Australian Government - Office of the Australian Information Commissioner

Privacy management plan template

The Office of the Australian Information Commissioner’s (OAIC) Privacy management framework (Framework) outlines the steps to take to meet your ongoing compliance obligations under Australian Privacy Principle (APP) 1.2. A key way to meet these obligations is to develop and implement a privacy management plan: a document that sets out specific, measurable goals and targets for how you will implement the four steps outlined in the Framework.

This template is designed to help you develop a privacy management plan for your entity. Which commitments you implement within each step, and who performs these, will depend upon your particular circumstances, including your entity’s size, resources and business model.

You may be able to adapt this template to include specific details of how you intend to implement each commitment. Alternatively, it may be appropriate to specify these details in a separate project plan, depending on the size and scale of the relevant commitment.

[Figure: Privacy management framework]

Step 1 — Embed: a culture of privacy that enables compliance

| Action | Person responsible | Due | Status |
| --- | --- | --- | --- |
| Adopt a ‘privacy by design’ approach (see the Guide to undertaking privacy impact assessments) | | | |
| Assign key roles and responsibilities for privacy management | | | |
| Assign staff responsibility for managing privacy | | | |
| Create reporting mechanisms that ensure senior management are routinely informed about privacy issues | | | |
| Ensure staff understand their privacy obligations and the role of the OAIC | | | |

Step 2 — Establish: robust and effective privacy practices, procedures and systems

| Action | Person responsible | Due | Status |
| --- | --- | --- | --- |
| Keep information about your business’s personal information holdings (including the type of information you hold and where it is held) up to date | | | |
| Develop and maintain processes for handling personal information prior to collection, while personal information is held, and once it is no longer needed (see the Australian Privacy Principles guidelines) | | | |
| Integrate privacy into staff training and induction processes (see the OAIC’s privacy training resources) | | | |
| Develop and implement a clearly expressed and up-to-date privacy policy (see the Guide to developing an APP privacy policy) | | | |
| Implement risk management processes to identify, assess and manage privacy risks across the business (see the Guide to undertaking privacy impact assessments) | | | |
| Establish processes for receiving and responding to privacy enquiries and complaints (see the Handling privacy complaints resource) | | | |
| Establish processes that allow individuals to promptly and easily access and correct their personal information (see the Access and Correction business resources) | | | |
| Create a data breach response plan (see the Guide to developing a data breach response plan) | | | |

Step 3 — Evaluate: your privacy practices, procedures and systems to ensure continued effectiveness

| Action | Person responsible | Due | Status |
| --- | --- | --- | --- |
| Regularly monitor and review privacy processes, policies and notices | | | |
| Document compliance with privacy obligations, including keeping records of privacy process reviews, breaches and complaints | | | |
| Measure your performance against this privacy management plan | | | |
| Create channels for staff and customers to provide feedback on privacy processes | | | |

Step 4 — Enhance: your response to privacy issues

| Action | Person responsible | Due | Status |
| --- | --- | --- | --- |
| Use the results of evaluations to make changes to practices, procedures and systems to improve privacy processes | | | |
| Have your privacy processes externally assessed or audited to identify areas for improvement | | | |
| Keep up to date with issues and developments in privacy law and changing legal obligations | | | |
| Monitor and address new security risks and threats | | | |
| Examine and address the privacy implications, risks and benefits of new technologies. Consider implementing privacy enhancing technologies that allow you to minimise and better manage the personal information you handle | | | |
| Introduce initiatives that promote good privacy standards in your business practices | | | |
| Participate in Privacy Awareness Week and other privacy events | | | |