What is a DPO, and which organizations have to appoint one?
A Data Protection Officer (DPO) is a person in charge of verifying the compliance of personal data processing with the applicable law. The DPO communicates information on the processing of personal data, such as its purposes, interconnections, types, categories of data subjects, length of retention and the department(s) in charge of implementing the processing. DPOs may be required by law or recommended.
Australian employers are required to designate an individual, generally called a “Privacy Officer”, as the point of contact for privacy matters, including inquiries and formal complaints. The contact information for the Privacy Officer should be included within a policy.
Although there is no specific legal regulation requiring organizations to appoint a DPO, it may be recommended as a way to demonstrate compliance with the Australian Privacy Principles (APP 1) and Codes of Practice. According to the Principles, entities are expected to take reasonable steps to implement practices, systems and procedures and to manage personal data openly and transparently. Note that reasonable steps are in part determined by the entity’s size and resources.