Role of this guide
This guide is intended to assist agencies to assess their practices, procedures and activities for compliance with the Information Privacy Act 2009 (Qld) (IP Act), particularly the Information Privacy Principles (IPPs) or the National Privacy Principles (NPPs). The IPPs and NPPs are referred to collectively in this guide as the privacy principles.
This guide is not a one size fits all guide which can be applied strictly to every agency. It provides guidance and suggestions but each agency will have to develop their own self-assessment plan appropriate to their circumstances. Individual business units within the agency may need to further personalise the assessment process.
This guide is based on and draws from the Office of the Victorian Privacy Commissioner's Privacy Audit Manual and the Office of the Privacy Commissioner of Canada's PIPEDA Self-assessment Tool.
This guide should be read in conjunction with the guidelines to the IP Act, particularly the Key Concepts guidelines and the guidelines to the IPPs or the NPPs, as appropriate to the agency.
This guide is generic and is advisory only. It is not binding on agencies and it is not, and should not be relied upon, as legal advice. Agencies requiring legal advice should consult with their internal or external legal advisers.
Privacy self assessment
Privacy self-assessment is a tool agencies can use to evaluate and assess their compliance with the IP Act. The self-assessment may also identify gaps and/or risks in an agency's management of personal information, and allow it to improve its privacy systems and practices.
Regular self-assessments can form part of an agency's privacy management systems and demonstrate a responsible privacy management culture.
There are three basic ways in which an agency could conduct a self-assessment:
- individual business units within the agency analyse their personal information management practices and assess their compliance against the IP Act
- another party within the agency, separate from the business unit being analysed, reviews and assesses the business unit's compliance; or
- one party in the agency, for example the officer or team responsible for IP Act compliance, could assess all of an agency's business units as part of an assessment of the entire agency.
An important part of effective self-assessment involves maintaining accurate records of privacy complaints—including how complaints were dealt with and their outcomes—and any breaches of the obligation to comply with the privacy principles. These records should be reviewed as part of any self-assessment exercise to identify:
- common or systemic issues with personal information handling which could lead to a breach of the IP Act
- issues with the privacy complaint handling process; and
- the effectiveness of measures introduced to prevent further breaches.
Where agencies have not maintained specific records of this type, information about privacy complaints could be gathered as part of the assessment process — three years would provides an objective indication of what agency customers think and where issues of concern may lie.
Self-assessment can be approached in a number of ways, for example:
- conducting a single assessment exercise across the whole agency at one time
- creating a schedule which allows for business units to be assessed on the basis of a risk management approach, first assessing those business units considered to be highest risk then moving to those which are lower risk
- a pilot project could be conducted in one unit, or several smaller units, to assess the effectiveness of the self-assessment, which would allow the approach to be adjusted before moving on to the rest of the agency.
An effective self-assessment process will involve not only reviewing an agency's privacy practices but gathering material to show that the privacy practices are being carried out. For example, if a policy sets out that a specific sort of personal information will only be collected with the consent of the individual, samples of that consent should be examined as part of the assessment process.
Self-assessments should be carefully planned, as they will inevitably involve time and resources, not just of those conducting the assessment but of the business units who will have to divert time from their activities to participate in the review. The fact that the privacy assessment will generally involve additional work for the business unit on a temporary basis should be incorporated into the planning.
- develop an assessment plan
- conduct a personal information inventory
- conduct a policy and procedure inventory and review; and
- keep and review records of privacy complaints and any privacy breaches.
In situations where an agency believes a self-assessment would not be sufficient or appropriate, an external third party could be retained to conduct an independent assessment of the agency's personal information practices.
Developing an assessment plan
An effective plan will:
- describe the business units of the agency which are to be assessed
- provide a brief description of their responsibilities and activities and the relevant privacy principles against which their personal information practices will be assessed; and
- set out the proposed schedule for the unit's assessment.
A decision will need to be made about what the assessment is going to evaluate. Examples of things which could be assessed are:
- the extent to which the policies and procedures are being implemented effectively. For example, if a security protocol is supposed to limit access to human resources information, access to the information should be tested and past access audited to determine if the control is, in fact, limiting access; and
- whether the controls or policies have been implemented and are operating effectively.
Conducting a personal information inventory
A privacy assessment will be easier to conduct if each business unit involved in the assessment creates an inventory of the categories of personal information it collects, holds, uses or discloses. Categories of personal information could be recorded in, for example, a spreadsheet, which describes at a high level the types of personal information, how it is collected, used, disclosed, maintained and disposed of or archived.
The retention and disposal schedules issued by the Queensland State Archivist may be of useful this process.
