The Essentials of Privacy Compliance for NSW Government Agencies

To mark Privacy Awareness Week, our NSW State Government privacy experts provide five quick tips all agencies should consider when it comes to managing personal information and establishing a basis of trust with key stakeholders.

Privacy Awareness Week is a great time to do a privacy health check of your privacy management plan and privacy practices in general…

NSW Government Privacy Health Check – 5 Key Tips

1. Review and update your privacy management plan regularly (i.e. annually) and at least once every two years, as recommended by the Privacy Commissioner. Regularly reviewing and updating your privacy management plan is an essential compliance step that, in our experience, is often overlooked. For example, one of the key findings of the Auditor General in a recent report on the mismanagement of personal information was that the agency’s privacy management plan had not been updated to reflect major changes in governance and process. The report also found that the plan did not adequately reflect the full scope and complexity of the personal information handled by the agency. For some agencies, the privacy management plan was initially prepared in accordance with obligations at the commencement of the Privacy and Personal Information Protection Act 1988 (New South Wales) (PPIP Act) (i.e. in 2000), and it may not have been thoroughly reviewed since.

2. Conduct Privacy Impact Assessments, and have the tools and resources in place to ensure staff are aware of the role of a Privacy Impact Assessment (PIA) and are able to complete and maintain a PIA as needed (or determine that a PIA is not necessary and document that decision). A PIA can help identify and minimise the privacy risks associated with a new project or with changes to existing processes. This is a critical step in adopting a “privacy by design” approach and can help establish and demonstrate compliance with privacy laws. Completed PIAs are invaluable as a record of privacy practices, so that key policies and documents (including your privacy management plan) can be updated regularly and more easily.

3. Implement and maintain a data breach response plan, if you don’t already have one in place. Over the past few years, we have seen a significant increase in the number of high-profile data breaches affecting government agencies in New South Wales. In our experience, data breach response plans that are actively maintained and enforced have proven essential to ensuring a coordinated and effective response to data breaches when they occur, including meeting notification requirements where necessary. Although mandatory data breach notification obligations have yet to commence for NSW government agencies, the NSW Information Commissioner has set clear expectations for voluntary notification of serious breaches.

4. Conduct regular data mapping exercises with respect to new and existing processes and initiatives, to ensure that your agency has a thorough understanding of how personal information is collected, used, disclosed, stored and processed. The Information and Privacy Commission (IPC) has produced an online information governance self-assessment tool for agencies, available for use by all government agencies in New South Wales. The tool enables agencies to measure the maturity of their information governance systems and to implement plans to further develop those systems and meet their access to information and privacy requirements.

5. Educate and train, train, train your team. The PPIP Act requires an agency to have policies and practices in place to ensure compliance with the PPIP Act, and the IPC has published guidelines with detailed recommendations on staff training to help staff understand how to handle personal and health information. In our experience (and as evidenced by data collected by the Office of the Australian Information Commissioner on data breaches reported under Commonwealth privacy legislation), human error is one of the biggest contributing factors to data breaches. Raising staff awareness and training is essential to reducing instances of data breaches caused or facilitated by human error, to developing strong and resilient privacy practices, and to establishing a foundation of trust.

Ashley C. Reynolds