Checklist - Privacy Management Plans
Read the document below or download it here: Checklist - Privacy Management Plans, updated October 2024
| Who is this information for? | NSW public sector agency staff seeking support on Privacy Management Plans |
|---|---|
| Why is this information important to them? | This checklist can be used by public sector staff to assess the content of their agencyβs Privacy Management Plan once it has already been prepared. |
Section 33 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires agencies to have a privacy management plan (plan). A plan sets out an agencyβs commitment to respecting the privacy rights of clients, employees, and members of the public. It should also explain an agencyβs practices and procedures in handling personal information under the PPIP Act and health information under the Health Records and Information Privacy Act 2002 (HRIP Act).
This checklist does not prescribe the structure and format a plan should follow. Rather, it is a useful tool for an agency to assess the content of its plan once it has already been prepared.
The NSW Privacy Commissioner also uses this checklist to assess the quality of plans they receive from agencies.
For practical information on how to write a plan, please refer to the Guide to Making Privacy Management Plans.
Review Questions
| Yes | Part | No | Comments | |
|---|---|---|---|---|
| General | ||||
| 1. Does the plan mention the agencyβs requirement to have a plan? |
β |
β |
β |
|
|
2. Does the plan describe the main kinds of personal and health information managed by the agency? Tip: think about this question in context of the functions and activities of the agency |
β |
β |
β |
|
| Information Protection Principles (sections 8 -19, Part 1, Division 1 of the PPIP Act) | ||||
|
3. Does the plan explain how the personal information the agency collects is related to the agencyβs functions and activities (IPP 1)? e.g. enquiries, complaints handling, core business, human resources, recruitment |
β |
β |
β |
|
| 4. Does the plan indicate when the agency collects personal information from the person and when it is collected from third parties (IPP 2)? |
β |
β |
β |
|
| 5. Does the plan explain how and when a person is notified that their personal information is being collected (IPP 3)? |
β |
β |
β |
|
| 6. Does the plan explain how the agency ensures that the collection of personal information is relevant, not excessive and is not an unreasonable intrusion (IPP 4)? |
β |
β |
β |
|
| 7. Does the plan generally explain how the agency stores, protects and disposes of personal information (IPP 5)? |
β |
β |
β |
|
|
8. Does the plan explain how the agency helps a person find out:
|
β |
β |
β |
|
| 9. Does the plan set out how a person can access their personal information (IPP 7)? |
β |
β |
β |
|
| 10. Does the plan set out how a person can request an amendment to their personal information (IPP 8)? |
β |
β |
β |
|
| 11. Does the plan explain how the agency checks the accuracy of personal information before using it (IPP 9)? |
β |
β |
β |
|
| 12. Does the plan mention how the agency limits its use of personal information (IPP 10)? |
β |
β |
β |
|
| 13. Does the plan mention how the agency limits disclosure of personal information (including other jurisdictions) (IPP 11)? |
β |
β |
β |
|
| 14. Does the plan explain how the agency deals with sensitive personal information (IPP 12)? |
β |
β |
β |
|
| Health Privacy Principles (clauses 1-15, Schedule 1 to the HRIP Act) | ||||
|
15. Does the plan explain how the health information the agency collects is related to the agencyβs functions and activities (HPP 1)? e.g. enquiries, complaints handling, core business, human resources, recruitment |
β |
β |
β |
|
| 16. Does the plan explain how the agency ensures that the collection of personal information is relevant, not excessive and is not an unreasonable intrusion (HPP 2)? |
β |
β |
β |
|
| 17. Does the plan indicate when the agency collects health information from the person and when it is collected from third parties (HPP 3)? |
β |
β |
β |
|
| 18. Does the plan explain how and when a person is notified that his/her health information is being collected (HPP 4)? |
β |
β |
β |
|
| 19. Does the plan explain how the agency stores, protects and disposes of health information (HPP 5)? |
β |
β |
β |
|
|
20. Does the plan explain how the agency helps a person find out:
|
β |
β |
β |
|
| 21. Does the plan set out how a person can access his/her health information (HPP 7)? |
β |
β |
β |
|
| 22. Does the plan set out how a person can request an amendment to his/her health information (HPP 8)? |
β |
β |
β |
|
| 23. Does the plan mention how the agency checks the accuracy of health information before using it (HPP 9)? |
β |
β |
β |
|
| 24. Does the plan mention how the agency limits its use of health information (HPP 10)? |
β |
β |
β |
|
| 25. Does the plan mention how the agency limits disclosure of health information (HPP 11)? |
β |
β |
β |
|
| 26. Does the plan mention whether the agency assigns identifiers to individuals (if applicable) (HPP 12)? |
β |
β |
β |
|
| 27. Does the plan mention whether it gives individuals the opportunity to remain anonymous (HPP 13)? |
β |
β |
β |
|
|
28. Does the plan mention whether the agency discloses health information to individuals or bodies outside of NSW (HPP 14)? e.g. Commonwealth, interstate, overseas |
β |
β |
β |
|
| 29. Does the plan mention whether the agency includes health information in a health records linkage system (if applicable) (HPP 15)? |
β |
β |
β |
|
| 30. Does the plan mention whether any exemptions in the PPIP Act or the HRIP Act are particularly relevant to the agency? |
