Reviewing and improving practices
An organisation’s privacy officer is usually responsible for ensuring their organisation reviews and improves its privacy practices. This involves:
- Regularly assessing the state of privacy at your organisation. You should first take stock of what personal information your organisation collects; where it is held; how staff use and disclose it; how it is protected; and how it is ultimately destroyed. This will help you identify weaknesses in your organisation’s existing privacy practices.
- Developing and implementing a privacy management plan. You should identify actions to be taken to address any gaps you identify in your organisation’s privacy practices.
As well as improving privacy practices at your organisation, this systemic approach will also help build a culture of privacy at your organisation.
Step 1: Assess the state of privacy and identify areas for improvement
Undertaking a structured review of your organisation’s current state of privacy governance, practices, policies, and procedures can help you determine how mature your organisation is from a privacy standpoint. It can then help you determine where to focus your efforts for improvements.
This might involve interviewing staff, reviewing documents and systems, undertaking workshops, or conducting surveys.
OVIC’s Privacy Management Framework provides a benchmark against which to measure the level of your organisation’s privacy maturity. The Framework provides guidance on the policies and procedures that promote good privacy practices within your organisation.
You can use OVIC’s self-assessment checklist to help your organisation review its existing privacy culture, governance and practices – to work out how it is doing and where improvements are required.
How to use the self-assessment
The self-assessment tool will be most effective if it is carried out annually and reported to your executive. Conducting the self-assessment will likely involve interviewing relevant staff and reviewing documentation.
When completing the self-assessment, you are asked to consider a list of ‘actions’. Whether your organisation implements all or some of the measures listed will depend on a variety of factors, including its size, functions, the types of information it collects, and its relationship with the public.
The self-assessment asks you to update your organisation’s ‘progress’ for each action. To guide the assessment, OVIC has provided a list of ‘activities’ that your organisation might carry out to fulfil each action. Please note that these activities are examples and are not an exhaustive list.
To describe your progress, you can choose from three options: ‘yet to be addressed’, ‘in progress’, or ‘completed/reviewed’. When recording progress, you should also add comments explaining how your organisation has implemented the action or intends to implement it.
Measuring your performance
Each action is associated with a category (governance, culture, data breaches, or compliance). The progress for each action item informs a ‘score’ against each category at the bottom of the assessment, as well as an overall total score expressed as a percentage.
This score is designed to be a progression marker, enabling your organisation to gauge where it stands in its journey of improving its privacy performance. It will help you see your organisation’s progress and provide clear metrics on which you can report.
Step 2: Develop a privacy management plan
Identifying gaps in your organisation’s privacy practices allows you to develop a privacy management plan with goals for improvement.
Through setting goals and making sure you and your organisation are on track to meet them, you are implementing a process of continuous review and improvement of privacy practices.
A privacy management plan is a useful way of identifying and prioritising steps your organisation will be taking during a set period. These plans are often refreshed annually.
A privacy management plan typically sets out:
- key privacy goals or activities to be completed by your organisation;
- who is responsible for completing each action; and
- the timeframe within which each action is to be completed.
This plan may be informed by items that are ‘yet to be completed’ on the self-assessment checklist.
To assist you, we have developed a privacy management plan template for you to populate. You may choose to use this or develop your own.
It is crucial that the plan is endorsed by your organisation’s executive and that the executive is regularly updated on progress on the plan.