liaising with the Privacy Commission; and
  • aiding the Privacy Commission in any investigations.

On top of these responsibilities, your privacy officer may do more general tasks that improve your business’ privacy and security. For example, these could include:

Staff Training

Training and educating staff about privacy in your business, covering topics like password protection and recognising potential privacy risks.

General Advice

Advising on the privacy ramifications of any structural changes at your business and other matters.

Developing Workplace Privacy Policies

Helping to develop your overall privacy policy and procedures within your business for protecting privacy.

Dealing With Privacy Breaches

Preventing privacy breaches and dealing with the aftermath of one.

Improving Privacy Security

Assessing risks at your business and remedying them. What this looks like depends on your business. For example, if you are online, a privacy officer would assess cybersecurity risks.

Who Should Be the Privacy Officer at My Business?

Anyone can be a privacy officer, and you do not need any special training or qualifications. However, you need to understand the Privacy Act and its principles and meet the duties listed above. Who the privacy officer is at your business will depend on your business’:

  • size;
  • industry; and
  • quantity of personal information handled.

For example, your online business might only have a small team of five or six people. However, if you deal with large amounts of customer personal information online, you need someone to handle the duties attached to managing that information.

Evaluate how much work a privacy officer would need to do at your business, and what that work would entail. Your options for choosing a privacy officer include:

  • adding privacy duties to an existing role, such as a manager who deals with general regulatory compliance;
  • having a small team dedicated to privacy matters, with a nominated privacy officer who liaises with the Privacy Commission;
  • assigning someone the sole duty of dealing with your business’ privacy matters; or
  • hiring an outside consultant to fulfil this role.

For example, if you run a franchise, it may be easier to have a third party act as a privacy officer for multiple businesses across your franchise.

The Privacy Commission has online modules you can complete if you are a privacy officer. Also, there are various privacy officer networks across the country with resources available to you.

Does My Business Need a Privacy Officer?

If you handle personal information as an agency, you must have a privacy officer. What this role looks like will depend on your business. However, as long as you have someone dedicated to privacy matters, you meet your requirements.

There are also many benefits to having a privacy officer. Meeting your privacy law obligations is an ongoing process and does not stop at writing up a privacy policy. Therefore, your privacy officer should continuously work to protect your customers’ privacy.

Key Takeaways

If your business is an agency that deals with customers’ personal information, you must have a privacy officer. This is someone who deals with privacy law compliance at your business and will handle any privacy breaches. If you would like more information or help with your privacy officer, contact LegalVision’s IT lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is a privacy officer?

A privacy officer is someone at your business who has the dedicated role of ensuring you comply with your privacy obligations and handle privacy breaches. This could be a specific person you hire or someone who adds privacy duties to their existing ones.

What does a privacy officer do?

A privacy officer needs to understand the Privacy Act and its principles. They will ensure that your business meets its responsibilities under that law and take steps to protect your customers’ privacy.

Do I need a privacy officer?

The law requires that you have someone as a dedicated privacy officer at your business. If you continuously fail to meet this obligation, you could be fined up to $10,000.

What is a breach of privacy?

A breach of privacy at your business is when an unauthorised person has handled your customers’ personal data in some way, or when something, such as a denial-of-service attack, prevents you from accessing that information.
