Privacy programme governance

A privacy mission statement concisely communicates an agency’s approach to privacy to all stakeholders. It’s an important component that lays the groundwork for the rest of the privacy programme and should align with the agency’s broader purpose.

The privacy mission statement should be prepared with input from a range of stakeholders within the agency and circulated widely throughout the agency.

The privacy mission statement should take less than 30 seconds to read.

A privacy strategy lays out the goals of the agency’s privacy programme and how it will accomplish those goals.

The privacy strategy sets coherent goals for where the agency wishes to get to with its privacy practices.

These goals will work well if they are coupled with objectives that are targeted and make sense in the context of the agency’s overall privacy stance and risk profile rather than being generic or overly broad.

A privacy strategy should

• be aligned with the agency’s organisational strategy
• ensure compliance with all applicable laws (including, at a minimum, the Privacy Act 2020)
• state privacy goals to promote a privacy culture and improve privacy practices within the agency
• be owned by a member of the senior leadership team
• state a time horizon, for example, a 2-year plan
• identify key stakeholders.

A privacy policy is an internal document addressed to staff that clearly states how personal information will be handled, stored and transmitted to meet an agency’s needs and all applicable laws.

An agency may prepare additional policies to address specific business practices, such as engaging with third party suppliers.

A privacy policy should

• have a clear purpose
• have a clear scope with respect to both the information and people it applies to
• include guiding principles with respect to the agency’s management and protection of personal information
• allocate responsibility for different privacy activities to roles throughout the agency — importantly, highlighting that all staff and contractors are responsible for protecting personal information
• include a means through which compliance with the policy can be monitored (for example, through measuring privacy maturity against the Privacy Maturity Assessment Framework).

A privacy statement is an external statement addressed to anyone whose personal information is handled by an agency.

A privacy statement must be provided when an agency collects personal information from an individual.

An agency should keep a record of their privacy statements and their effective dates, so the agency knows what disclosures were made to individuals regarding the handling of their personal information.

The Office of the Privacy Commissioner has a Privacy Statement Generator to assist agencies with creating their privacy statements.

Office of the Privacy Commissioner — Privacy Statement Generator

A privacy statement should include

• who the agency is and its contact information
• what personal information is collected, directly and indirectly
• how the personal information is collected
• how the agency will use the personal information
• who the agency will share the personal information with
• if a law requires or authorises the collection of personal information, what is the law and is collection voluntary or mandatory
• what the consequences are for the individual if any or all of the requested personal information is not provided
• how the behaviour of website users is monitored
• how individuals can access and correct their personal information.