Common agency privacy risks
Read about common agency privacy risks, who to involve and potential mitigations.
Privacy risks
Staff are not adequately trained to handle personal information
Who to involve:
- learning & development
- people leaders
- staff.
Potential mitigations:
- ensure all new staff receive an effective privacy induction
- have ongoing privacy training for all staff
- provide targeted privacy training for staff who handle sensitive personal information
- adopt and implement good privacy policies and procedures that are widely disseminated and used.
The agency does not understand where personal information is stored and processed
Who to involve:
- ICT
- information security
- information management
- risk and assurance
- HR
- finance
- procurement
- service delivery/operations.
Potential mitigations:
- complete a data inventory
- regularly refresh the data inventory.
Privacy risks are not associated with new products, services or processes
Who to involve:
- programme management office
- project team
- service delivery/operations
- ICT
- information security.
Potential mitigations:
- have a good process for completing Privacy Threshold Assessments (PTA) and Privacy Impact Assessments (PIA)
- encourage a culture in which everyone views privacy as their responsibility.
Privacy risks are not associated with material changes to existing products, services or processes
Who to involve:
- programme management office
- project team
- service delivery/operations
- ICT
- information security.
Potential mitigations:
- have a good process for completing PTAs and PIAs
- encourage a culture in which everyone views privacy as their responsibility.
Personal information is retained longer than is necessary for the business purpose
Who to involve:
- information management
- records management
- service delivery/operations.
Potential mitigations:
- identify appropriate retention period for all personal information
- have a disposal schedule for all personal information
- ensure the disposal schedule is followed
- regularly review the disposal schedule.
More personal information is collected than is required for the business purpose
Who to involve:
- delivery/operations
- information management
- ICT
- programme management office
- project team.
Potential mitigations:
- have a good process for completing PTAs and PIAs
- encourage a culture in which everyone views privacy as their responsibility
- implement Privacy by Design
- ensure all new staff receive an effective privacy induction
- have ongoing privacy training for all staff
- provide targeted privacy training for staff who handle sensitive personal information.
Third party providers do not handle personal information appropriately
Who to involve:
- procurement
- legal
- ICT
- information security
- learning and development.
Potential mitigations:
- complete third party risk assessment
- ensure contracts with third party providers include appropriate privacy and security provisions
- ensure there’s targeted training for individual contractors
- ensure third party providers have adequate privacy training for their staff
- adopt good privacy policies and procedures that are widely disseminated and used.
Personal information is used or disclosed in an unauthorised manner
Who to involve:
- staff
- service delivery/operations
- project team
- ICT
- information security
- learning and development
- information management
- HR.
Potential mitigations:
- have a good process for completing PTAs and PIAs
- encourage a culture in which everyone views privacy as their responsibility
- implement Privacy by Design
- use appropriate technical measures and privacy-enhancing technologies
- ensure all new staff receive an effective privacy induction
- have ongoing privacy training for all staff
- provide targeted privacy training for staff who handle sensitive personal information
- adopt and implement good privacy policies and procedures that are widely disseminated and used.
Privacy-related enquiries are not appropriately handled
Who to involve:
- staff
- service delivery/operations
- learning and development
- HR.
Potential mitigations:
- ensure all new staff receive an effective privacy induction
- have ongoing privacy training for all staff
- provide targeted privacy training for staff who handle privacy-related enquiries
- adopt good privacy policies and procedures that are widely disseminated and used.
Personal information is inadequately secured
Personal information is not adequately secured from accidental errors or loss, or from malicious acts such as hacking or deliberate theft, disclosure or loss.
Who to involve:
- information security
- ICT
- risk and assurance
- learning and development
- staff
- service delivery/operations
- project team.
Potential mitigations:
- have a good process for completing PTAs and PIAs
- have a good process for completing information security risk assessments
- ensure all new staff receive an effective privacy and information security induction
- have ongoing privacy and information security training for all staff
- adopt good privacy and information security policies and procedures that are widely disseminated and used.
Privacy processes do not operate as intended
Who to involve:
- staff
- service delivery/operations
- learning and development
- project team
- information security
- information management
- records management
- people leaders
- risk and assurance
- ICT
- HR
- finance
- procurement.
Potential mitigations:
- maintain a privacy incident register that records privacy incidents and breaches, and regularly review the register to identify patterns of privacy incidents
- adopt good privacy policies and procedures that are widely disseminated and used
- implement a process for monitoring and reviewing the effectiveness of privacy policies and processes
- ensure all new staff receive an effective privacy induction
- have ongoing privacy training for all staff
- encourage a culture in which everyone views privacy as their responsibility.
Privacy-related incidents are not responded to appropriately
Who to involve:
- staff
- service delivery/operations
- learning and development
- project team
- information security.
Potential mitigations:
- adopt good privacy policies and procedures that are widely disseminated and used
- ensure all new staff receive an effective privacy induction
- have ongoing privacy training for all staff
- encourage a culture in which everyone views privacy as their responsibility'
The agency does not learn from patterns of privacy-related incidents
Who to involve:
- people leaders
- risk and assurance
- staff
- service delivery/operations
- learning and development
- information security
- HR.
Potential mitigations:
- maintain a privacy incident register that records privacy incidents and breaches, and regularly review the register to identify patterns of privacy incidents
- implement a process for monitoring and reviewing the effectiveness of privacy policies and processes
- adopt good privacy policies and procedures that are widely disseminated and used.
