Privacy programme governance enables an agency to set its programme direction and manage its operations to achieve its intended outcomes.
The purpose of a privacy programme extends beyond compliance with the Privacy Act’s Information Privacy Principles. A privacy programme should also consider an agency’s wider obligations and build trust with the individuals whose personal information they collect and hold.
The main scope of a privacy programme is the set of activities that enable managing the full lifecycle of personal information, from collection to deletion.
Understanding stakeholder expectations and the wider context in which an agency operates is important to governing a privacy programme effectively.
Good governance requires:
- clear purpose for the privacy programme
- defined roles and responsibilities
- risk management
- reporting, monitoring and assurance
- continuous improvement.
Privacy programme goals
The goals of a privacy programme (at a minimum) are to:
- ensure compliance with all applicable laws
- promote trust and confidence
- enhance the agency’s reputation
- promote awareness of the privacy programme among staff, customers, clients, partners and service providers
- reduce the risk of privacy breaches
- enable effective response to privacy breaches
- ensure regular monitoring, maintenance and improvement of the privacy programme.
Privacy governance components
A good privacy programme should include the following 4 documents, each of which should be regularly reviewed and updated.
Privacy mission statement
A privacy mission statement concisely communicates an agency’s approach to privacy to all stakeholders. It’s an important component that lays the groundwork for the rest of the privacy programme and should align with the agency’s broader purpose.
The privacy mission statement should be prepared with input from a range of stakeholders within the agency and circulated widely throughout the agency.
The privacy mission statement should take less than 30 seconds to read.
Privacy strategy
A privacy strategy lays out the goals of the agency’s privacy programme and how it will accomplish those goals.
A privacy strategy should:
- be aligned with the agency’s organisational strategy
- ensure compliance with all applicable laws (including, at a minimum, the Privacy Act)
- promote a privacy culture within the agency
- embed Privacy by Design into product and service design
- be owned by a member of the senior leadership team.
Privacy policy
A privacy policy should:
- have a clear purpose
- have a clear scope with respect to both the information and the people it applies to
- include guiding principles with respect to the agency’s management and protection of personal information
- allocate responsibility for different privacy activities to roles throughout the agency — importantly, highlighting that all staff and contractors are responsible for protecting personal information
- include a means through which compliance with the policy can be monitored (for example, by measuring privacy maturity against the Privacy Maturity Assessment Framework).
An agency may prepare additional policies to address specific business practices, such as engaging with third-party suppliers.
Privacy notice
A privacy notice is an external statement addressed to anyone whose personal information is handled by an agency.
A privacy notice must be provided when an agency collects personal information from an individual.
An agency should keep a record of their privacy notices and their effective dates, so the agency knows what disclosures were made to individuals regarding the handling of their personal information.
The Office of the Privacy Commissioner has a Privacy Notice Builder to assist agencies with creating their privacy notices.
A privacy notice should include:
- who the agency is and its contact information
- what personal information is collected, directly and indirectly
- how the personal information is collected
- how the agency will use the personal information
- who the agency will share the personal information with
- if a law requires or authorises the collection of personal information, which law it is and whether providing the information is voluntary or mandatory
- what the consequences are for the individual if any or all of the requested personal information is not provided
- how the behaviour of website users is monitored
- how individuals can access and correct their personal information.