This guide is intended to assist agencies to assess their practices, procedures and activities for compliance with the Information Privacy Act 2009 (Qld) (IP Act), particularly the Information Privacy Principles (IPPs) or the National Privacy Principles (NPPs). The IPPs and NPPs are referred to collectively in this guide as the privacy principles.
This guide is not a one-size-fits-all guide which can be applied strictly to every agency. It provides guidance and suggestions, but each agency will have to develop its own self-assessment plan appropriate to its circumstances. Individual business units within the agency may need to further personalise the assessment process.
This guide is based on and draws from the Office of the Victorian Privacy Commissioner's Privacy Audit Manual and the Office of the Privacy Commissioner of Canada's PIPEDA Self-assessment Tool.
This guide should be read in conjunction with the guidelines to the IP Act, particularly the Key Concepts guidelines and the guidelines to the IPPs or the NPPs, as appropriate to the agency.
This guide is generic and is advisory only. It is not binding on agencies, and it is not, and should not be relied upon as, legal advice. Agencies requiring legal advice should consult their internal or external legal advisers.
Privacy self-assessment is a tool agencies can use to evaluate and assess their compliance with the IP Act. The self-assessment may also identify gaps and/or risks in an agency's management of personal information, and allow it to improve its privacy systems and practices.
Regular self-assessments can form part of an agency's privacy management systems and demonstrate a responsible privacy management culture.
There are three basic ways in which an agency could conduct a self-assessment:
An important part of effective self-assessment involves maintaining accurate records of privacy complaints—including how complaints were dealt with and their outcomes—and any breaches of the obligation to comply with the privacy principles. These records should be reviewed as part of any self-assessment exercise to identify:
Where agencies have not maintained specific records of this type, information about privacy complaints could be gathered as part of the assessment process. Records covering the previous three years would provide an objective indication of what agency customers think and where issues of concern may lie.
Self-assessment can be approached in a number of ways, for example:
An effective self-assessment process will involve not only reviewing an agency's privacy practices but also gathering material to show that those practices are actually being carried out. For example, if a policy sets out that a specific sort of personal information will only be collected with the consent of the individual, samples of that consent should be examined as part of the assessment process.
Self-assessments should be carefully planned, as they will inevitably involve time and resources, not just of those conducting the assessment but of the business units who will have to divert time from their activities to participate in the review. The fact that the privacy assessment will generally involve additional work for the business unit on a temporary basis should be incorporated into the planning.
In situations where an agency believes a self-assessment would not be sufficient or appropriate, an external third party could be retained to conduct an independent assessment of the agency's personal information practices.
An effective plan will:
A decision will need to be made about what the assessment is going to evaluate. Examples of things which could be assessed are:
A privacy assessment will be easier to conduct if each business unit involved in the assessment creates an inventory of the categories of personal information it collects, holds, uses or discloses. Categories of personal information could be recorded in, for example, a spreadsheet, which describes at a high level the types of personal information, how it is collected, used, disclosed, maintained and disposed of or archived.
The retention and disposal schedules issued by the Queensland State Archivist may be useful in this process.
The following questions could be useful as a guide when preparing a personal information inventory:
This step involves simply making a list of the policies, procedures, standards or work practices that are relevant to each business unit's management and use of personal information. These may be agency documents, or whole-of-government documents such as Information Standards. Any legislation that affects personal information held by the business unit should be included in this inventory.
This step involves reviewing records relating to privacy complaints and privacy breaches. The way the complaints were handled should be assessed, to identify:
Where a complaint identified a privacy breach, or a privacy breach was identified through other means, the measures introduced to stop the breach or prevent it recurring should be assessed for effectiveness and appropriateness. If the breach has recurred, a different approach will need to be identified.
See the Guideline: Privacy breach management and notification for more information on managing privacy breaches.
Part of the planning process, particularly in large and/or complex agencies, will be deciding which business units are a priority for privacy assessment. There are a number of factors which can affect the prioritisation process, such as strategic planning and level of risk.
Most Queensland government agencies have a strategic plan, which is used to set out long term goals and to prioritise agency activities and work. Privacy self-assessments can be linked to, or developed with reference to, the strategic plan, to ensure that the assessment is conducted in accordance with, and contributes to, the agency's priorities.
Business units which present a higher risk than others should be prioritised. There are a number of factors to be considered when determining which business units of an agency may present a higher risk than others, such as:
Developing a risk matrix may assist. A risk matrix allows an agency to identify the likelihood and consequences of a business unit being non-compliant with the privacy principles. Appendix One (PDF, 104.22 KB) contains a risk matrix based on one developed by the Canadian Privacy Commissioner.
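The following is an added worked example of the prioritisation step described above; it is not part of this guide or of the Appendix One matrix. It scores each business unit on a 5x5 likelihood/consequence matrix and sorts the units so the highest-risk ones are assessed first. The band thresholds, the risk factors (sensitivity and volume of personal information, breadth of access, prior complaints or breaches) and the way they are mapped to likelihood and consequence are all assumptions chosen for illustration; an agency should substitute the matrix in Appendix One and its own factors. The sample business units are constructed, not real agency data.

```python
"""Prioritising business units for privacy self-assessment with a risk matrix.

Added example, not part of the OIC guide. The 5x5 band thresholds and the
factor-to-score mappings below are assumptions for illustration only.
"""
from dataclasses import dataclass

# Assumed bands on the product likelihood * consequence (each scored 1..5).
BANDS = (
    (4, "Low"),
    (9, "Medium"),
    (15, "High"),
    (25, "Extreme"),
)


@dataclass(frozen=True)
class BusinessUnit:
    name: str
    sensitivity: int      # 1..5: how sensitive the personal information held is
    volume: int           # 1..5: how many individuals' records are held
    access_breadth: int   # 1..5: how many staff, systems or third parties can access it
    prior_incidents: int  # complaints/breaches recorded in the review period


def _check_scale(value, label):
    """Reject scores outside the 1..5 scale so a bad input cannot silently skew the matrix."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")
    return value


def rate(likelihood, consequence):
    """Return (score, band) for one cell of the assumed matrix."""
    score = _check_scale(likelihood, "likelihood") * _check_scale(consequence, "consequence")
    for ceiling, band in BANDS:
        if score <= ceiling:
            return score, band
    raise AssertionError("unreachable: score cannot exceed 25")


def likelihood_of(unit):
    """Assumed mapping: wider access and a history of incidents raise likelihood."""
    bump = min(unit.prior_incidents, 2)  # capped so one bad year cannot dominate
    return min(5, unit.access_breadth + bump)


def consequence_of(unit):
    """Assumed mapping: sensitivity dominates; a large volume pushes it up one notch."""
    return min(5, unit.sensitivity + (1 if unit.volume >= 4 else 0))


def assess(unit):
    """Score one business unit and return its matrix cell."""
    likelihood = likelihood_of(unit)
    consequence = consequence_of(unit)
    score, band = rate(likelihood, consequence)
    return {"unit": unit.name, "likelihood": likelihood,
            "consequence": consequence, "score": score, "band": band}


def prioritise(units):
    """Highest-risk units first; ties broken by name so the order is stable."""
    return sorted((assess(u) for u in units), key=lambda r: (-r["score"], r["unit"]))


# Constructed sample business units; not real agency data.
SAMPLE_UNITS = [
    BusinessUnit("Payroll", sensitivity=4, volume=3, access_breadth=2, prior_incidents=0),
    BusinessUnit("Child Safety casework", sensitivity=5, volume=4, access_breadth=3, prior_incidents=2),
    BusinessUnit("Public library memberships", sensitivity=2, volume=5, access_breadth=3, prior_incidents=1),
    BusinessUnit("Facilities bookings", sensitivity=1, volume=2, access_breadth=1, prior_incidents=0),
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_UNITS):
        print(f"{row['unit']:<28} L={row['likelihood']} C={row['consequence']} "
              f"score={row['score']:>2} {row['band']}")
```

Capping the contribution of prior incidents and validating every score against the 1..5 scale are deliberate: a prioritisation that can be pushed to "Extreme" by a single data-entry error, or by one unusually bad year, stops being a useful planning tool. The ranking is only as good as the factor scores fed into it, so the scores should be agreed with each business unit rather than assigned by the assessor alone.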
Other factors which could affect the prioritisation process are:
Criteria are clear and reasonable standards against which the business unit's personal information handling practices can be assessed. These generally take the form of questions, because questions make it simpler to reach a conclusion, reduce the level of ambiguity or uncertainty, and help to keep the assessment focused.
The criteria need to be:
The primary source of criteria will generally be the IP Act, particularly the privacy principles, and a list of generic high level criteria questions is contained in Appendix Two (PDF, 128.56 KB). Other sources of criteria may be:
To be effective, the assessment process will involve gathering information and material to answer the criteria questions. There are a number of ways to do this. For example:
There are generally four types of material considered during the assessment process:
It is good practice to review the outcome of the assessment process with the business unit which was assessed before any report is finalised. Any indication that the unit is not compliant with the privacy principles should be discussed to identify any temporary or mitigating circumstances.
If a business unit cannot demonstrate that it is able to meet the assessment criteria, then it may not be compliant with the IP Act. Evaluating the results of the self-assessment will assist an agency to identify any areas which may be of concern and to take steps to address any privacy compliance issues.
Current as at: December 18, 2013