There are 10 Information Privacy Principles (IPPs) in the Privacy and Data Protection Act 2014 (PDP Act) that set out the minimum standards and practices for handling personal information in the Victorian public sector.
Section 20 of the PDP Act states that an organisation must not do an act, or engage in a practice, that contravenes an IPP. It is the responsibility of all Victorian public sector organisations to implement appropriate measures to meet the requirements of the IPPs.
The measures an organisation implements will depend on a variety of factors, including the size of the organisation, its functions, the types of information it collects, and its relationship with the public.
This Privacy Management Framework (Framework) is intended to provide organisations with guidance on the policies and procedures that promote good privacy practices within an organisation. The Framework encourages holistic information and privacy management by interconnecting a wide range of policies and information management tools.
Implementing the measures outlined in this Framework will enable an organisation to be accountable for its information handling practices, and convey to the public that it values and respects the privacy rights of individuals. The Framework will assist an organisation to demonstrate the steps it has taken to comply with the IPPs and section 20 of the PDP Act, and entrench a culture of privacy across the organisation.
This Framework is divided into three parts:
The Framework includes links to resources, guides and templates containing further information to assist organisations in establishing and maintaining good privacy practices.
The end of this Framework also includes an organisational self-assessment checklist that can assist organisations to develop and maintain effective privacy management practices.
Note that organisations handling health information must also comply with the Health Privacy Principles contained in the Health Records Act 2001 (Vic). This Framework does not discuss or consider those obligations.
Building a culture of respect for privacy and personal information across an organisation starts with good privacy governance and leadership.
An organisation should ensure that its executive and senior management promote good privacy practices across the organisation. Using existing governance arrangements, such as boards, executive committees and management meetings, to raise privacy issues and create general privacy awareness can be effective in creating an organisational culture that respects privacy.
An organisation should know and understand its privacy obligations. The Office of the Victorian Information Commissioner’s (OVIC) Guidelines to the Information Privacy Principles detail how to interpret the IPPs in the PDP Act.
An organisation should consider if it has concurrent privacy obligations under the Health Records Act 2001 (Vic), the Charter of Human Rights and Responsibilities Act 2006 (Vic), the Privacy Act 1988 (Cth), and other international laws.
An organisation should assign key roles and responsibilities for privacy management, including a senior member of staff with overall organisational accountability for privacy. It should also have staff responsible for managing privacy day to day, such as a privacy officer or team, who handle internal and external privacy enquiries and complaints and advise other staff on building privacy into their programs.
An organisation should ensure appropriate resourcing is allocated to maintain organisational privacy expertise relative to the organisation’s nature, size, and complexity.
An organisation should ensure privacy is considered before, at the start of, and throughout the development and implementation of initiatives involving the collection, handling or use of personal information. It is important for an organisation to engage with its legal, procurement, and project teams to build privacy into contract and project documentation.
An organisation should understand the role of OVIC and its approach to using regulatory powers. OVIC’s Regulatory Action Policy describes how it aims to promote, assure and enforce the PDP Act.
Robust and effective privacy practices ensure regulatory compliance and maintain public trust in an organisation’s ability to handle personal information.
An organisation should develop and maintain processes around handling personal information that align with the organisation’s privacy obligations. Processes, procedures and policies need to be tailored to individual functions and activities an organisation undertakes.
An organisation’s processes should cover the information lifecycle and clearly outline staff responsibilities when handling personal information. The information lifecycle is the flow of information from the point the organisation collects the information to the point the information is destroyed. The IPPs can be grouped into the five main stages of the information cycle. This is illustrated in the diagram.
An organisation should ensure it is aware of any information security obligations it has under the Victorian Protective Data Security Framework. Privacy and security go hand-in-hand. Good information security practices protect personal information from unauthorised access, use, modification, or disclosure.
An organisation should ensure Privacy Impact Assessments (PIAs) are undertaken for all projects and initiatives that involve personal information or impact on the organisation’s information management practices or processes. PIAs should be reviewed and updated when material changes occur.
An organisation should ensure it understands how and when personal information can be shared within and outside of the organisation, and how information should be protected when shared.
An organisation should ensure the information handling practices of its contracted service providers (CSPs) adhere to the IPPs (or equivalent privacy protections) and align with the organisation’s privacy obligations. Active steps should be taken to ensure CSPs have appropriate privacy practices in place.
An organisation should implement a risk management process that enables the organisation to identify, assess and manage privacy risks across the organisation. Risks should be added to the organisation’s risk register, and an accountable person assigned to manage each risk.
An organisation should maintain a register (for example, in an organisational Information Asset Register) of the types of personal information it holds, where that information is located, and when it should be destroyed.
An organisation should have processes in place to monitor how long personal information should be retained before it is destroyed. Personal information must be destroyed or permanently de-identified when it is no longer needed for any purpose. Organisations should refer to the relevant Retention and Disposal Authority issued under the Public Records Act 1973 (Vic) when determining whether data should be destroyed or permanently de-identified.
An organisation should incorporate privacy into staff inductions and conduct regular privacy training and awareness programs across the organisation.
An organisation should have a process for handling privacy enquiries and complaints. It should ensure stakeholders and the public know who to contact within the organisation or where to get help.
An organisation should develop a data breach response plan and an incident management process. It should ensure staff know what to do and who to contact when a breach occurs. An organisation should be aware of the Information Security Incident Notification Scheme, which requires certain organisations to notify OVIC of incidents that compromise public sector information.
An organisation should develop and implement a program of engagement and awareness activities to build and enhance a privacy conscious culture. This could include participating in Privacy Awareness Week activities, or conducting regular seminars or other events with privacy officers and experts that highlight good privacy practices.
Monitor, review, and improve policies and practices to ensure they remain relevant and effective. Privacy is fast-moving and ever evolving, which means organisations need to be proactive and anticipate future challenges.
An organisation should establish a process to measure or evaluate the effectiveness of the organisation’s privacy practices, processes, and resources. This could include measuring the awareness of good privacy practices and the adoption and use of privacy tools or resources across the organisation.
An organisation should regularly review its risk registers to ensure privacy risks are being appropriately managed.
An organisation should proactively examine the privacy implications, risks and benefits of new technologies it introduces into the organisation, and address identified risks. Where a new process or technology changes the organisation’s information handling practices, any privacy policies, collection notices and PIAs should be updated to reflect those changes.
An organisation should ensure that any material changes to its privacy policies, procedures and practices are communicated appropriately to its employees and any relevant key stakeholders.
An organisation should document compliance with its privacy obligations including keeping records of privacy process reviews, breaches and complaints. These records should enable an organisation to identify systemic privacy risks, common themes, and opportunities for improvement. Any themes and privacy risks identified should be reported to senior management and those responsible for privacy.
An organisation should create a culture of continuous improvement by encouraging input from staff, the public, and key stakeholders with suggestions and feedback on the organisation’s privacy practices.
An organisation should consider having its privacy processes assessed periodically by an independent party to identify areas that may need improvement.
This checklist is at the end of the Word document and is designed to assist an organisation to implement privacy-enhancing practices and processes, and build a culture of privacy across the organisation.
Whether an organisation has implemented or implements all or some of the measures listed will depend on a variety of factors, including the size of the organisation, its functions, the types of information it collects, and its relationship with the public.
This checklist should be completed annually by the organisation’s privacy officer and endorsed by the organisation’s executive. When completing the checklist, the privacy officer should comment on how the organisation has implemented the action, or intends to implement the relevant action, and make a robust assessment of the effectiveness of the organisation’s practices.