Webinar: Preparing your agency’s Privacy Management Plan
The OAIC hosted a webinar on preparing your agency’s privacy management plan on 15 May 2018. The webinar provided information about how to use the Interactive Privacy Management Plan template.
You can still view the original webinar — it has higher video quality and more viewing options.
The live functionality to ask a question that is referred to during the webinar is no longer available. If you would like to ask a question relating to any of the content in this webinar, please email us at email@example.com or call 1300 363 992.
MELANIE DRAYTON: Good morning, everybody, and thank you for attending today’s webinar on preparing a privacy management plan, which is one of the requirements under the Australian Government Agencies Privacy Code, which commences on 1 July this year.
Today we will be showcasing an interactive privacy management plan tool designed for agencies to simplify the process of putting together their first plan and managing the plan over time.
Through this tool you can evaluate your agency’s privacy practices and processes, set specific goals to reduce privacy risks and build a greater public trust in the management of your personal information.
There is also a guide for companies, the interactive Privacy Management Plan Tool. This guide takes you step by step through the process of completing a privacy management plan using the tool.
A lot of the material that we cover today is provided in the guide in greater detail, so we encourage you to have the guide available when using the tool.
Before we start, it might be useful to acknowledge up front that the tool and the guide have been specifically designed for agencies, as the requirements of the code apply only to agencies.
However, the general principles underlying these resources are equally applicable to organisations who might be looking for assistance in developing their privacy management plans and boosting their overall privacy performance.
So, if there are individuals listening today from organisations rather than agencies, we do expect that you will find this presentation useful.
Before we dive into the OAIC privacy management plan resources, a little background on who we are. I am Melanie Drayton, the acting Deputy Commissioner, and this is Sarah Ghali, the acting Assistant Commissioner, Regulation and Strategy.
So, on this slide you will see the agenda for today’s webinar as well as a few acronyms you will become familiar with through the presentation. We will start by addressing why we are here, the development of the Australian Government Agencies Privacy Code, or Code for short. We will then cover the privacy management plan, or PMP, requirements and the OAIC resources that can assist you in meeting your obligations. Specifically, our new PMP tool and guidance.
We will also take you through a case study. Finally, we will take your questions.
While we are aiming to have enough time at the end of the presentation to address the commonly asked questions, we recognise you may have additional questions about the material that we cover today or in the coming months before the Code comes into force. The guidance and the resources published in the Code — sorry, the guidance and the resources published on the OAIC’s website will hopefully answer most of these questions but, of course, you are very welcome to contact us through firstname.lastname@example.org and we will work to get back to you as a matter of priority.
So, in brief, after today you should be able to have a clear understanding of your PMP obligations and the value of a PMP. You should be able to feel confident in using the OAIC’s resources and you should be able to effectively measure and document your agency’s privacy management performance.
In short, we would like you to feel well prepared to meet the Code’s PMP obligations.
So, it might be helpful to start with a recap of why we are here.
Having a PMP is one of the requirements of the Code which was registered on 27 October 2017. In combination, the Code requirements support a consistent high standard of personal information management across all government agencies. This supports greater public trust in how an individual’s personal information is handled, wherever it travels in the APS.
Building and maintaining trust is vital, because without it initiatives that rely on data being shared, analysed or used can struggle to gain support or a social licence to operate. There is enormous potential for data to be used in ways that benefit the Australian community, for example, identifying gaps in existing services, furthering research or by making service delivery more efficient.
The potential value of data has been recognised in various initiatives. For example, the Government National Action Plan in 2016, which committed to making more public data openly available, as well as the government’s recent commitments in response to the Productivity Commission’s data availability and use inquiry, which aimed at extending the value of public data for the benefit of the Australian public.
In this year’s budget we also saw commitments to enhancing digital government services and funding for the implementation of a new consumer data right, which will give consumers the right to direct that their data be shared with others that they trust. These type of initiatives depend in part on individuals having confidence that their personal information and data, more broadly, will be managed in line with their expectations.
