elevenM’s Angela Wong describes how to create a Privacy Management Plan and get the most out of it.
With comprehensive and complex privacy reforms underway, there’s no better time to be thinking about lining up your privacy ducks and getting your house (workplace) in order.
Whether you’re an Australian Government agency or a private sector organisation, one of the best ways to check that you’re meeting key privacy obligations under the Privacy Act 1988 is to establish or review a Privacy Management Plan (PMP).
What is a Privacy Management Plan?
The specific details that are included in a PMP can vary, but at a minimum a PMP should:
- describe your organisation’s current privacy maturity
- identify goals for improvement to your organisation’s privacy program
- describe how your organisation is going to achieve its goals.
How to develop a Privacy Management Plan
While not a new resource (Australian Government agencies have been required to have a PMP under the APP Code since 2017), the OAIC’s Interactive PMP tool provides a detailed framework that will also help businesses identify specific and measurable targets to meet privacy obligations under the Privacy Act.
There is no one-size-fits-all approach to developing a PMP. Many of the policies and practices that are ‘reasonably expected’ of a regulated entity depend on its key business functions, the amount of personal information it handles and the resources it has. The OAIC’s Privacy Maturity Framework, on which the PMP tool is based, identifies five key elements for measuring your agency or organisation’s privacy maturity:
- Privacy governance and culture
- Privacy strategy
- Privacy processes
- Risk and assurance
- Data breach response
There are 21 attributes in total under those elements, which together provide a detailed checklist of good governance characteristics. This checklist will direct you to consider existing privacy practices within your agency or organisation and the actions you can take to uplift privacy practice where necessary.
Getting the most out of a Privacy Management Plan
Developing a PMP takes time and effort, but if used properly it can be an invaluable tool for monitoring and improving your organisation’s privacy maturity. Here are some tips to help you get as much value as possible from your PMP:
Get buy-in
One of the key challenges in setting up a good governance framework is obtaining the resources to prioritise privacy. The OAIC’s 2020 Community Attitudes to Privacy Survey found that 70% of Australians see the protection of personal information as a major concern in their life. With recent media, regulator and Government attention on privacy and data breaches, this figure is likely to continue to increase. And if that’s not enough to pique the interest of your senior executive, delivering a PMP that identifies specific, measurable privacy goals, and shows how they meet compliance obligations and build customer trust, will provide a clear picture of the value of privacy, making privacy management much more digestible and achievable.
Know your business
To understand where your agency or organisation’s privacy program maturity currently sits, you need to understand the current state of affairs. This may involve measuring your current privacy maturity through a privacy capability assessment: understanding the types of personal information you hold, mapping data flows, reviewing existing policies and practices, and understanding how well team members across your agency or organisation understand and implement best privacy practice. As a privacy officer, you might not always immediately know the answers to all of the above, which takes me to the next tip.
Know your internal stakeholders
You may know your agency or business functions in terms of deliverable objectives and strategies or KPIs for business development and growth.
To know whether your business has a good handle on privacy management, you should familiarise yourself with key stakeholders in various business units within your agency or organisation, particularly in data governance, customer service, marketing and legal. For example, you need to know:
- who to check in with to ensure privacy impact assessments (PIAs) are being conducted for new initiatives that collect or handle personal information
- what training is being provided (to identify any privacy or role specific privacy training gaps)
At a more basic level, does everyone know who to go to if there’s a privacy issue? If not, then perhaps one of the goals in your PMP is to formally document and define clear lines of privacy responsibilities and reporting requirements. Privacy officers should make themselves known to all divisions within the business so they have a firm finger on the privacy pulse.
Promote privacy management as a whole-of-organisation responsibility
The three previous tips make identifying key privacy compliance goals and activities much more achievable, but without involvement and support from the whole agency or organisation, you’ll feel like the Pied Piper without his magic flute. Promoting privacy as a whole-of-organisation responsibility ensures staff all know they have a role to play and ensures the privacy officer is consulted as appropriate.
And finally, review and assess your Privacy Management Plan regularly.
Privacy management requires ongoing review and assessment to ensure that privacy policies and practices remain relevant and current. Under the APP Code, agencies must measure and document their performance against their PMP at least annually. With recent changes to data breach penalties and more regulatory reform on the horizon, there is no better time to revisit your privacy management plan to ensure compliance gaps are identified and addressed.