Privacy Management Framework
Introduction
There are 10 Information Privacy Principles (IPPs) in the Privacy and Data Protection Act 2014 (PDP Act) that set out the minimum standards and practices for handling personal information in the Victorian public sector.
Section 20 of the PDP Act states that an organisation must not do an act, or engage in a practice, that contravenes an IPP. It is the responsibility of all Victorian public sector organisations to implement appropriate measures to meet the requirements of the IPPs.
The measures an organisation implements will depend on a variety of factors, including the size of the organisation, its functions, the types of information it collects, and its relationship with the public.
Purpose
This Privacy Management Framework (Framework) is intended to provide organisations with guidance on the policies and procedures that promote good privacy practices within an organisation. The Framework encourages holistic information and privacy management by interconnecting a wide range of policies and information management tools.
Implementing the measures outlined in this Framework will enable an organisation to be accountable for its information handling practices, and convey to the public that it values and respects the privacy rights of individuals. The Framework will assist an organisation to demonstrate the steps it has taken to comply with the IPPs and section 20 of the PDP Act, and entrench a culture of privacy across the organisation.
This Framework is divided into three parts:
Part 1 – Organisational commitment
Part 2 – Privacy practices
Part 3 – Monitor, review, and improve
The Framework includes links to resources, guides and templates containing further information to assist organisations in establishing and maintaining good privacy practices.
The end of this Framework also includes an organisational self-assessment checklist that can assist organisations to develop and maintain effective privacy management practices.
Note that organisations handling health information must also comply with the Health Privacy Principles contained in the Health Records Act 2001 (Vic). This Framework does not discuss or consider those obligations.
Part 1 – Organisational commitment
Building a culture of respect for privacy and personal information across an organisation starts with good privacy governance and leadership.
An organisation should ensure that its executive and senior management promote good privacy practices across the organisation. Using existing governance arrangements, such as boards, executive committees and management meetings, to raise privacy issues and create general privacy awareness can be effective in creating an organisational culture that respects privacy.
An organisation should know and understand its privacy obligations. The Office of the Victorian Information Commissioner’s (OVIC) Guidelines to the Information Privacy Principles detail how to interpret the IPPs in the PDP Act.
An organisation should consider if it has concurrent privacy obligations under the Health Records Act 2001 (Vic), the Charter of Human Rights and Responsibilities Act 2006 (Vic), the Privacy Act 1988 (Cth), and other international laws.
Guidance from the Health Complaints Commissioner on the Health Records Act 2001
Australian Privacy Principles Guidelines under the Commonwealth Privacy Act 1988
Guidance on the Charter of Human Rights and Responsibilities Act 2006
Guidance for the Victorian public sector on the EU General Data Protection Regulation
An organisation should appoint key roles and responsibilities for privacy management, including a senior member of staff with overall organisational accountability for privacy. It should have staff responsible for managing day-to-day privacy, including a privacy officer or team responsible for handling internal and external privacy enquiries and complaints, and for providing advice to other staff on building privacy into their programs.
An organisation should ensure appropriate resourcing is allocated to maintain organisational privacy expertise relative to the organisation’s nature, size, and complexity.
An organisation should ensure privacy is considered before, at the start of, and throughout the development and implementation of initiatives involving the collection, handling or use of personal information. It is important for an organisation to engage with its legal, procurement, and project teams to build privacy into contract and project documentation.
An organisation should understand the role of OVIC and its approach to using regulatory powers. OVIC’s Regulatory Action Policy describes how it aims to promote, assure and enforce the PDP Act.
Part 2 – Privacy practices
Robust and effective privacy practices ensure regulatory compliance and maintain public trust in an organisation’s ability to handle personal information.
An organisation should develop and maintain processes around handling personal information that align with the organisation’s privacy obligations. Processes, procedures and policies need to be tailored to individual functions and activities an organisation undertakes.
An organisation’s processes should cover the information lifecycle and clearly outline staff responsibilities when handling personal information. The information lifecycle is the flow of information from the point the organisation collects the information to the point the information is destroyed. The IPPs can be grouped into the five main stages of the information lifecycle. This is illustrated in the diagram.
An organisation should have a privacy policy that is current, easily accessible, easy to understand, and accurately reflects the organisation’s practices.
An organisation should ensure reasonable steps are taken to give notice of the matters required under IPP 1.3 when collecting personal information. It is important to ensure steps taken to give notice (for example, a collection notice) are tailored to the circumstances, reviewed periodically, and consistent with the organisation’s privacy policy.
An organisation should ensure it is aware of any information security obligations it has under the Victorian Protective Data Security Framework. Privacy and security go hand-in-hand. Good information security practices protect personal information from unauthorised access, use, modification, or disclosure.
An organisation should ensure Privacy Impact Assessments (PIAs) are undertaken for all projects and initiatives that involve personal information or impact on the organisation’s information management practices or processes. PIAs should be reviewed and updated when material changes occur.
An organisation should ensure it understands how and when personal information can be shared within and outside of the organisation, and how information should be protected when shared.