We do know there is room to grow this confidence in the public sector. The OAIC’s 2017 Australian Community Attitudes to Privacy Survey showed that only 58 per cent of people considered government very or somewhat trustworthy when it came to privacy. The Code is therefore a step towards building greater trust in privacy across the public service by establishing specific governance requirements for agencies.
SARAH GHALI: Let’s turn to your PMP obligations as an Australian government agency. Under the Code you must have a PMP and your agency must measure and document its performance against the PMP at least once a year.
A PMP is a document that identifies specific measurable privacy goals and targets and sets out how your agency will meet its compliance obligations under Australian Privacy Principle 1.2.
You can see the text of APP 1.2 on the slide. In short, under APP 1.2 entities must take reasonable steps to implement practices, procedures, and systems to comply with the APPs and to deal with privacy inquiries and complaints.
To get the most out of your PMP it is important that it isn’t viewed as a tick-the-box requirement. An effective PMP, like all good governance practices, has value beyond compliance.
Your PMP provides a centralised document that clarifies your agency’s privacy risk profile and your privacy maturity, that is, how well your practices and processes support you in managing this risk profile.
By providing a holistic view of privacy in your agency, your PMP enables you to identify and address any potential weak points. This, in turn, can build public trust and confidence in your agency and, of course, it can reduce the chance of making mistakes that can lead to data incidents and have a significant impact on your agency’s reputation.
Let’s turn now to how you complete your PMP. The OAIC has created an interactive PMP tool that you can download from our website. You may want to open it now as we go through to see how it works.
A key benefit of the tool is that it guides you step by step through each of the actions you will take in creating your PMP. The information you enter into the tool will automatically populate other areas and generate actions or information where relevant.
In addition to the interactive tool, we have also done a guide which will illustrate how to use it; it is called PMP Explained.
In developing these resources our office has drawn on established best practice both within the private and public sectors in Australia as well as approaches taken in international jurisdictions, particularly in New Zealand, which has also developed a similar privacy maturity assessment framework for its public service.
That being said, it is not compulsory to use our interactive PMP tool to create your plan. The tool sets out just one approach to developing a privacy management plan.
By way of context, you may be aware that the OAIC has in the past developed our resources to assist with developing a plan such as the Privacy Management Framework and the associated template.
Whatever methodology you choose to develop your agency’s PMP the key purpose of a PMP is to document your agency’s privacy goals or actions for the coming period in a way that will enable you to improve and strengthen your overall privacy governance. As we go through it, keep in mind that there is more to the tool than we can cover in depth in today’s webinar. It is well worth reading through the guide before you begin using the tool.
So before you begin actually preparing your PMP, as a preliminary step you will need to consider your agency’s specific circumstances. It is important that you have a clear understanding of your agency’s privacy risk profile as this will help you to set targets and actions that are appropriate for your agency.
There are a variety of factors you need to consider to understand your agency’s privacy risk profile. This includes your agency’s functions and activities, the nature and volume of the personal information it holds, the nature of the agency, including its size and resources as well as the sensitivity of the information you collect.
Not all agencies will face the same privacy risks so the targets and actions that are appropriate for one agency might not be the same for another.
At the bottom of this slide you will see examples of three broad privacy risk profile categories. An agency may have a low privacy risk profile when they handle little personal information and this information is not sensitive in nature. While an agency that delivers personalised services to individuals which requires the handling of a significant amount of personal information may sit at a higher risk level.
While some agencies may not handle significant amounts of personal information they may have a strong privacy influence and as such a higher risk profile, that is, they may shape the personal information handling practices of other agencies due to their role in policy setting or delivering technology or services.
For those who are wondering, as a national privacy regulator we consider ourselves to have a high privacy risk profile. You can find out more about setting a privacy risk profile in our PMP guide.
So, moving to the first formal step of actually preparing your PMP, and that is measuring your agency’s current privacy maturity. In this step you complete the risk based maturity assessment of your agency based on the framework provided in the PMP guide. You will find that in Appendix 1.
