Privacy management framework: enabling compliance and encouraging good practice (2022)

The Privacy management plan template is now available to help you develop a privacy management plan for your entity.



This Privacy management framework (Framework) provides steps the Office of the Australian Information Commissioner (OAIC) expects you to take to meet your ongoing compliance obligations under Australian Privacy Principle (APP) 1.2.

APP 1 ensures that personal information is managed in an open and transparent way. APP 1.2 requires you to take reasonable steps to implement practices, procedures and systems that ensure compliance with the APPs. This means that you must be proactive in establishing, implementing and maintaining privacy processes. Compliance with APP 1.2 should be understood as a matter of good governance.

A leadership commitment to a culture of privacy is a foundation for good privacy governance. Good privacy governance can improve business productivity and help to develop more efficient business processes. Good privacy governance will also help you manage both the risk of a privacy breach and your response should one occur. Personal information is one of your most valuable business assets. By embedding a culture that respects privacy, you will build a reputation for strong and effective privacy management that will inspire trust and confidence in your entity.

The Framework has four steps. These are the steps you should take to ensure you practice good privacy governance and meet your ongoing compliance obligations. Which commitments you implement within each step, and who performs these, will depend upon your particular circumstances, including your entity’s size, resources and business model.


Step 1: Embed: a culture of privacy that enables compliance

Good privacy management stems from good privacy governance. Ensure your leadership and governance arrangements create a culture of privacy that values personal information.

To embed a culture of privacy, make a commitment to:

  • treat personal information as a valuable business asset to be respected, managed and protected. Outline how protecting personal information is important for your business

  • appoint key roles and responsibilities for privacy management, including a senior member of staff with overall accountability for privacy. Also have staff responsible for managing privacy, including a key privacy officer, who are responsible for handling internal and external privacy enquiries, complaints, and access and correction requests

  • adopt a ‘privacy by design’ approach. Ensure you consider the seven foundational principles of privacy by design in all your business projects and decisions that involve personal information

  • allocate resources to support the development and implementation of a privacy management plan that aligns your business processes with your privacy obligations. Your plan should outline how you will implement and monitor the steps outlined in this Framework, and meet your goals or objectives for managing privacy

  • implement reporting mechanisms that ensure senior management are routinely informed about privacy issues

  • understand your privacy obligations. The APP guidelines provide guidance on how the OAIC will interpret the APPs and what matters it may take into account when exercising its functions and powers

  • understand the role of the OAIC. The Privacy regulatory action policy explains the OAIC’s approach to using its privacy regulatory powers and how it will communicate information.


Step 2: Establish: robust and effective privacy practices, procedures and systems

Good privacy management requires the development and implementation of robust and effective practices, procedures and systems.

To establish good privacy practices, procedures and systems, make a commitment to:

  • keep information about your business’s personal information holdings (including the type of information you hold and where it is held) up to date. This includes information held off-shore, or that is in the physical possession of a third party

  • develop and maintain processes to ensure you’re handling personal information in accordance with your privacy obligations. Ensure these processes:

  • promote privacy awareness within your entity by integrating privacy into your induction and regular staff training programs (including short term staff, service providers and contractors). This should include training staff on their privacy obligations and your processes. The OAIC has a number of training resources to help you with this

  • develop and implement a clearly expressed and up to date privacy policy. Ensure your privacy notices are also up to date and consistent with your privacy policy. The Guide to developing an APP privacy policy provides tips and a checklist to help you develop and assess your privacy policy

  • implement risk management processes that allow you to identify, assess and manage privacy risks across your business, including personal information security risks. The Guide to securing personal information provides steps and strategies you should consider taking to protect personal information, including privacy impact assessments, information security risk assessments and regular reviews of your personal information security controls


  • undertake privacy impact assessments for business projects or decisions that involve new or changed personal information handling practices (including implementing new technologies). The Guide to undertaking privacy impact assessments includes information on threshold assessments, which will help you determine whether a privacy impact assessment is necessary

  • establish processes for receiving and responding to privacy enquiries and complaints. The Handling privacy complaints resource provides information to help you address a privacy complaint

  • establish processes that allow individuals to promptly and easily access and correct their personal information

  • develop a data breach response plan. The Data breach notification — A guide to handling personal information security breaches provides guidance to assist you to respond effectively to data breaches.

Step 3: Evaluate: your privacy practices, procedures and systems to ensure continued effectiveness

Systematically examine the effectiveness and appropriateness of your privacy practices, procedures and systems to ensure they remain effective and appropriate.