Information Sharing and Privacy
Model terms for transborder data flows
Guidelines to IPP 2 – Using and disclosing personal information
An organisation should ensure the information handling practices of its contracted service providers (CSPs) adhere to the IPPs (or equivalent privacy protections) and align with the organisation’s privacy obligations. Active steps should be taken to ensure CSPs have appropriate privacy practices in place.
An organisation should implement a risk management process that enables the organisation to identify, assess and manage privacy risks across the organisation. Risks should be added to the organisation’s risk register, and an accountable person assigned to manage risks.
An organisation should maintain a register (for example, in an organisational Information Asset Register) of the types of personal information it holds, where that information is located, and when it should be destroyed.
An organisation should have processes in place to ensure it monitors how long personal information should be retained before it is destroyed. Personal information must be destroyed or permanently de-identified when it is no longer needed for any purpose. Organisations should refer to the relevant Retention and Disposal Authority issued under the Public Records Act 1973 (Vic) when determining whether data should be destroyed or permanently de-identified.
An organisation should incorporate privacy into staff inductions and conduct regular privacy training and awareness programs across the organisation.
OVIC face-to-face training – Information privacy under the Privacy and Data Protection Act 2014
OVIC online privacy module – Introduction to privacy in the Victorian public sector
OVIC online privacy module – Managing the privacy impacts of data breaches
An organisation should have a process for handling privacy enquiries and complaints. It should ensure stakeholders and the public know who to contact within the organisation or where to get help.
An organisation should develop a data breach response plan and an incident management process. It should ensure staff know what to do and who to contact when a breach occurs. An organisation should be aware of the Information Security Incident Notification Scheme, which requires certain organisations to notify OVIC of incidents that compromise public sector information.
An organisation should develop and implement a program of engagement and awareness activities to build and enhance a privacy conscious culture. This could include participating in Privacy Awareness Week activities, or conducting regular seminars or other events with privacy officers and experts that highlight good privacy practices.
Part 3 – Monitor, review, and improve
Monitor, review, and improve policies and practices to ensure they remain relevant and effective. Privacy is fast-moving and ever evolving, which means organisations need to be proactive and anticipate future challenges.
An organisation should monitor and review its privacy policies and processes regularly to ensure they are up to date and fit for purpose. This should involve assessing its privacy policy, collection notices, and PIA templates – at least annually – to ensure they are up to date.
An organisation should establish a process to measure or evaluate the effectiveness of the organisation’s privacy practices, processes, and resources. This could include measuring the awareness of good privacy practices and the adoption and use of privacy tools or resources across the organisation.
An organisation should regularly review its risk registers to ensure privacy risks are being appropriately managed.
An organisation should proactively examine the privacy implications, risks and benefits of new technologies it introduces into the organisation, and address identified risks. Where a new process or technology changes the organisation’s information handling practices, any privacy policies, collection notices and PIAs should be updated to reflect those changes.
An organisation should ensure that any material changes to its privacy policies, procedures and practices are communicated appropriately to its employees and any relevant key stakeholders.
An organisation should document compliance with its privacy obligations including keeping records of privacy process reviews, breaches and complaints. These records should enable an organisation to identify systemic privacy risks, common themes, and opportunities for improvement. Any themes and privacy risks identified should be reported to senior management and those responsible for privacy.
An organisation should create a culture of continuous improvement by encouraging input from staff, the public, and key stakeholders with suggestions and feedback on the organisation’s privacy practices.
An organisation should consider having its privacy processes assessed periodically by an independent party to identify areas that may need improvement.
Privacy Management Framework Checklist
Purpose of self-assessment
OVIC has developed a self-assessment checklist to help an organisation review its existing privacy culture, governance, and practices – to work out how it is doing and where improvements are required.
How to use the self-assessment
The self-assessment tool will be most effective if it is carried out annually by the organisation’s privacy officer and reported to the organisation’s executive. Conducting the self-assessment will likely involve interviewing relevant staff and reviewing documentation.
When completing the self-assessment, the privacy officer is asked to consider a list of ‘actions’. Whether an organisation implements all or some of the measures listed will depend on a variety of factors, including its size, functions, the types of information it collects, and its relationship with the public.
The self-assessment asks the privacy officer to update the organisation’s ‘progress’ for each action. To guide the assessment, OVIC has provided a list of ‘activities’ that an organisation might carry out to fulfil each action. Please note that these activities are examples and are not an exhaustive list.
To describe an organisation’s progress, the privacy officer can choose from three options: ‘yet to be addressed’, ‘in progress’, or ‘completed/reviewed’. In describing the progress, the privacy officer should also add comments to explain how the organisation has implemented the action or intends to implement the relevant action.
Measuring your performance
Each action is associated with a category (governance, culture, data breaches, or compliance). The progress for each action item informs a ‘score’ against each category at the bottom of the assessment, as well as an overall total score expressed as a percentage.
This score is designed to be a progression marker, to enable an organisation to gauge where it stands in its journey of improving its privacy performance. It will help an organisation to see its progress and provide clear metrics on which it can report.
Addressing gaps from your self-assessment
To provide structure for implementing measures to address shortcomings from the self-assessment, OVIC recommends creating a Privacy Management Plan.
To assist, we have developed a privacy management plan template for the privacy officer to populate with items that are ‘yet to be addressed’ or require review in the self-assessment. An organisation may choose to use this template or develop its own.