The maturity framework gets you to consider a range of criteria or elements related to your agency’s governance and culture, privacy strategy, privacy processes, risk and assurance processes and your data breach response strategy. You can then use the tool to identify your agency’s current maturity level.
The PMP tool will calculate your scores across each criteria and as a whole to generate an overall score.
You can then set targets for improving privacy in your agency based on your score and, of course, your overall risk profile.
The PMP tool will flag where a low level of maturity is likely to indicate a compliance gap. By addressing these risks as a priority you can minimise or eliminate your agency’s exposure to privacy incidents and non‑compliance with the Act.
Your privacy maturity will be categorised in one of four levels: initial, developing, defined and leader. Your agency does not necessarily need to be in the leader category across all criteria. Your maturity level targets should be a reflection of your risk profile and the circumstances of your agency in line with the assessment we outlined earlier.
As you see in the image on this slide, a fictional officer responsible for privacy has identified their agency’s current level for one criteria at Developing. They have determined that it would be appropriate for a Defined level to be achieved.
To ensure compliance with the Code your agency will generally need to sit at the Developing level. However, certain obligations under the Code may need to be scaled up in order to ensure that the privacy goals, actions and target maturity levels you set are commensurate with your privacy risk profile.
Your agency should be selective about its targets and its resulting PMP to ensure goals are achievable. Which criteria you prioritise as targets will depend on whether there are any compliance gaps for remedial action. These, of course, should be addressed first as well as your agency’s privacy risk profile and broader objectives.
Before moving to consider a case study, we might pause briefly here to remind you that we will be taking questions at the end so please send them through using the chat box.
MELANIE DRAYTON: We thought it would be beneficial to look at a case study to see how the PMP tool works in practice. For this case study we are going to follow the experience of a fictional agency, the Department of Workforce Planning.
Here is a bit of background on our fictional agency, the DWP. They help coordinate workforce planning and investment. They research commercial, economic, and geographic employment trends. They challenge and advise the federal government on future workforce needs. They hold a large amount of aggregated deidentified data about Australia’s workforce and, finally, they have access to statistical analysis undertaken by other entities.
After gathering the background information, DWP uses the PMP tool to record the rationale for its privacy risk profile. It is up to you and your agency to decide how much information to record here. Whatever you enter will be included in the PMP created once you have completed the tool process. Remember, the PMP explained resource provides additional information that will be really useful to you. You should take the time to reach a well-supported conclusion on your agency’s privacy risk profile. because it is going to inform your agency’s privacy goals and targets.
So, now it’s time to measure DWP’s privacy maturity. This requires DWP to refer to the maturity framework in the interactive PMP explained guide. On reviewing the guide, DWP determines that it is currently operating at the selected maturity levels shown on this slide. In some cases, an initial level will not meet compliance level obligations under the Privacy Act or the Code, so the PMP tool automatically highlights any gaps that indicate a compliance issue with an asterisk next to each relevant criteria name and by highlighting the cell red if the “initial” level is selected.
At this stage, the tool will also generate a score for each element across the maturity assessment.
Our next step is identifying DWP’s target maturity levels. In this case DWP has determined that it will lift its PMP practice from the “developing” level to the “defined” level. A rationale for this decision is entered into the PMP tool.
Once DWP has completed its maturity assessment and has set its target maturity levels it is time to start setting the actions that will help our DWP achieve its goals.
The first step in the process is to address any compliance gaps that came to light in the maturity assessment. The PMP tool will identify these gaps for you automatically and will ask you to document the actions your agency will take to address them.
On this slide we can see that the tool has identified a compliance gap in relation to DWP’s personal information inventory. The tool automatically generates a suggested action which, in this case, is for DWP to document the categories of personal information it collects, uses and discloses, including to any offshore recipients.
DWP has adopted the suggested action and typed it into the remediation action cell and has provided details about responsibility and due dates.
Once we have documented the actions that will help our agency address any compliance gaps, we can then move on to the improvement goals that we set in the maturity assessment. The PMP tool identifies where we set a target maturity level that is higher than our agency’s current level. The tool also provides suggested outcomes that will help our agency meet the target level.