To evaluate your privacy practices, procedures and systems, make a commitment to:

  • monitor and review your privacy processes regularly. This could include assessing the adequacy and currency of your practices, procedures and systems, including your privacy policy and privacy notices, to ensure they are up to date and being adhered to

  • document your compliance with your privacy obligations, including keeping records on privacy process reviews, breaches and complaints. Ensure senior management and those with responsibility for privacy management are briefed on risks or issues identified

  • measure your performance against your privacy management plan. Regularly review your implementation of this Framework and your progress towards your objectives or goals


  • create channels for both your staff and customers to provide feedback on your privacy processes, such as a suggestion box and feedback form.

Step 4: Enhance: your response to privacy issues

Good privacy management requires you to be proactive, forward thinking and to anticipate future challenges. By continually improving your privacy processes, you will ensure you are responsive to new privacy issues and that implementation will not be a burden.

To enhance your response to privacy issues, make a commitment to:

  • use the results of your Step 3 evaluations to make changes to your practices, procedures and systems that improve your privacy processes. Track the performance of any new measures you implement

  • consider having your privacy processes externally assessed to identify areas for improvement

  • consider adopting good privacy practices that go beyond the requirements of the APPs, where appropriate. The APP guidelines and other OAIC resources provide examples of good privacy practices

  • keep informed of issues and developments in privacy law and changing legal obligations. Subscribe to the OAIC’s news email list OAICnet for updates and participate in privacy seminars, including the OAIC’s webinars

  • monitor and address new security risks and threats. Subscribe to the Stay Smart Online Alert Service and follow the steps it suggests for ensuring online security, including implementing software updates and patches. The Australian Cyber Security Centre and CERT Australia also provide guidance on cyber security issues

  • examine and address the privacy implications, risks and benefits of new technologies. Consider implementing privacy enhancing technologies that allow you to minimise and better manage the personal information you handle


  • introduce initiatives that promote good privacy standards in your business practices. Highlight examples of good personal information handling so that your staff know what is expected of them

  • participate in Privacy Awareness Week and other privacy events. By bringing privacy into the spotlight, you will ensure your staff remain privacy aware.


How do you monitor privacy compliance?

Here are 7 habits of highly effective privacy compliance programs to help keep you on track:
  1. Appoint a Chief Privacy Officer. ...
  2. Document data process flows. ...
  3. Define and communicate privacy policies. ...
  4. Monitor controls and use of personal information. ...
  5. Establish incident response procedures.
Feb 7, 2020

Which key roles would be involved in privacy governance?

Managers are responsible for considering privacy issues, implementing privacy policies and procedures and managing the handling of personal information across their business unit activities (projects, programs and service delivery). Front line staff comply with the policies and procedures set out by their agency.

What is a privacy management framework?

The Privacy Management Framework (PMF) can be used as a foundational element in establishing and operating a comprehensive information privacy program that addresses privacy obligations and risks while facilitating current and future business opportunities.

What are the 13 Australian Privacy Principles?

Australian Privacy Principles
  • the collection, use and disclosure of personal information.
  • an organisation or agency's governance and accountability.
  • integrity and correction of personal information.
  • the rights of individuals to access their personal information.

Why is privacy compliance important?

Privacy compliance is the line between the legal and the illegal. Such regulations help protect consumers in different countries by ensuring data is handled appropriately. Another reason why organizations must comply is to avoid heavy fines.

What is privacy compliance and why is it important?

A privacy compliant organization provides solid administrative, technical, and physical security safeguards to ensure confidentiality, integrity, and availability of data. This includes the effective ability to detect and prevent unauthorized or inappropriate access to data.

What strategies can be used to improve privacy protection by an organization?

5 Ways Your Organization Can Ensure Improved Data Security
  • Train Your Workforce. ...
  • Embrace a Data-Centric Security Strategy. ...
  • Implement Multi-Factor Authentication (MFA) ...
  • Set Strict Permissions for the Cloud. ...
  • Exercise Vigilance for Patch Management. ...
  • Just the Beginning of Data Security.
Jan 28, 2020

What are the five privacy framework functions?

The five Functions, Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P, defined below, can be used to manage privacy risks arising from data processing.

What are three 3 ways you can protect a client's privacy? ›

Despite technological advancements, some rules will always apply: Keep your clients' files in a safe cabinet. Use the shredding machine. Never leave documents where people can get them.

What are the 5 principles of communication privacy management theory?

The listed elements provide understanding of how we can better understand communication between people about their own information. The five core theory elements are private information, private boundaries, control and ownership, rule-based management, and privacy management.

Which are the 4 basic principles of data privacy?

Generally, these principles include: Purpose limitation. Fairness, lawfulness, and transparency. Data minimization.

What are the 3 principles of data privacy?

Principles of Transparency, Legitimate Purpose and Proportionality. The processing of personal data shall be allowed subject to adherence to the principles of transparency, legitimate purpose, and proportionality.