The following questions could be useful as a guide when preparing a personal information inventory:
- What personal information does the business unit collect?
- How is it collected and in which situations?
- Why is it collected?
- Who in the agency uses the personal information?
- Who has access to it?
- Where and how is it stored?
- What methods are used to ensure it is secure?
- Is it disclosed outside the agency? If so, to whom and why is it disclosed?
- How long is the personal information kept, and when and how is it disposed of (keeping in mind the obligations under the Public Records Act 2002)?
Conducting a policy and procedure inventory
This step involves simply making a list of the policies, procedures, standards or work practices that are relevant to each business unit's management and use of personal information. These may be agency documents, or whole-of-government documents such as Information Standards. Any legislation that affects personal information held by the business unit should be included in this inventory.
Review privacy complaint and breach records
This step involves reviewing records relating to privacy complaints and privacy breaches. The way the complaints were handled should be assessed, to identify:
- any possible improvements to be made in the privacy complaint handling system used by the agency; and
- areas of common concern among the agency's customers.
Where a complaint identified a privacy breach, or a privacy breach was identified through other means, the measures introduced to stop the breach or prevent it reoccurring should be assessed for effectiveness and appropriateness. If the breach has reoccurred, a different approach will need to be identified.
See the Guideline: Privacy breach management and notification for more information on managing privacy breaches.
Part of the planning process, particularly in large and/or complex agencies, will be deciding which business units are a priority for privacy assessment. There are a number of factors which can affect the prioritisation process, such as strategic planning and level of risk.
Most Queensland government agencies have a strategic plan, which is used to set out long term goals and to priorities agency activities and work. Privacy self-assessments can be linked to, or developed with reference to, the strategic plan, to ensure that the assessment is conducted in accordance with, and contributes to, the agency's priorities.
Business units which present a higher risk than others should be prioritised. There are a number of factors to be considered when determining which business units of an agency may present a higher risk than others, such as:
- the sensitivity of the personal information
- the consequences of the breach
- any trends in privacy complaints and enquiries
- issues that are the focus of public attention or concern
- emerging technological issues
- other agency activities which could impact on the assessment, such as the annual budget process or Estimates hearings.
Developing a risk matrix may assist. A risk matrix allows an agency to identify the likelihood and consequences of a business unit being non-compliant with the privacy principles. Appendix One (PDF, 104.22 KB) contains a risk matrix based on one developed by the Canadian Privacy Commissioner.
Other factors which could affect the prioritisation process are:
- the ease with which a business unit can be assessed, taking into account the level of difficulty, the sensitivity or accessibility of the personal information involved, and the resources that would be required
- the importance of scheduling the assessment process at a time that will not interfere with the activities of the business unit; and
- the extent to which the results of the assessment will assist other business units in privacy compliance, or mean that assessments of some other units will be made simpler or rendered unnecessary.
Criteria are clear and reasonable standards against which the business unit's personal information handling practices can be assessed. These generally take the form of questions, because questions make it simpler to reach a conclusion, reduce the level of ambiguity or uncertainty, and help to keep the assessment focused.
The criteria need to be:
- complete; and
The primary source of criteria will generally be the IP Act, particularly the privacy principles, and a list of generic high level criteria questions are contained in appendix two (PDF, 128.56 KB). Other sources of criteria may be:
- guidelines produced by the Office of the Information Commissioner
- any relevant public interest approvals
- the agency's privacy and related policies, practices and standards
- previous assessments or audits of the relevant business unit; and
- any relevant legislation.
Conducting the assessment
To be effective, the assessment process will involve gathering information and material to answer the criteria questions. There are a number of ways to do this. For example:
- conducting interviews with relevant business unit officers
- circulating hard copy or electronic surveys or questionnaires
- reviewing files and documents; and
- direct observation or physical inspection.
Types of material
There are generally four types of material considered during the assessment process:
- physical, which may be gathered by, for example, observation of work practices or inspecting an asset (this may not be relevant to all business units)
- documentary, such as reports, correspondence and audit logs
- verbal, often gathered through the interview process; and
- analytical, which comes from evaluating the other types of material and assessing the degree to which there is support for the conclusions reached in the assessment process.
Outcome of the assessment
It is good practice to review the outcome of the assessment process with the business unit which was assessed before any report is finalised. Any indication that the unit is not compliant with the privacy principles should be discussed to identify any temporary or mitigating circumstances.
If a business unit cannot demonstrate that it is able to meet the assessment criteria, then it may not be compliant with the IP Act. Evaluating the results of the self-assessment will assist an agency to identify any areas which may be of concern and to take steps to address any privacy compliance issues.
Current as at: December 18, 2013