Here we can see that DWP has set a target level of “developing” in relation to its privacy values. The tool has indicated the sort of outcomes that DWP should target to meet this higher level, and DWP has drafted an action to help meet those outcomes.
Finally, after DWP has set all of its privacy actions it needs to track its progress against them over the course of the year.
One of the key advantages of using the PMP tool is that it gives a consolidated view of all the actions and provides space for you to track your agency’s progress as well as commentary and further actions.
Once you have finished using the tool it is a good idea to share the findings and actions contained in your agency’s PMP with your privacy champion. This might include providing feedback to any staff or teams identified in the course of creating the PMP.
You could also consider sharing your PMP outcomes with other agencies so that you can further enhance your learning and strategies.
Before moving to consider some examples of actions your agencies might set for its PMP, we might pause here again to remind you to make a note of any questions you might like to ask and to send them through to us now for the Q&A session at the end. You can use the chat icon at the bottom right‑hand corner of your screen.
SARAH GHALI: Now that we have gone through the PMP process, let’s focus briefly on how you can create practical and relevant actions that help you in meeting your privacy goals. You should try to ensure that your actions are SMART, that is, specific, measurable, attainable, realistic and timely. SMART actions are clear, which makes them easier to achieve and ensures stakeholders understand what is required and what their responsibilities are. SMART actions are always easier to assess.
Let’s take a look at some examples.
On the slide here we have one action example. In this one, your agency is aiming to lift its privacy values attribute from “initial” to “developing”. So it sets the following action to lift its maturity in this respect:
The privacy officer is to develop a fact sheet which links to the agency’s values and to its privacy obligations and targets within five months.
I would consider this to be a SMART action because it is specific, a fact sheet will be created. This is measurable in that the fact sheet will either be completed or it won’t. It will be attainable as it is within the privacy officer’s expertise. It is realistic because the agency has already documented its values in our hypothetical. And it is timely; there is a deadline in place.
Let’s quickly look at another one.
For scenario 2 an agency is looking to increase their maturity level under the awareness criteria in regard to governance and culture. The action is to improve the agency’s culture to increase staff awareness about privacy. This action is not SMART. There is no specific actions set and no timeframe. There is also the question of how awareness would be measured.
So, a final example. In this scenario an agency wants to lift their data breach response plan maturity level from “developing” to “defined”. To do that, they will develop and deliver an annual training program for all staff on the contents of their response plan. Requirements of the NDB scheme and how to identify and report a suspected DBN internally. The first training program will run within six months.
On reading this action this would be considered SMART, again because it meets the criteria of being specific, measurable, attainable, realistic and timely.
Now that you have a PMP, what next? As we mentioned earlier, under the Code an agency must measure and document its performance against its PMP. We would suggest that it is valuable to track your actions throughout the year. This will not only help you to ensure you meet your obligations under the Code but will make preparing your next PMP simpler and easier.
In the last quarter of your agency’s reporting year, whether that’s a calendar year or financial, you should start to reflect on your current privacy program and consider how well your agency has met and delivered the targets set out in its current PMP. You should start this assessment process early enough to develop a strong PMP that can be endorsed by management and put in place by the start of the next year.
This brings us to the question portion of today’s session. But before we do that I will just note that we have put links to resources you can refer to on the right‑hand side of this slide. I should also say if we don’t make it to your question today we will endeavour to get back to you via email. So, our colleague Stephanie Otorepec will now be joining us for this question session.
STEPHANIE OTOREPEC: Thanks, Sarah and Melanie. I think a question came through which is just a quick one which I will address. That was from Amy, “What is the difference between the interactive PMP and the PMP template?” They are the same thing; we have referred to those things interchangeably throughout the presentation.
The first question that came through from Felicity: “Is any part of the PMP to be made public?”
SARAH GHALI: The PMP is intended to be an internal document to guide your own performance and also the particular targets and actions, so it is not intended to be a public document. We did touch on today that it might be valuable to perhaps consider sharing your outcomes with partner agencies or agencies that you work with. It is always useful to get feedback and to also get a sense of how other people are tracking, but it is not intended to be a public document.
