Common agency privacy risks

Who to involve:

• learning & development
• people leaders
• staff.

Potential mitigations: 

• ensure all new staff receive an effective privacy induction
• have ongoing privacy training for all staff
• provide targeted privacy training for staff who handle sensitive personal information
• adopt and implement good privacy policies and procedures that are widely disseminated and used.

Who to involve:

• ICT
• information security
• information management
• risk and assurance
• HR
• finance
• procurement
• service delivery/operations.

Potential mitigations:

• complete a data inventory
• regularly refresh the data inventory.

Who to involve:

• programme management office
• project team
• service delivery/operations
• ICT
• information security.

Potential mitigations:

• have a good process for completing Privacy Threshold Assessments (PTA) and Privacy Impact Assessments (PIA)
• encourage a culture in which everyone views privacy as their responsibility.

Who to involve:

• programme management office
• project team
• service delivery/operations
• ICT
• information security.

Potential mitigations:

• have a good process for completing PTAs and PIAs
• encourage a culture in which everyone views privacy as their responsibility.

Who to involve:

• information management
• records management
• service delivery/operations.

Potential mitigations:

• identify appropriate retention period for all personal information
• have a disposal schedule for all personal information
• ensure the disposal schedule is followed
• regularly review the disposal schedule.

Who to involve:

• delivery/operations
• information management
• ICT
• programme management office
• project team.

Potential mitigations:

• have a good process for completing PTAs and PIAs
• encourage a culture in which everyone views privacy as their responsibility
• implement Privacy by Design
• ensure all new staff receive an effective privacy induction
• have ongoing privacy training for all staff
• provide targeted privacy training for staff who handle sensitive personal information.

Who to involve:

• procurement
• legal
• ICT
• information security
• learning and development.

 Potential mitigations:

• complete third party risk assessment
• ensure contracts with third party providers include appropriate privacy and security provisions
• ensure there’s targeted training for individual contractors
• ensure third party providers have adequate privacy training for their staff
• adopt good privacy policies and procedures that are widely disseminated and used.

Who to involve:

• staff
• service delivery/operations
• project team
• ICT
• information security
• learning and development
• information management
• HR.

Potential mitigations:

• have a good process for completing PTAs and PIAs
• encourage a culture in which everyone views privacy as their responsibility
• implement Privacy by Design
• use appropriate technical measures and privacy-enhancing technologies
• ensure all new staff receive an effective privacy induction
• have ongoing privacy training for all staff
• provide targeted privacy training for staff who handle sensitive personal information
• adopt and implement good privacy policies and procedures that are widely disseminated and used.

Who to involve:

• staff
• service delivery/operations
• learning and development
• HR.

Potential mitigations:

• ensure all new staff receive an effective privacy induction
• have ongoing privacy training for all staff
• provide targeted privacy training for staff who handle privacy-related enquiries
• adopt good privacy policies and procedures that are widely disseminated and used.

Personal information is not adequately secured from accidental errors or loss, or from malicious acts such as hacking or deliberate theft, disclosure or loss.

Who to involve:

• information security
• ICT
• risk and assurance
• learning and development
• staff
• service delivery/operations
• project team.

Potential mitigations:

• have a good process for completing PTAs and PIAs
• have a good process for completing information security risk assessments
• ensure all new staff receive an effective privacy and information security induction
• have ongoing privacy and information security training for all staff
• adopt good privacy and information security policies and procedures that are widely disseminated and used.

Who to involve:

• staff
• service delivery/operations
• learning and development
• project team
• information security
• information management
• records management
• people leaders
• risk and assurance
• ICT
• HR
• finance
• procurement.

 Potential mitigations:

• maintain a privacy incident register that records privacy incidents and breaches, and regularly review the register to identify patterns of privacy incidents
• adopt good privacy policies and procedures that are widely disseminated and used
• implement a process for monitoring and reviewing the effectiveness of privacy policies and processes
• ensure all new staff receive an effective privacy induction
• have ongoing privacy training for all staff
• encourage a culture in which everyone views privacy as their responsibility.

Who to involve:

• staff
• service delivery/operations
• learning and development
• project team
• information security.

Potential mitigations:

• adopt good privacy policies and procedures that are widely disseminated and used
• ensure all new staff receive an effective privacy induction
• have ongoing privacy training for all staff
• encourage a culture in which everyone views privacy as their responsibility'

Who to involve:

• people leaders
• risk and assurance
• staff
• service delivery/operations
• learning and development
• information security
• HR.

Potential mitigations:

• maintain a privacy incident register that records privacy incidents and breaches, and regularly review the register to identify patterns of privacy incidents
• implement a process for monitoring and reviewing the effectiveness of privacy policies and processes
• adopt good privacy policies and procedures that are widely disseminated and used.