Programme activities and resources
An agency’s privacy programme activities bring its privacy strategy to life and embeds privacy into the everyday work of the agency and its staff.
The agency’s privacy officer is responsible for the development, implementation and maintenance of the agency’s privacy programme.
Use the following activities to help embed good privacy practice at your agency.
Training and awareness
Training and awareness are the foundation of an agency’s privacy programme. An effective training programme includes privacy training for all staff at induction and regular intervals thereafter, as well as providing customised privacy training for staff who deal with large amounts or sensitive personal information.
Training activities may include:
- classroom training
- online learning
The Office of the Privacy Commissioner has e-learning privacy training modules that agencies can use to train their staff:
- Privacy 101
- Privacy ABC
- Privacy for Policy-Makers
- Privacy ABC for Schools
- Privacy 2.0 (Privacy Act 2020 changes).
Awareness reinforces training through reminders. Awareness activities may include:
- booklets and flyers
- campaigns (for example, Privacy Week).
Privacy risk assessments
Privacy risks can be assessed at the agency level and at the project level.
An agency privacy risk assessment provides an agency with a snapshot of its current privacy risks and how it will manage them as an organisation.
A project privacy risk assessment only considers the risks associated with a specific process, product or service.
A data inventory identifies the personal information an agency handles as it moves across the agency’s systems and is an important component of an effective privacy risk assessment.
Privacy incidents and breaches management
Responding to and learning from privacy breaches is an essential aspect of an effective privacy programme. Encouraging the reporting of privacy breaches and incidents (near misses), and putting in place processes to minimise the likelihood of a breach occurring is also very important.
Important components of privacy incident and breach management are:
Metrics are a useful tool to communicate the current state of an agency’s privacy practices and the effectiveness of its privacy programme.
Metrics are most effective when coupled with a compelling narrative about the agency’s privacy practices and its privacy programme.
A good metric is easy to understand, repeatable and reflective of the relevant indicators. There are different metrics for different audiences based on their level of interest, influence and responsibility. An agency will need to consider what metrics will best facilitate the achievement of their desired privacy goals and outcomes.
Some common types of metrics are:
- trend analysis — patterns viewed over a period of time
- return on investment — physical, personnel, IT and operational management assets
- business resiliency
- Privacy Maturity Assessment Framework (PMAF).
It’s important to consider the potential behaviour that a metric and its target might encourage. For example, if an agency wants to monitor its privacy breaches and incidents (near misses), setting a target of zero breaches is counterproductive. It will discourage the reporting of breaches and incidents by staff.
A more effective approach is to use the reporting of breaches and near misses to learn which business areas may need additional privacy training, helping to raise the agency’s privacy capability and reduce the number of breaches and near misses.
Effective programme assurance provides confidence to an agency’s senior leaders and other important stakeholders that the expected privacy outcomes and benefits are being achieved.
Programme assurance helps to measure the efficacy of privacy procedures, demonstrate compliance, increase privacy awareness, reveal gaps and provide a basis for any improvements to the privacy programme.
Monitoring can provide a well-rounded picture of an agency’s privacy programme and identify areas in which training activities and programme processes may be improved.
Monitoring may include the following:
- privacy incident register
- complaints register
- information lifecycle
- privacy controls
- staff feedback on privacy training and awareness.
The purpose of a privacy audit is to determine the degree to which technology, processes and people comply with privacy policies and practices.
There are 3 types of audits:
- internal self-evaluation — first party
- supplier audit — second party
- independent audit — third party.
Three lines of defence
The Auditor-General has provided guidance on using the three lines of defence model as a clear and effective way to strengthen communications on risk management, assurance and control.
There are 3 lines of defence:
- functions that own and manage risks — first line
- functions that oversee the risks — second line
- functions that provide independent assurance — third line.