DRAFT FOR CONSULTATION, MAY 2024

Privacy Management Plan

Overview

The purpose of a Privacy Management Plan is to identify specific, measurable goals to improve your organisation’s privacy capability and outline how these goals will be achieved. [...]

Governance

Key objectives

• The governance function can demonstrate that it takes action to ensure that privacy risks, gaps or issues are appropriately identified, documented and addressed. [...]

• Staff understand what personal information is and how they can use it in their role. [...]

• There is a central log or record of the organisation’s current sharing agreements.
• Policies for data classification, including handling and retention, are documented and compliance with these policies is assessed. [...]

policies, procedures, and decisions) are regularly reviewed and fit for purpose.

Action examples | Position responsible | Due | Status
Ensure staff understand their privacy obligations and access controls relevant to their role
Develop processes and procedures for managing staff access to facilities and systems
Establish and maintain a log of [...]

• Privacy notices and statements are accessible and can be understood by their intended audience

Action examples | Position responsible | Due | Status
Establish processes for individuals to easily access and correct their personal information
Establish processes for receiving and responding to privacy enquiries and complaints
Regularly monitor [...]

via training, refreshers, or targeted sessions).

Action examples | Position responsible | Due | Status
Identify the training needs of all staff and use this information to develop a training programme
Ensure staff receive induction training prior to accessing personal information
Develop and maintain staff training records including comple [...]
Action examples | Position responsible | Due | Status
Assign roles and responsibilities for managing breaches and incidents
Create and test an incident response plan
Create and maintain an incident log for breaches and near misses
Develop procedures and systems to facilitate the reporting of security incidents and breaches
Under [...]

Action examples | Position responsible | Due | Status
Implement risk management processes to identify, assess and manage privacy risks across the business
Adopt a ‘privacy by design’ approach
Ensure staff training includes the need to consider a privacy risk assessment at the start of any project involving personal information
Measure and [...]

Measurement outcomes are regularly reviewed by the organisation’s governance function to ensure they remain fit for purpose.
• The organisation can demonstrate where performance has improved, and where monitoring has led to changes in practice/process/structure that have improved privacy outcomes.
• Processes are in place to hear from staff about privacy issues.

Action Position responsi