Assign Privacy Officers

You must assign one or more individuals within your organization to develop, implement and maintain a privacy policy that suits your business and complies with the ten principles of privacy protection. This individual is commonly known as a "privacy officer."

What is a Privacy Officer?

A privacy officer is the first point of contact in your organization when privacy issues arise. He or she has the authority to intervene on privacy issues relating to any of your organization's operations. A privacy officer is responsible for:

  • Conducting a privacy audit and self-assessment
  • Developing a privacy policy
  • Implementing and maintaining a privacy policy
  • Managing privacy training 
  • Responding to requests for access to and correction of personal information
  • Working with the Information and Privacy Commissioner in the event of an investigation 

A privacy officer must also be familiar with the Personal Information Protection Act and the ten principles of privacy protection.

Why Have a Privacy Officer?

By law, all organizations must assign at least one privacy officer. The name of the privacy officer should be circulated within the organization and staff should be encouraged to discuss privacy issues with the officer. The title and contact information of each privacy officer must also be made available to the public.

Will One Privacy Officer be Enough? 

This depends on a number of factors such as:

  • The size of your organization
  • The structure of your organization (is it a single location or does it have multiple offices or branches?)
  • The amount of personal information your organization holds

An organization with a number of offices or a large amount of personal information might choose to assign a privacy officer in each location. However, an organization that holds very little personal information might find that one privacy officer is enough. 

A privacy officer can delegate his or her duties to another individual if the transfer of responsibility is formally documented.

Do I Need to Hire Extra Staff?

In most cases an existing staff member can take on the duties of a privacy officer. However, if the main business or activity of your organization involves the collection or use of personal information, then a dedicated, full-time position may be necessary.

What is the Privacy Officer's Role if a Complaint is Made to the Information and Privacy Commissioner?

Information and Privacy Commissioner receives a complaint regarding your organization’s personal information practices, your privacy officer may be contacted to provide information and assistance.