STEPHANIE OTOREPEC: Thanks, Sarah. Second question: “Where will the slides be made available and will they be made available?”
MELANIE DRAYTON: Slides from today I am assuming. They will be available on our website under the Code page.
STEPHANIE OTOREPEC: Great. Thanks, Melanie. Just a more general question now: “Why do a PMP? Why has this obligation been included in the Code?”
MELANIE DRAYTON: Great question. Well, it is a requirement of the Code, so that’s the reason that you should be doing it. Besides that, it is a really great way to ensure you are meeting your privacy obligations on a broad level and that you have got a good understanding of where you are sitting in the privacy governance landscape and what you can do to understand your privacy risks and to mitigate those risks. I suppose it is your foundation or privacy governance document that is going to give you a good insight into how your agency can best manage privacy. People would be aware recently there have been — privacy has been a hot topic, and I think that is a good illustration that when there are serious privacy incidents it can undermine the community’s confidence in the way you handle personal information, and a PMP is a good way to avoid those situations.
STEPHANIE OTOREPEC: Thanks, Sarah and Melanie. Another question now: “Who is responsible for approving the PMP? Who does that or who should prepare the PMP?”
MELANIE DRAYTON: Your privacy champion will need to approve your PMP. It is going to be up to your agency to decide how you develop your privacy management plan and I think that is going to be dependent on who your agency is, the size, what your information holdings are and what your business is. The kind of things we talk about in assessing your maturity, your privacy maturity, will go to who is going to be best to create your plan. So, you have got latitude in deciding how you are going to create your PMP and you have the resources to help you work through that process, but your privacy champion, they are the person that is going to need to approve that plan for you.
STEPHANIE OTOREPEC: Thanks, Melanie. I have a question now about the PMP and whether that’s a requirement for private companies. So, “Will PMPs ever become a legislative must for private companies?”
MELANIE DRAYTON: Well, that is gazing into the crystal ball. I think the answer to that is right now, the obligations in the Code are for Australian government agencies but, that said, we would think this is definitely best practice. We already on our website have a privacy management framework that’s an older resource that talks about this concept of a privacy management plan. We would be encouraging anyone who is required to abide by the Privacy Act to have a think about a privacy management plan, because it really goes to the heart of meeting your obligations in Australian Privacy Principle 1.2.
STEPHANIE OTOREPEC: Thanks, Melanie. I have a question now about the PMP frequency of review: “How often does the PMP need to be updated? Does that need to happen once a year or twice a year or how often?”
SARAH GHALI: The Code requires you do it annually. From the OAIC’s perspective, in terms of our own plan we have adopted an approach of reviewing our progress against our actions quarterly. That is one way that works for us, and it helps to minimise the burden of checking and reporting at the end of the financial year. So, we have taken a more frequent approach to reviewing and tracking our progress. Really, it is up to you and what works best for your particular governance arrangements.
STEPHANIE OTOREPEC: Great. Thanks, Sarah. Now a question generally about privacy awareness culture: “Does the OAIC have some further suggestions for promoting a privacy awareness culture? For example, Privacy Awareness Week events or otherwise?”
MELANIE DRAYTON: We would encourage everyone to engage in Privacy Awareness Week. It is a fantastic opportunity to raise the profile of privacy within your entity. Certainly, Privacy Awareness Week is one vehicle, but it doesn’t stop there. You would have heard us talk a lot about how privacy culture is really important to your entity having a good understanding of how to best handle personal information. So we would be really encouraging entities to have a top‑down understanding of the value of privacy to your business and those consents that are the foundation of the Privacy Act, transparency and accountability, to make sure that everyone that is handling personal information understands those concepts and the value of doing privacy well to your business, because there is a lot of evidence that shows that doing privacy well and having a strong privacy culture can be a great competitive advantage in the business world.
When it comes to the government that important concept of social licence, of getting people’s buy‑in to the use of their personal information is integral to the success of innovative data uses.
