- Is your agency’s privacy management plan (PMP) up to date?
- Does your agency have a register of the types of personal information it holds, where that information is located and when it should be destroyed?
- Is your agency’s data breach response plan (DBR) up to date?
- Do you have a systemised process for reviewing the PMP and DBR? This includes for example:
- a timeframe requirement for the PMP and the DBR to be reviewed, such as annually; and
- specifying the position responsible for carrying out and reporting on the review of each of the PMP and the BDR, together with any recommended updates to the PMP and DBR.
- Is there active personal information lifecycle management occurring on a continuing basis? This includes, for example:
- Is only necessary personal information being collected, used and stored?
- Is there a process in place to reconcile retention of personal information in accordance with record-keeping requirements with the requirement to dispose of personal information that is no longer required to be retained in accordance with the PPIP Act and the HRIP Act?
- What is the mechanism for ensuring that personal information, which is no longer required to be retained, is being securely disposed of?
- What are the roles and responsibilities of those involved in ensuring the above steps are actively managed and the collaboration across agency staff to ensure that personal information lifecycle management is occurring on a continuing basis?
- Are PIAs being carried out throughout the organisation for projects, system changes or changes to current or new technology including AI, involving the processing of personal information?
| Privacy Program Components |
The privacy program includes:
Read next: Complaints and incident management
Download the Framework and Guide
