The Role of the Privacy Officer
Appointing a privacy officer is key to achieving good privacy governance. The role is one of several privacy practices that, within a Privacy Management Framework, help to embed a culture of privacy across the organisation.
As the privacy officer, you play a major role in ensuring that your organisation protects privacy. In short, you are the go-to contact for advice on privacy matters big and small in your organisation.
But while you may be the face (and brains) of privacy at your workplace, your organisation should enable and empower you to succeed in your role by providing you with adequate resources, time, and authority. After all, it is ultimately your organisation that has obligations to comply with privacy law.
What does a privacy officer do?
The day-to-day role of Victorian Public Sector (VPS) privacy officers will differ depending on your organisation's size and structure. However, as a privacy officer, you are likely to be responsible for many of the following:
Advice and support
- Providing internal privacy advice. This may be about upcoming projects involving the handling of personal information, or in response to ad hoc enquiries from your colleagues about how they should handle personal information.
- Assisting colleagues with the completion of privacy impact assessments for proposed initiatives involving the handling of personal information.
- Coordinating your organisation's response to suspected or confirmed data breaches.
Strategic initiatives
- Developing and maintaining (or assisting in the development and maintenance of) a record of the personal information your organisation holds and how it is secured. This may take the form of an information asset register (IAR).
- Completing or coordinating privacy audits or other assurance activities at your organisation to check that it is meeting its privacy obligations.
- Drafting or reviewing privacy documentation, such as privacy policies and collection notices.
- Reviewing existing or proposed arrangements with contracted service providers (CSPs) and providing recommendations to clarify privacy responsibilities.
- Identifying opportunities to improve privacy practices at your organisation.
- Coordinating privacy training and other activities that promote privacy awareness among staff at your organisation.
Being the face of privacy for your organisation
- Responding, or assisting your organisation to respond, to queries from members of the public about your organisation's privacy practices.
- Handling privacy complaints that your organisation receives directly. This may include investigating whether your organisation has interfered with someone's privacy and trying to resolve the complaint.
- Liaising with OVIC (and other relevant privacy regulators, such as the HCC and OAIC) about data breach notifications, privacy complaints or significant projects.
- Assessing whether requests from other organisations to share personal information that your organisation holds are permitted under privacy law.
To assist you to prioritise privacy tasks for your organisation, OVIC has developed a Privacy Management Checklist, as part of a broader Privacy Management Framework. OVIC recommends that this checklist be completed annually by the organisation’s privacy officer and endorsed by the organisation’s executive.
Skills and qualifications
There is no prescribed academic or working background required to be a privacy officer. However, as an effective privacy officer, you will need to have a range of ‘hard’ and ‘soft’ skills.
By hard skills, we mean skills that can be taught and easily measured such as:
- understanding and applying privacy laws and other legislation and guidance material relevant to the handling of information by your organisation (for example, the Public Records Act 1973 (Vic));
- understanding your organisation’s operating environment, policies, strategic objectives, and risk profile;
- implementing complaints handling and dispute resolution processes.
However, it is equally important to possess ‘soft’ skills to be effective in the role. These are qualities and traits like the following:
- Building and maintaining relationships: the ability to develop and manage relationships with internal stakeholders and members of the public is critical to your success as a privacy officer. A large part of your role is engaging with colleagues (including by encouraging them to seek your input) and with members of the public. Engendering trust and confidence in your advice, persuading others to your view and fostering agreement are at the heart of the role.
- Ability to communicate effectively: your role is rooted in legislation that is not always accessible to, or understood by, the people you are advising. You should be able to communicate complex legal messages in clear, plain English, with empathy and understanding for the person receiving your advice.
- Willingness for continuous improvement: given that laws change, new guidance material is published, and the work of your organisation will evolve, you must be comfortable with learning. This includes monitoring the OVIC website and other relevant channels to see what is new and to ensure that your organisation is keeping up with best practice.
Resources
Privacy Management Checklist for privacy officers
Privacy Management Framework for organisations