Privacy 101 for Government

Know your obligations

Privacy is integral to building and maintaining the community’s trust in government’s handling of their personal information. That trust is also necessary when it comes to new uses of data that may be proposed.

Ensure you understand your agency’s obligations under the Privacy Act and Australian Government Agencies Privacy Code, and keep up to date with developments in privacy and changing legal obligations.

Take steps to understand how the Australian community expects you to handle their personal information and respond to their needs and concerns.

Update your privacy plan

Australian Government agencies are required to have a privacy management plan. It also needs to be up-to-date.

Use our resources to assess your privacy practices and set goals and targets. 

A good privacy management plan will help to embed an agency culture that respects privacy, and assist your agency to build a reputation for strong and effective privacy management. 

It implicitly promotes a privacy-by-design approach to ensure that privacy compliance is included in the design of information systems and practices from their inception.

You must measure and document performance against your agency’s privacy management plan at least annually.

Assign privacy roles

Assign a member of your senior executive as your Privacy Champion to drive a strong privacy culture and have overall responsibility for privacy. 

Privacy Officers also play a critical role. They are the first point of contact on privacy issues and coordinate activities to help your agency comply with the code. 

Make sure staff know who your privacy champion and officers are and understand their responsibilities. You must also provide the contact details of your privacy officer to the OAIC.

Use our Privacy Officer Toolkit to find out more about what is required as a privacy officer.

Assess privacy risks

Assess privacy risks early. You must undertake a privacy impact assessment for all high-risk projects, and make sure you record them on your published privacy impact assessment register.

A privacy impact assessment is a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

To be effective, a privacy impact assessment should be an integral and early part of the project planning process.

They can help facilitate a privacy-by-design approach, identify better practice and help ensure compliance with the Privacy Act. 

Build in privacy by design

It’s more effective and efficient to manage privacy risks proactively.

‘Privacy by design’ is a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures.

Design legislation, programs and services to minimise or manage privacy risks. Ensure you build good privacy practices into internal systems and processes.

‘Privacy by design’ will help your agency build and maintain the community’s trust in the government’s handling of personal information.

Undertaking a privacy impact assessment will be vital in helping you facilitate a ‘privacy by design’ approach.

Secure personal information

Ensure secure systems are in place to protect personal information from misuse, loss and unauthorised access and disclosure.

Over-collection of personal information increases the risks in the event of a data breach. Agencies should only collect personal information that is reasonably necessary and directly related to carrying out the functions or activities of that agency.

For personal information already collected, ensure you understand the need to maintain the quality of that information. 

Where record keeping obligations prevent de-identification or destruction of personal information no longer required, adopt other measures to limit privacy risks (such as archiving and limiting access to those personal information holdings).

Simplify your privacy policy

Australians are more likely to trust your website or service if they have read your privacy policy, but less than a third of us read them because they’re too long and complex.

Make sure yours is written in plain language and includes a summary. 

Don’t treat the privacy policy as a legal document to manage legal risk. It should be a document that creates trust in your agency. Make it specific and relevant to what your agency does.

And importantly, remember to include information about how individuals can contact you about privacy matters.

Train your staff

Clearly outline how staff are expected to handle personal information in their everyday duties, not just in terms of general principles. Make it real, and relevant.

Integrate privacy into your induction and regular staff training programs – including for short-term staff, service providers and contractors.

Conduct regular refreshers and ensure your whole team is aware of their privacy and security obligations.

Also, make sure your staff have all the information they need to protect their own privacy at work.

The OAIC has a number of training resources to help agencies develop or improve their privacy training programs. 

Encourage your staff to engage with Privacy Awareness Week, including checking out the ‘Privacy 101 for Individuals’ section of this website!

Prepare for data breaches

Have a clear and practical data breach response plan at hand so staff know what to do if there is a data breach. A quick response is critical to effectively managing a breach. 

Your data breach response plan should outline your entity’s strategy for containing, assessing and managing the incident from start to finish. 

It can help you meet your obligations under the Privacy Act, limit the consequences of the breach, and preserve and build public trust.

You will need to regularly review and test your plan to make sure it is up to date and that your staff know what actions they are expected to take. 

Treat all suspected data breaches seriously – it’s always best to be cautious.

Review your practices

Good privacy management means being proactive, and anticipating future challenges.

Review your privacy practices and policy regularly. Make sure they meet community expectations, comply with the law, remain relevant, and address any new risks.

To help keep up to date, you can subscribe to the OAIC’s Information Matters newsletter for updates, and participate in privacy seminars, including the OAIC’s webinars.

By continually improving your privacy processes, you will ensure you are responsive to new privacy issues and that implementation will not be a burden.

Did you know?

Australian Government agencies have additional responsibilities under the Australian Government Agencies Privacy Code. The code requires agencies to take a best practice approach to privacy governance to help build a consistent, high standard of personal information management across all Australian Government agencies.

State and territory privacy regulators

Most Australian states and territories have equivalent legislation which covers their public sector agencies, and some state authorities and instrumentalities are bound by the Privacy Act.

State privacy regulators


Assess your privacy knowledge

Take our Privacy in Practice e-learning course for Australian Government agencies for more practical advice and guidance on good privacy management practices.


More resources


Become a PAW supporter

Becoming a PAW supporter gives your agency access to our supporter toolkit to help increase privacy awareness among your staff, community and stakeholders. It shows your commitment to good privacy practice and advancing the privacy rights of individuals.


Privacy 101 for Government

Privacy is central to the work of the Australian public service. 

That’s why we have put together 10 tips for government departments and agencies to apply to keep personal information safe.
