2018 GPEN Sweep: The good, the bad and the takeaway
Every year, the Global Privacy Enforcement Network (GPEN) coordinates a ‘Sweep’, where data protection and privacy regulators around the world analyse the privacy practices of some of their local organisations.
In 2018 a Sweep was conducted by GPEN members on the theme of privacy accountability. The aim was to consider how well organisations had implemented the concept of privacy accountability into their own internal programs and policies.
OVIC participated in this Sweep by contacting a random selection of 32 public sector entities listed on the Victorian Public Sector Commission website. OVIC sent out a short questionnaire to these selected entities, asking them to self-assess their privacy practices over 12 questions.
Here are some of our findings in comparison to the global Sweep results.
The good
- Every organisation that responded indicated that they had a security and/or privacy policy, most of which were publicly available. In Victoria we outperformed our international counterparts in this regard; internationally, 9% of organisations had no privacy policies at all.
- All Victorian organisations had at least one person acting as a privacy officer, responsible for privacy governance and management. Victoria also did better than average here, with 6% of global organisations lacking a privacy officer or equivalent.
The bad
- A lower-than-average proportion of organisations responded to OVIC’s questionnaire. While 53% of organisations around the world responded to this Sweep, only 37.5% of Victorian organisations did.
- Only 50% of the surveyed Victorian organisations had a formal self-assessment or audit process in place, whereas 74% of international organisations had such a process.
- 52% of global organisations indicated that they have a documented incident response plan. OVIC found that only 25% of the responding Victorian organisations had one.
The takeaway
Victorian public sector organisations have a good baseline for privacy accountability, with every organisation that responded to this Sweep having both a privacy policy and privacy officer. However, there is room for improvement here. Not all privacy policies were publicly available and some would benefit from a review to bring them up to date.
While it is great that every organisation had someone responsible for privacy, a culture of privacy accountability across all employees would be even better. Organisations should consider providing refresher privacy training for all employees, not just during employee induction.
Organisations that want to become even better at privacy should consider implementing an incident response plan, self-assessment or audit process, and an information asset register.
OVIC’s full report on the 2018 GPEN Sweep is available here.
GPEN’s international report on the Sweep is available here. This report collates the results of each participating privacy authority around the world.
A media release by GPEN on the Sweep is available here.
OVIC would like to extend its thanks to all the Victorian public sector organisations that participated in this year’s Sweep.