The governance structure linked in the act is that the deputy head is ultimately accountable, but the deputy head can create a delegated structure within his or her department that would include the necessary training and the other people who have authority, for example, to make determinations or advise internally on what is relevant.
I'm not sure whether you've met or will meet the Privacy Commissioner on this act, but he's already reviewing the act for exactly that kind of question. How does that internal governance structure work? Who has been trained to what level? How is it working for them to make sure it's up to the standard that he thinks is acceptable?