PAW blog series 2019: Good privacy governance – what does it mean?
Embedding a culture of respect for privacy and personal information across an organisation starts with good privacy governance, which is the basis for ensuring organisations have robust and effective privacy management practices. This is essential for building the public’s trust and confidence in the way government handles everyone’s personal information.
This year’s theme for PAW, ‘Protecting privacy is everyone’s responsibility’, highlights that everyone in an organisation has a role to play in protecting privacy and in shaping the organisation’s privacy management practices. It is not just the responsibility of a select few within an organisation.
What does it mean?
Good privacy governance encompasses…
…building privacy into ‘business as usual processes’ – you shouldn’t have to think twice about whether or not your projects or initiatives adhere to privacy obligations, because your processes should already require privacy to be considered during the design and conceptual phases.
…ensuring your organisation has privacy policies, procedures and guidance that are followed, remain relevant to your organisation and are effective in what they are trying to achieve.
…being proactive in taking steps to manage privacy risks, and not waiting for an incident to occur before privacy is taken seriously.
…treating personal information as a valuable business asset that is respected, managed and protected appropriately.
What does it look like?
One step in particular that organisations can take is to make Privacy by Design a key part of their privacy governance strategy. Privacy by Design is about setting up your organisation to be able to provide the highest standard of privacy protection to individuals, without those individuals having to take steps themselves to protect their own privacy.
A key part of Privacy by Design is ‘privacy by default’, which means that if individuals were to do nothing, their privacy would still be protected. Good governance should aim to achieve this state. Privacy impact assessments can assist organisations with this: they are a key tool for assessing your privacy governance for individual projects and help identify privacy risks before they materialise.
Of course, no matter how many positive steps you take to implement good privacy practices, privacy breaches can still happen. One of the most common causes of privacy breaches is human error, and simple mistakes like sending an email to the wrong recipient or misplacing a file can lead to a privacy breach.
Encouraging employees to think ‘privacy’ before ‘doing’ can avoid simple mistakes. But when a breach occurs, having a response plan in place is a core part of good governance so that you have processes to identify when the breach occurred, manage the risks associated with the breach, and take steps to prevent similar breaches from happening again.
There are many other practical steps that can be taken to embed good privacy governance across an organisation and to foster the idea that protecting privacy is everyone’s responsibility. Check out OVIC’s tip sheet: Privacy governance in your organisation for other helpful tips on how to achieve good privacy governance in your organisation.