This privacy management framework (Framework) provides steps the Office of the Australian Information Commissioner (OAIC) expects you to take to meet your ongoing compliance obligations under Australian Privacy Principle (APP) 1.2.
APP 1 ensures that personal information is managed in an open and transparent way. APP 1.2 requires you to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. This means that you must be proactive in establishing, implementing and maintaining privacy processes. Compliance with APP 1.2 should be understood as a matter of good governance.
A leadership commitment to a culture of privacy is a foundation for good privacy governance. Good privacy governance can improve business productivity and help to develop more efficient business processes. Good privacy governance will also help you manage both the risk of a privacy breach and your response should one occur. Personal information is one of your most valuable business assets. By embedding a culture that respects privacy, you will build a reputation for strong and effective privacy management that will inspire trust and confidence in your entity.
The Framework has four steps. These are the steps you should take to ensure you practice good privacy governance and meet your ongoing compliance obligations. Which commitments you implement within each step, and who performs these, will depend upon your particular circumstances, including your entity’s size, resources and business model.
Step 1: Embed: a culture of privacy that enables compliance
Good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information.
To embed a culture of privacy, make a commitment to:
treat personal information as a valuable business asset to be respected, managed and protected. Outline how protecting personal information is important for your business
appoint key roles and responsibilities for privacy management, including a senior member of staff with overall accountability for privacy. Also have staff responsible for managing privacy, including a key privacy officer, who are responsible for handling internal and external privacy enquiries, complaints, and access and correction requests
adopt a ‘privacy by design’ approach. Ensure you consider the seven foundational principles of privacy by design in all your business projects and decisions that involve personal information
allocate resources to support the development and implementation of a privacy management plan that aligns your business processes with your privacy obligations. Your plan should outline how you will implement and monitor the steps outlined in this Framework, and meet your goals or objectives for managing privacy
implement reporting mechanisms that ensure senior management are routinely informed about privacy issues
understand your privacy obligations. The APP guidelines provide guidance on how the OAIC will interpret the APPs and what matters it may take into account when exercising its functions and powers
understand the role of the OAIC. The Privacy regulatory action policy explains the OAIC’s approach to using its privacy regulatory powers and how it will communicate information.
Step 2: Establish: robust and effective privacy practices, procedures and systems
Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.
To establish good privacy practices, procedures and systems, make a commitment to:
keep information about your business’s personal information holdings (including the type of information you hold and where it is held) up to date. This includes information held off-shore, or that is in the physical possession of a third party
develop and maintain processes to ensure you’re handling personal information in accordance with your privacy obligations. Ensure these processes:
address the handling of information throughout the information lifecycle — prior to collection, once personal information has been collected, while you hold it and once it is no longer needed. Ensure additional consideration is given to areas you assess as having greater risk, including sensitive information and use of service providers, contractors, outsourcing arrangements and off shore storage
clearly outline how staff are expected to handle personal information in their everyday duties. Tailor these processes to align with the different needs of different parts of your business, and how they use personal information
promote privacy awareness within your entity by integrating privacy into your induction and regular staff training programs (including short term staff, service providers and contractors). This should include training staff on their privacy obligations and your processes. The OAIC has a number of training resources to help you with this
implement risk management processes that allow you to identify, assess and manage privacy risks across your business, including personal information security risks. The Guide to securing personal information provides steps and strategies you should consider taking to protect personal information, including privacy impact assessments, information security risk assessments and regular reviews of your personal information security controls
undertake privacy impact assessments for business projects or decisions that involve new or changed personal information handling practices (including implementing new technologies). The Guide to undertaking privacy impact assessments includes information on threshold assessments, which will help you determine whether a privacy impact assessment is necessary
establish processes for receiving and responding to privacy enquiries and complaints. The Handling privacy complaints resource provides information to help you address a privacy complaint
establish processes that allow individuals to promptly and easily access and correct their personal information
develop a data breach response plan. The Data breach notification — A guide to handling personal information security breaches provides guidance to assist you respond effectively to data breaches.
Step 3: Evaluate: your privacy practices, procedures and systems to ensure continued effectiveness
Systematically examine the effectiveness and appropriateness of your privacy practices, procedures and systems to ensure they remain effective and appropriate.
To evaluate your privacy practices, procedures and systems, make a commitment to:
document your compliance with your privacy obligations, including keeping records on privacy process reviews, breaches and complaints. Ensure senior management and those with responsibility for privacy management are briefed on risks or issues identified
measure your performance against your privacy management plan. Regularly review your implementation of this Framework and your progress towards your objectives or goals
create channels for both your staff and customers to provide feedback on your privacy processes, such as a suggestion box and feedback form.
Step 4: Enhance: your response to privacy issues
Good privacy management requires you to be proactive, forward thinking and to anticipate future challenges. By continually improving your privacy processes, you will ensure you are responsive to new privacy issues and that implementation will not be a burden.
To enhance your response to privacy issues, make a commitment to:
use the results of your Step 3 evaluations to make changes to your practices, procedures and systems that improve your privacy processes. Track the performance of any new measures you implement
consider having your privacy processes externally assessed to identify areas for improvement
consider adopting good privacy practices that go beyond the requirements of the APPs, where appropriate. The APP guidelines and other OAIC resources provide examples of good privacy practices
keep informed of issues and developments in privacy law and changing legal obligations. Subscribe to the OAIC’s news email list Information Matters for updates and participate in privacy seminars, including the OAIC’s webinars
monitor and address new security risks and threats. Subscribe to Stay Smart Online Alert Service and follow the steps it suggests for ensuring online security, including implementing software updates and patches. The Australian Cyber Security Centre and CERT Australia also provides guidance on cyber security issues
examine and address the privacy implications, risks and benefits of new technologies. Consider implementing privacy enhancing technologies that allow you to minimise and better manage the personal information you handle
introduce initiatives that promote good privacy standards in your business practices. Highlight examples of good personal information handling so that your staff know what is expected of them
participate in Privacy Awareness Week and other privacy events. By bringing privacy into the spotlight, you will ensure your staff remain privacy aware.