What are the 8 rights to privacy?

These eight rights are:
  • The Right to Be Informed.
  • The Right of Access.
  • The Right to Rectification.
  • The Right to Erasure.
  • The Right to Restrict Processing.
  • The Right to Data Portability.
  • The Right to Object.
  • The Right to Avoid Automated Decision-Making.
Jul 1, 2022

What are the Australian Privacy Principles and why are they important?

Ensures that APP entities manage personal information in an open and transparent way. This includes having a clearly expressed and up to date APP privacy policy. Requires APP entities to give individuals the option of not identifying themselves, or of using a pseudonym.

What are the 6 privacy principles?

The GDPR: Understanding the 6 data protection principles
  • Lawfulness, fairness and transparency. ...
  • Purpose limitation. ...
  • Data minimisation. ...
  • Accuracy. ...
  • Storage limitation. ...
  • Integrity and confidentiality.
Dec 9, 2021

How do you monitor compliance in the workplace?

Corporate Compliance Law: How to Ensure Your Workplace is Compliant
  1. Create a risk management plan to aid in the identification and handling of risks and hazards.
  2. Regularly assess the work environment and procedures, ensuring they comply with safety best practices.
Feb 20, 2022

Who monitors data privacy compliance of an organization?

A data protection officer (DPO) is an enterprise security leadership role required by the General Data Protection Regulation (GDPR). Data protection officers are responsible for overseeing a company's data protection strategy and its implementation to ensure compliance with GDPR requirements.

What does it mean to monitor compliance?

Compliance monitoring is a continuous process to ensure that affected staff are following all policies and procedures in the manual. Its purpose is to spot compliance risk issues in an organization's operations or functions.

What is a compliance monitoring procedure?

Compliance monitoring refers to the quality assurance tests organizations do to check how well their business operations meet their regulatory and internal process obligations.

How do you encourage compliance?

How To Ensure Compliance In The Workplace: 9 Tips
  1. Documenting policies and procedures is key. ...
  2. Consistently apply your policies and procedures. ...
  3. Remove barriers to compliance. ...
  4. Reinforce with training. ...
  5. Stay current with ever-changing laws and regulations. ...
  6. Make sure all employees are following procedures.
Mar 25, 2021

What are three examples of compliance?

Examples of regulatory compliance laws and regulations include the Payment Card Industry Data Security Standard (PCI DSS), Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), Sarbanes-Oxley Act (SOX), EU's General Data Protection Regulation (GDPR) and the ...

What methods can you use to ensure compliance?

5 Steps to Ensure Compliance
  • Stay on track with changing laws and regulations. Compliant is not something your organization just is. ...
  • Involve specialists. Especially small and growing organizations may unintentionally break laws. ...
  • Ensure employees follow procedures. ...
  • Schedule regular internal audits. ...
  • Use the right software.
Apr 8, 2020

What is privacy in compliance?

The area of privacy compliance law addresses how organizations meet legal and regulatory requirements for collecting, processing, or maintaining personal information. Data privacy breaches can lead to regulatory investigations and fines.

What is compliance in data privacy?

Privacy compliance is a company's accordance with established personal information protection guidelines, specifications or legislation.

What are the 5 key responsibilities of a data protection officer?

Responsibilities of the data protection officer
  • Uphold data protection laws and practices. ...
  • Monitor compliance. ...
  • Support business operations and data handling. ...
  • Notify teams and authorities of data breaches. ...
  • Foster a security-aware culture.
Dec 13, 2021

What is an example of compliance?

External compliance, also known as regulatory compliance, refers to following the rules, regulations and industry standards set by the law. These are mandatory guidelines you must follow in order to stay in business. For example, registering your business name is an act of practicing external compliance.

What are the 7 elements of compliance?

7 Elements Of A Legally Effective Compliance Program
  • Policies & Procedures.
  • Chief Compliance Officer/Compliance Committee.
  • Education & Training.
  • Reporting.
  • Monitoring & Auditing.
  • Enforcement.
  • Responding To Issues.

What are the 3 phases of compliance?

The Three-Stage Preparation to Meet Compliance Requirements
  • Define and list down organization risks.
  • Continuous audit and compliance.
  • Best practices to Implement SOD.
Nov 14, 2019

What is the purpose of compliance management?

Compliance management is the process of ensuring employees and activities across the organization are in line with laws, regulations, and requirements. Requirements are set by a wide range of entities, including governments, regulatory and industry bodies, and employee unions.

What are the responsibilities of compliance?

Compliance officers are responsible for ensuring their organization adheres to government regulations — domestically as well as globally, if applicable — and avoids missteps that could result in hefty fines, legal ramifications and reputation damage.


Article information

Author: Margart Wisoky

Last Updated: 10/05/2022
