Privacy programme governance
Privacy programme governance enables an agency to set its programme direction and manage its operations to achieve its intended outcomes.
The purpose of a privacy programme extends beyond compliance with the Privacy Act’s Information Privacy Principles. A privacy programme should also consider an agency’s wider obligations and build trust with the individuals whose personal information they collect and hold.
The main scope of a privacy programme are the activities that enable managing the full lifecycle of personal information from collection to deletion.
Understanding stakeholder expectations and the wider context that an agency operates within are important to governing a privacy programme effectively.
Good governance requires:
- clear purpose for the privacy programme
- defined roles and responsibilities
- risk management
- reporting, monitoring and assurance
- continuous improvement.
Privacy programme goals
The goals of a privacy programme (at a minimum) are to:
- ensure compliance with all applicable laws
- promote trust and confidence
- enhance the agency’s reputation
- facilitate privacy programme awareness of staff, customers, clients, partners and service providers
- reduce the risk of privacy breaches
- enable effective response to privacy breaches
- ensure regular monitoring, maintenance and improvement of the privacy programme.
Privacy governance components
A good privacy programme should include the following 4 documents, each of which should be regularly reviewed and updated.
Privacy mission statement
A privacy mission statement concisely communicates an agency’s approach to privacy to all stakeholders. It’s an important component that lays the groundwork for the rest of the privacy programme and should align with the agency’s broader purpose.
The privacy mission statement should be prepared with input from a range of stakeholders within the agency and circulated widely throughout the agency.
The privacy mission statement should take less than 30 seconds to read.
A privacy strategy lays out the goals of the agency’s privacy programme and how it will accomplish those goals.
The privacy strategy sets coherent goals for where the agency wishes to get to with its privacy practices.
These goals will work well if they are coupled with objectives that are targeted and make sense in the context of the agency’s overall privacy stance and risk profile rather than being generic or overly broad.
A privacy strategy should
- be aligned with the agency’s organisational strategy
- ensure compliance with all applicable laws (including, at a minimum, the Privacy Act 2020)
- state privacy goals to promote a privacy culture and improve privacy practices within the agency
- be owned by a member of the senior leadership team
- state a time horizon, for example, a 2-year plan
- identify key stakeholders.
An agency may prepare additional policies to address specific business practices, such as engaging with third party suppliers.
- have a clear purpose
- have a clear scope with respect to both the information and people it applies to
- include guiding principles with respect to the agency’s management and protection of personal information
- allocate responsibility for different privacy activities to roles throughout the agency — importantly, highlighting that all staff and contractors are responsible for protecting personal information
- include a means through which compliance with the policy can be monitored (for example, through measuring privacy maturity against the Privacy Maturity Assessment Framework).
Privacy statement or notice
A privacy statement is an external statement addressed to anyone whose personal information is handled by an agency.
A privacy statement must be provided when an agency collects personal information from an individual.
An agency should keep a record of their privacy statements and their effective dates, so the agency knows what disclosures were made to individuals regarding the handling of their personal information.
The Office of the Privacy Commissioner has a Privacy Statement Generator to assist agencies with creating their privacy statements.
A privacy statement should include
- who the agency is and its contact information
- what personal information is collected, directly and indirectly
- how the personal information is collected
- how the agency will use the personal information
- who the agency will share the personal information with
- if a law requires or authorises the collection of personal information, what is the law and is collection voluntary or mandatory
- what the consequences are for the individual if any or all of the requested personal information is not provided
- how the behaviour of website users is monitored
- how individuals can access and correct their personal information.