The privacy officer should be a responsible and practical person, familiar with the principles in the Privacy Act, who will work to make sure the organisation complies with the Act. The officer’s role will include being contacted about and responding to privacy breaches and raising awareness about privacy among staff, volunteers, and congregations.
Appointing a privacy officer
Each ministry unit should designate a privacy officer to raise awareness about privacy among staff and volunteers, ensure compliance with the Act, facilitate training, and manage all privacy breaches. More details about the role can be found here.
Privacy training
It is highly recommended that all key personnel complete introductory training in privacy matters. The Office of the Privacy Commissioner (OPC) has many training modules available on its website. These can be completed individually by creating a student profile and ‘enrolling’. Alternatively, if group learning is preferred, your privacy officer can enrol and take a group through the modules together by sharing a screen on Zoom or casting to a shared screen.
The three suggested introductory modules are:
The privacy officer should also complete further training modules, so they have a full understanding of what is required. Other suggested modules include: Privacy 101, A guide to privacy impact assessments, Introduction to credit reporting, and Employment and privacy.
We suggest that your governing body runs a brainstorming session to discuss how to prevent privacy breaches by understanding how personal information is managed and used in your ministry unit. Where you identify potential breaches, you may need to change and improve your systems. Topics to consider include:
To keep the Privacy Act 2020 obligations front of mind when securing personal information, refer to the PADLOCK system.
Read more about preventing privacy breaches on the OPC website here.
Managing privacy breaches
If you have a privacy breach, use the Office of the Privacy Commissioner’s NotifyUs tool to
Notifiable breaches must be reported to the OPC. You can also contact the OPC about how best to manage your breach, whether notifiable or not.
Privacy Breach Register
One of the responsibilities under the Act is to keep a breach register to track and manage all instances of privacy breaches, whether notifiable or not. If a privacy breach occurs, your privacy officer can advise management on appropriate actions to take and update the register. You should also inform the Diocesan Office’s Privacy Officer (the Diocesan Manager) about any breaches.