To mark Privacy Awareness Week our NSW State Government privacy experts provide five quick tips that all agencies should be thinking about when it comes to managing personal information and establishing a foundation of trust with key stakeholders.

Privacy Awareness Week is the ideal time to perform a privacy health check on your Privacy Management Plan and privacy practices generally…

NSW Government Privacy Health Check – 5 Key Tips

1. Review and update your Privacy Management Plan regularly (i.e. annually) and at least once every two years, in line with recommendations made by the Privacy Commissioner. Regularly reviewing and updating your Privacy Management Plan is an essential compliance step, and one that is often overlooked in our experience. For example, one of the key findings made by the Auditor-General in a recent Report into mishandling of personal information, was that the relevant agency’s Privacy Management Plan had not been updated to reflect key governance and process changes. The Report also found that the Plan did not adequately reflect the full scope and complexity of personal information handled by the agency. For some agencies their Privacy Management Plan was initially prepared in line with obligations at the commencement of the Privacy and Personal Information Protection Act 1988 (NSW) (PPIP Act) (i.e. in 2000), and it may not have been comprehensively reviewed since.

2. Conduct privacy impact assessments and have the tools and resources in place to ensure staff are aware of the role of a Privacy Impact Assessment (PIA) and are able to successfully complete and maintain a privacy impact assessment where required (or to determine that a PIA is not required and document that decision). A privacy impact assessment can help to identify and minimise privacy risks in relation to a new project or when making changes to existing processes. This is a crucial step in adopting a ‘privacy by design’ approach and can help to build and demonstrate compliance with privacy laws. Completed privacy impact assessments are invaluable in keeping a record of privacy practices so key policies and documents (including your Privacy Management Plan) can be updated regularly and more easily.

3. Implement and maintain a data breach response plan to the extent you do not already have one in place. Over the past few years we have seen a significant rise in the number of high profile data breaches impacting NSW Government agencies. In our experience, data breach response plans which are actively followed and enforced have proven essential in ensuring a coordinated and effective response to data breaches when they occur, including compliance with notification requirements where necessary. Although mandatory data breach notification obligations have not yet commenced for NSW Government agencies, the NSW Information Commissioner has set out clear expectations for voluntary notification of serious breaches.

4. Conduct regular data mapping exercises in relation to new and existing processes and initiatives, to ensure your agency has a deep understanding of how personal information is collected, used, disclosed, stored and handled. The Information and Privacy Commission (IPC) has produced innovative on-line Information Governance Agency Self-assessment Tools available for use by all NSW Government agencies. The tool enables agencies to measure the maturity of their information governance systems and implement plans to further develop those systems and meet their information access and privacy requirements.

5. Educate and train, train, train your team. The PPIP Act requires an agency to have policies and practices in place to ensure compliance with the PPIP Act and the IPC has issued guidance with detailed recommendations in relation to training staff to help them to understand how to handle personal and health information. In our experience (and as evidenced by the data collected by the Office of the Australian Information Commission in relation to data breaches reported under the Commonwealth privacy legislation), human error is one of the most significant contributing factors of any data breach. Staff awareness and training is pivotal in seeking to reduce instances of data breaches caused or contributed to by human error, and in working to develop strong and resilient privacy compliance practices and establishing a foundation of trust.