Privacy Commissioner Marie Shroff answers some questions about what a privacy officer at a business is supposed to do.
KEY POINTS:
Who is the privacy officer at a business?
A privacy officer is the person who knows most about how to handle personal information, for example, client or employee records. He or she is the first point of contact when something crops up to do with personal information.
What does a privacy officer do at a workplace?
He or she knows the law on how to handle personal information; knows the business' current policies on how to handle personal information; can advise others in the business about handling personal information; and trains others if necessary. He or she also looks at proposals for new policies or procedures to see if they impact on privacy and gives advice to decision-makers; writes policies as required (such as on email monitoring or storage of information); is the first port of call for queries or complaints about how the business deals with personal information; and liaises with the Office of the Privacy Commissioner to get information, or to resolve a complaint.
Why have a privacy officer, and does a business have to have one?
Having a privacy officer means the business is more likely to deal well with information, which means clients and employees will trust that business and want to stay with it; avoid expensive mistakes apart from anything else - privacy breaches seriously damage a business's reputation; deal quickly and effectively with disputes that do occur - this saves time and money; and make it more likely the person affected will stay with the business. All businesses are required to have a privacy officer by law.
Does a business have to have a full-time privacy officer?
No. Few businesses are large enough for this to be feasible. Instead, the privacy officer is often the overall manager, the person who deals most with clients, the records administrator, or the person who deals with compliance.
What penalties are in place for failing to have a privacy officer, and is there support available?
There are no legal penalties for not having a privacy officer. Mistakes are more likely to happen without a privacy officer, so businesses often end up wishing they had one. The Office of the Privacy Commissioner provides training and information relevant to privacy officers. Its free inquiry line is 0800 803 909 - or 09 302 8655 in Auckland - and its website is www.privacy.org.nz. There is also an independent privacy officers' network (PORT), which meets regularly in Wellington, but whose members can assist privacy officers wherever they are. For PORT's contact details, call the Office of the Privacy Commissioner.
Are any businesses exempt from privacy rules, and what penalties are there for breaching privacy?
The Privacy Act encompasses all businesses, apart from the news media in relation to their news activities. MPs, the courts and some other bodies also have whole or partial exemptions. Apart from the potential damage to a business's reputation from a breach, there are formal penalties for breaching privacy. The Office of the Privacy Commissioner tries to resolve breaches of privacy by agreement between the parties. The commissioner can also issue an opinion, with her view of how the law applies. Unsettled complaints can go to the Human Rights Tribunal, which makes a formal, legally binding decision. It can award compensation for breaches. The highest award to date is $40,000.
What are the main privacy problems faced by businesses these days?
New technologies create opportunities for business, but some technologies can impact negatively on privacy if misused. It's important to identify where potential problems lie before the technology is installed.