STEPHANIE OTOREPEC: Great. Thanks, Melanie. I have a question here about the OAIC’s PMP: “Is the OAIC obviously doing a PMP and will they be sharing that PMP?”
MELANIE DRAYTON: Yes, of course. We are bound by the Privacy Act ourselves and the Code. We will be doing our PMP. We already have one. We will be undertaking the process ourselves that we have just described to you; we are in the midst of that now. We are also looking to share that with agencies that are similar to ourselves and we are interested in hearing from our agencies so we can do some peer learning as well in regard to best practice and how other agencies are working through the issues.
STEPHANIE OTOREPEC: Great. Thanks. Now a question about the timing of the PMP: “We are aware that the obligations are entering into force on 1 July of this year, so when does the PMP need to be in place? If the privacy champion is not appointed at this point will they be required to approve the PMP?”
SARAH GHALI: The obligation in the Code is to have a privacy management plan in place from 1 July. So, certainly that’s where agencies should be aiming their efforts. That doesn’t mean -‑ I know many agencies have existing plans which they are seeking to update. It doesn’t necessarily mean that you would need to start using this particular interactive tool and have a plan generated from within that particular timeframe. So, certainly it is up to you how you develop your plan and have that in place from 1 July.
In terms of the privacy champion approving, you are also required to have a champion in place by 1 July, so we would encourage agencies to be working hard to appoint that particular position.
STEPHANIE OTOREPEC: Thank you, and related to that another similar question: “So how will the OAIC be enforcing the privacy code and the requirement to have a PMP?”
MELANIE DRAYTON: That is a great question. That is something that the office is considering at the moment. Our approach to regulation is set out in our regulatory action policy. People that have worked with us in the past will know that our approach is to empower organisations to comply with their privacy obligations, so we would encourage people to have a dialogue with us and become familiar with their obligations under the Privacy Act and work towards complying as best they can from 1 July. We will certainly be working with stakeholders post 1 July to monitor compliance with their obligations. It is not going to be a situation where the Code comes into effect on 1 July and we are not going to be putting out additional resources, refining the resources that we have. It is certainly our approach to assist agencies to be compliant with the Code.
STEPHANIE OTOREPEC: Thank you. In terms of contributing to the PMP internally the question says: “We understand the PMP is not intended to be a publicly available document necessarily. However, does the OAIC perceive it as something that ought to be published internally within agencies, for example, on the intranet?”
MELANIE DRAYTON: Absolutely, if that is something your agency would like to do, we would encourage you to do so. It would be a great document to set out your privacy governance framework and that would be helpful in staff knowing what the agency’s privacy obligations are and the work that has been undertaken to meet those obligations. If that is something that agencies would like to do, we would certainly be supportive of that.
STEPHANIE OTOREPEC: Great. Thank you. Perhaps a final wrap-up question, which is relevant: “Are further webinars in relation to other requirements of the Code -- does the OAIC intend to run any other webinars in relation to the requirements under the Code, for example, the centralised record of personal information holdings?”
MELANIE DRAYTON: We would be really happy to do further webinars and we would also be happy to hear about further resources that would be of assistance to people. If you have particular ideas for additional webinars, we would encourage you to get into contact with us, send us an mail and we would be really happy to have a look through that and see what else we can do over the coming year.
STEPHANIE OTOREPEC: Great. Thank you. There might be a few more questions that have come through, but as they are a little bit more specific we might undertake to address those for you in a follow-up email.
Thank you very much for your questions that have come through attached to an email address. We will undertake to follow up with you on those, thank you.
MELANIE DRAYTON: Perfect. Thank you, everyone, for joining us this morning. We really hope you found the webinar helpful and it has given you a clearer understanding of your privacy management plan obligations. We encourage you to become familiar with the resources and the tool that we have talked about this morning but more broadly with all the Code resources that we have created. There will be more resources coming before the Code starts on 1 July and, as Stephanie mentioned, if you have particular questions you are more than welcome to email us at our code email address, email@example.com. Thank you for your attendance. We hope you found it beneficial.