Gaining buy-in for a privacy programme
A successful privacy programme needs to have buy-in from decision-makers and stakeholders.
Why buy-in is important
Buy-in from decision-makers and stakeholders will ensure that:
- the privacy programme is allocated appropriate resources
- privacy is embedded within the agency’s culture
- individuals within the agency support the privacy programme and are aware of their role within it.
Resourcing a privacy programme
When making a business case for the resourcing of a privacy programme, it’s important to ensure that the decision-makers understand what’s required to implement and manage a successful privacy programme.
Most of a programme’s resources would generally be allocated across 3 areas:
An agency’s privacy team needs to have:
- a sufficient number of staff who are appropriately skilled. The composition of the team will vary depending on the agency’s context, size and risk profile.
- the resources to support the required privacy processes, such as conducting data inventories, risk assessments, and identifying and implementing appropriate controls.
In today’s market, there are numerous privacy technologies that can facilitate the operation of an agency’s privacy programme. Automation, efficiency and consistency are some of the benefits that these technologies can provide.
An agency also needs to invest in its ICT infrastructure to ensure that it remains secure.
Identifying decision-makers and stakeholders
Identifying decision-makers and communicating the importance of an effective privacy programme is an important part of managing a privacy programme. Getting buy-in from an agency’s senior leaders is vital for obtaining the resources required to manage the privacy programme and embedding privacy within the agency’s culture.
A privacy programme also requires support from a range of teams within the agency, including, among others:
- Information management
- Information security
- Human resources
- Learning and development
- Risk and assurance
- Health and safety
Communicating the benefits
An effective privacy programme has a range of benefits that needs to be presented to decision-makers and stakeholders to gain the resources and support required to operate effectively.
Benefits of an effective privacy programme include the following:
Increased trust and confidence
The public’s trust and confidence in an agency gives the agency social license (permission) to make decisions about the management and use of the public’s data without sanction. Social license makes it easier for the agency to carry out its activities.
Additionally, if people have trust and confidence in an agency, they’ll be more likely to engage with the agency and receive the services they need.
By having an effective privacy programme, an agency will foster this trust and confidence.
An effective privacy programme will allow an agency to identify and mitigate its privacy risks. A privacy programme will not eliminate all breaches, but it can decrease the risk of a breach, reduce the number of breaches and improve how an agency responds to a breach.
If an agency has a tested privacy incident response plan, it will allow the agency to contain a breach more quickly and better mitigate the impact of the breach by lessening the loss.
In 2019 the global average time to identify a breach was 206 days and the average time to contain a breach was 73 days, totalling 279 days.
Compliance with applicable laws
Privacy legislation provides a baseline of privacy practice by setting out how agencies can collect, use, disclose, store, and provide access to personal information. Complying with applicable privacy laws reduces the likelihood of misuse or unauthorised disclosure of personal information held by an agency.
An effective privacy programme is the best way to facilitate compliance with all applicable privacy laws, including the Privacy Act and Privacy Codes.
The Privacy Commissioner administers the Privacy Act and considers complaints about breaches of privacy and access to personal information. The Privacy Act 2020 further strengthens the role of the Privacy Commissioner by providing the Commissioner with the power to issue a compliance notice against the agency or impose a fine of up to $10,000.
Human Rights Review Tribunal (HRRT)
An agency may be brought before the Human Rights Review Tribunal (HRRT) by an individual for breaches of the Privacy Act.
The Tribunal has said that, unless there is a reason to award less, cases at the less serious end of the spectrum will range from $5,000 to $10,000. More serious cases can range from $10,000 to around $50,000, and the most serious cases will range from $50,000 upwards.
To date, the most the HRRT has awarded for a privacy matter is just over $168,000.
Reporting the benefits
Using privacy metrics
Once an agency’s privacy programme is underway, use privacy metrics to illustrate the programme’s benefits.
Metrics can facilitate discussions with senior leaders, other business units and stakeholders. Using metrics can also advance the maturity of an agency’s privacy programme and operations. The Privacy Maturity Assessment Framework (PMAF) is an example of using metrics to both communicate with stakeholders and improve an agency’s privacy practices.
Different metrics can be used for different audiences depending on their level of interest, influence and responsibility. One way to communicate the benefits is to develop metrics for different aspects of the information life cycle — collection, storage and security, use, access and correction, disclosure, retention, and disposal — as well as different processes (for example, incidents, training, and risk profile). These metrics can illustrate an agency’s trends over time and lead to a more in-depth conversation about the agency’s privacy programme.
The Privacy Opportunity Wheel
The Privacy Opportunity Wheel is another way to communicate the benefits of an agency’s privacy programme and how good management of personal information can bring about opportunities and benefits.