Who Should Be Your Privacy Officer?

Did you know that every organisation in New Zealand is required by law to have a Privacy Officer? That includes businesses of all sizes, public agencies, and not-for-profits — no one is exempt.

The Privacy Officer can be someone already in your organisation or a third-party specialist you bring in. What matters most is that they understand the role and are empowered to carry it out effectively.

Under the Privacy Act, a Privacy Officer is responsible for:

  • Knowing the privacy principles in the Act

  • Helping the organisation comply with those principles

  • Managing complaints about potential privacy breaches

  • Handling requests from individuals to access or correct their personal information

  • Acting as the main point of contact with the Office of the Privacy Commissioner.

Unlike some international frameworks, New Zealand’s Privacy Act doesn’t prescribe specific qualifications or where the role should sit in the organisational chart. But that doesn’t mean the placement is unimportant.

The Privacy Commissioner recommends that the Privacy Officer be “sufficiently senior to have influence, but not so senior that they don’t have operational oversight of the day-to-day duties of the privacy function.” That’s a helpful rule of thumb.

But there’s a strategic element too — where this role lives within your structure shapes how privacy is understood and prioritised across the business:

  • If the Privacy Officer sits in Legal, the approach may lean toward compliance and risk mitigation.

  • If the role is held in Customer Service, the lens may focus on trust and customer experience.

  • If it sits within People & Culture, privacy may be more tightly linked to the privacy of staff.

None of these are wrong — but each sets a tone. And that tone will influence how seriously privacy is taken across the organisation.

In our work with customers, we often see that organisations know they need a Privacy Officer but aren’t sure who it should be or how much time they should dedicate. There’s no “one-size-fits-all” answer: it depends on your organisation’s size, industry, and risk profile. But the role shouldn’t be a box-ticking exercise, because the Privacy Officer is key to building your organisation’s privacy culture.

Not sure where to start? The Office of the Privacy Commissioner has published some clear, practical guidance.

If you have any questions or want further information, please reach out to us at info@threeblackcats.co.nz