β |
β |
β |
|
| Exemptions | ||||
| 31. Does the plan mention whether there are any particular codes of practice or public interest directions relevant to the agency? |
β |
β |
β |
|
| 32. Does the plan mention whether there is any relevant legislation that allows the agency not to comply with any of the IPPs or HPPs? |
β |
β |
β |
|
| 33. Does the plan mention whether the agency has any Memorandums of Understanding or referral arrangements with other agencies? |
β |
β |
β |
|
| 34. If any of 31 to 33 are applicable, does the plan briefly explain how they actually impact on the agencyβs handling of personal or health information? |
β |
β |
β |
|
| Public registers | ||||
| 35. Does the plan advise whether the agency has any public registers that contain personal or health information? |
β |
β |
β |
|
| 36. If so, does the plan explain whether the personal or health information in these public registers can be accessed, and how? |
β |
β |
β |
|
| 37. Does the plan explain how a person can apply for personal or health information to be suppressed in a public register? |
β |
β |
β |
|
| Internal reviews and complaints | ||||
| 38. Does the plan explain a personβs right to seek an internal review? |
β |
β |
β |
|
|
39. Does the plan set out the internal review process? e.g. how to apply for one, relevant timeframes, who makes the decision, how decisions are made, how the applicant is advised of the decision. Tip: if an agency does not have its own form, it can use the generic form on our website. |
β |
β |
β |
|
| 40. Does the plan explain the notification process and the role of the Privacy Commissioner? |
β |
β |
β |
|
| 41. Does the plan explain a personβs right to an external review from the NSW Civil and Administrative Tribunal (NCAT) if dissatisfied with the internal review outcome? |
β |
β |
β |
|
| 42. Does the plan set out the agencyβs alternative complaint process at the agency if a person wants to resolve an issue informally? |
β |
β |
β |
|
| 43. Does the plan include the option to make a complaint to the Privacy Commissioner? |
β |
β |
β |
|
| Mandatory Notification Data Breach (MNDB) | ||||
| 44. Does the plan provide information on how data breaches will be managed by the agency? |
β |
β |
β |
|
| 45. Does the plan provide information on how to access the agencyβs Data Breach Policy and provide a link to the Policy? |
β |
β |
β |
|
| 46. Does the plan provide information on the process for assessing and notifying eligible data breaches to the Privacy Commissioner? |
β |
β |
β |
|
| Offences | ||||
| 47. Does the plan generally explain the offences in the PPIP Act and HRIP Act? |
β |
β |
β |
|
| Raising awareness of the plan and using it | ||||
|
48. Does the plan set out how the agency trains staff to use the plan and comply with their privacy obligations? e.g. induction, periodic training, day to day work, what staff should do if unsure about a privacy issue |
β |
β |
β |
|
|
49. Does the plan set out how the agency educates members of the public in the agencyβs privacy obligations and their privacy rights? e.g. published on the web, mentioned on forms that collect personal or health information |
β |
β |
β |
|
| Other agencies | ||||
| 50. Does the plan cover more than one agency? |
β |
β |
β |
|
| 51. If so, are the agencies listed individually? |
β |
β |
β |
|
| 52. Does the plan go into enough detail about the functions and the personal and health information managed by each agency covered? |
β |
β |
β |
|
| Privacy-related policies and procedures | ||||
| 53. Does the plan describe how the agency devises its policies and practices to comply with the PPIP Act and the HRIP Act? |
β |
β |
β |
|
| 54. Does the plan specify whether there are other policies and procedures relevant to the plan? |
β |
β |
β |
|
|
55. If so, does the plan mention how the agency makes these documents available to staff and members of the public? Tip: website links can be useful here |
β |
β |
β |
|
| Accuracy | ||||
| 56. Is there an adoption/version date on the plan? |
β |
β |
β |
|
| 57. Is there a review date on the plan? |
β |
β |
β |
|
| 58. Are any references to legislation in the plan current? |
β |
β |
β |
|
| 59. If applicable, do the website links in the plan work? |
β |
β |
β |
|
| Readability | ||||
| 60. Is the structure of the plan logical? |
β |
β |
β |
|
| 61. Does the plan have a table of contents? |
β |
β |
β |
|
| 62. Is the level of detail and length of the plan appropriate? |
β |
β |
β |
|
|
63. Is the plan written in plain English? Tip: show your draft plan to a new staff member or a member of the public and ask whether they can understand it |
β |
β |
β |
|
| 64. Is the plan helpful to members of the public and staff? |
β |
β |
β |
|
| Contact details | ||||
| 65. Does the plan include current contact details for the Privacy Contact Officer or relevant privacy section at the agency for privacy-related enquiries? |
β |
β |
β |
|
| 66. Does the plan include current contact details for the Information and Privacy Commission NSW (IPC)? |
β |
β |
β |
|
| 67. Does the plan include current contact details for the NSW Civil and Administrative Tribunal (NCAT)? |
β |
β |
β |
|
| Accessibility | ||||
|
68. Does the plan explain how the agency makes it available to staff and members of the public? e.g. website, over the counter, mailed out on request |
β |
β |
β |
|
|
69. Will the plan be on the agencyβs website and easy to find? Note: the plan is a policy document (open access information) under the Government Information (Public Access) Act 2009 (GIPA Act) |
β |
β |
β |
|
| General comments |
|---|
|
|
For more information contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au
