An agency’s privacy programme activities bring its privacy strategy to life and embed privacy into the everyday work of the agency and its staff.
The agency’s privacy officer is responsible for the development, implementation and maintenance of the agency’s privacy programme.
Privacy officers or teams should also consider working with ICT and digital teams to develop and embed Privacy by Design practices. This is a design methodology that includes privacy as an essential priority of any product, service, system or process.
Use the following activities to help embed good privacy practice at your agency.
Training and awareness
Training and awareness are the foundation of an agency’s privacy programme. An effective training programme includes privacy training for all staff at induction and at regular intervals thereafter, as well as customised privacy training for staff who handle large volumes of personal information or sensitive personal information.
Training activities may include:
classroom training
online learning
workshops.
The Office of the Privacy Commissioner has e-learning privacy training modules that agencies can use to train their staff.
Data inventory
A data inventory identifies the personal information an agency handles and records how it moves across the agency’s systems. It is an important component of an effective privacy risk assessment.
Privacy breach and incident management
Responding to and learning from privacy breaches is an essential aspect of an effective privacy programme. Encouraging staff to report privacy breaches and incidents (near misses), and putting in place processes that minimise the likelihood of a breach occurring, are also very important.
The following are important components of privacy incident and breach management:
Metrics
Metrics are a useful tool to communicate the current state of an agency’s privacy practices and the effectiveness of its privacy programme.
Metrics are most effective when coupled with a compelling narrative about the agency’s privacy practices and its privacy programme.
A good metric is easy to understand, repeatable and reflective of the indicators that matter. Different audiences need different metrics, depending on their level of interest, influence and responsibility. An agency will need to consider which metrics best support its desired privacy goals and outcomes.
Some common types of metrics are:
trend analysis — patterns viewed over a period of time
return on investment — physical, personnel, IT and operational management assets
business resiliency
Privacy Maturity Assessment Framework (PMAF).
It’s important to consider the behaviour that a metric and its target might encourage. For example, if an agency wants to monitor its privacy breaches and incidents (near misses), setting a target of zero breaches is counterproductive: it discourages staff from reporting breaches and incidents at all.
A more effective approach is to use the reporting of breaches and near misses to learn which business areas may need additional privacy training, helping to raise the agency’s privacy capability and reduce the number of breaches and near misses.
Programme assurance
Effective programme assurance provides confidence to an agency’s senior leaders and other important stakeholders that the expected privacy outcomes and benefits are being achieved.
Programme assurance helps to measure the efficacy of privacy procedures, demonstrate compliance, increase privacy awareness, reveal gaps and provide a basis for any improvements to the privacy programme.
Monitoring
Monitoring can provide a well-rounded picture of an agency’s privacy programme and identify areas in which training activities and programme processes may be improved.
Monitoring may include the following:
privacy incident register
complaints register
information lifecycle
privacy controls
staff feedback on privacy training and awareness.
Auditing
The purpose of a privacy audit is to determine the degree to which technology, processes and people comply with privacy policies and practices.
There are 3 types of audits:
internal self-evaluation — first party
supplier audit — second party
independent audit — third party.
Three lines of defence
The Auditor-General has provided guidance on using the three lines of defence model as a clear and effective way to strengthen communications on risk management, assurance and control.
There are 3 lines of defence:
functions that own and manage risks — first line
functions that oversee the risks — second line
functions that provide independent assurance — third line.