3 May 2023

Developing an effective privacy program toolkit


For a lot of people in the privacy space, help with the basics is exactly what they need. Whether you are new to privacy or working for an organisation whose privacy program is new or underdeveloped, the basics are where you need to start.

This Privacy Awareness Week, whose theme is ‘Back to Basics’, we have developed a free privacy toolkit. In the privacy industry we often spend a lot of time on the ‘what’: what is privacy, what is personal information, is this personal information, what should I do with this personal information…

But this week, in support of getting the framework right, we are focussing on the ‘how to’: how to get the most out of your privacy processes, how to do a lot with a little, how to build reusable processes, how to be strategic and proactive…

We hope these resources are helpful to anyone who uses them.

1. Building a privacy impact assessment toolbox

A good PIA process has four parts:

  1. Identify the need for a PIA.
  2. Gather the information.
  3. Assess the privacy risks.
  4. Mitigate the risks and approve the outcomes.

Doing these four steps well is time-consuming and, in a lot of organisations, very resource-intensive for a privacy team.

‘Building a privacy impact assessment toolbox’ is an interactive resource that will step you through the four steps of a PIA and provide you with key tools to support you in this process. (You may also download a PDF version of this resource; however, we recommend viewing the interactive version first.)

2. Information gathering checklist

The second of the four steps of a PIA is information gathering. This covers reviewing organisational policy and process documents (such as privacy policies and collection notices), interviewing the people involved in the project, and observing or assessing physical processes (where relevant).

What form this information gathering takes, what you read, and who you talk to will vary from organisation to organisation, and will also vary with the situation and the type of project you are assessing. However, there are common types of information and certain roles that feed into the information gathering for most PIAs. It is therefore possible to develop a template ‘Information gathering checklist’ that you use as the starting point for this step.

We have developed a generic ‘Information gathering checklist’ to help get you started, and which you can customise to your organisation.

3. PIA register template

The final step of a PIA is to mitigate the identified risks and record approval of the actions taken against those risks. The actions need to be specific and pragmatic, so that everyone is clear about what must be done to reduce or remove each risk.

It is important to document approvals and key decisions in a centralised register that is used for all PIAs. This register should be specific to the processes and approvals of your organisation; if you need a starting point, the Office of the Australian Information Commissioner’s PIA tool includes a template approvals and decisions register.

It is also important to document the PIAs that you have undertaken. This will help you monitor the progress of assessments which are planned or underway, and the outcomes of completed assessments (including risks and remedial actions).

We have developed a template ‘PIA register’ to help get you started, and which you can customise to your organisation.

4. Developing a privacy heatmap

No privacy team can be everywhere, and it can be hard to know where to focus, but there is plenty of data available to help with this problem.

Developing a privacy heatmap is about using process data to proactively identify, and strategically target, the business areas that need more attention. The idea is to use process data to spot trends and potential issues. However, it is also important to apply a risk lens, distinguishing business areas that have a higher risk profile from those that may simply have less need to engage with the privacy team.

‘Developing a privacy heatmap’ is an interactive resource module that will step you through some of the questions and considerations in developing a privacy heatmap, and how you can use it to support the privacy function. (You may also download a PDF version of this resource; however, we recommend viewing the interactive version first.)

Contact us

Reach out to elevenM for expert guidance and assistance when it comes to undertaking PIAs in your organisation: Contact us, email hello@elevenM.com.au or phone 1300 003 922.