Privacy Management Plan: Purpose


Privacy Management Plan

Purpose

• This privacy management plan supports the AOFM to meet and monitor its ongoing
compliance pursuant to Australian Privacy Principle (APP) 1.2. It does this by identifying areas
where compliance has been met, and specific, measurable goals and targets that the AOFM will
take to implement the four steps outlined in the Office of the Australian Information
Commissioner’s (OAIC’s) Privacy Management Framework.

Step 1. Embed: a culture of privacy that enables compliance

Action | Responsibility | Status | Due
--- | --- | --- | ---
Adopt a ‘privacy by design’ approach | Privacy Officer | In progress | 30 June 2018
Assign key roles and responsibilities for privacy management | Privacy Champion | Complete | N/A
Assign staff responsibility for managing privacy | Privacy Champion | Complete | N/A
Create reporting mechanisms that ensure senior staff are routinely informed about privacy issues | Privacy Officer | Complete | N/A
Ensure staff understand their privacy obligations and the roles of the OAIC | Privacy Officer | In progress | 30 June 2018

• The AOFM embeds a culture of privacy through a number of mechanisms including its
Privacy Policy, Employment Policy and Procedures, Security Policy and value statements. Taken
together, these ensure that staff take responsibility for their actions and undertake their duties
bearing in mind the need to comply with obligations and expectations of the Government, APS,
market participants and public. We monitor compliance in accordance with the Assurance Policy
and performance systems, and are subject to external independent reviews.

• The Privacy Officer will develop a privacy impact assessment (PIA) template [1] (to be added as
an attachment to this document) and training material to ensure that staff maintain an awareness
of the current obligations, including the considerations relevant to identifying, assessing and
managing privacy risks. Privacy risks will be managed at the Business Unit, project or contract
management level commencing with the PIA. If deemed material, privacy risks for a particular
matter can be elevated to the Enterprise Risk Register.

[1] The APPs require ‘privacy by design’, an approach whereby privacy compliance is designed into projects dealing with
personal information right from the start, rather than being bolted on afterwards. Conducting privacy impact
assessments (PIAs) helps entities to ensure privacy compliance.

Page 1 of 4

Step 2. Establish: robust and effective privacy practices, procedures and systems

Action | Responsibility | Status | Due
--- | --- | --- | ---
Keep information about your business’s personal information holdings up to date | Business Unit Heads | Complete | N/A
Develop and maintain processes around the handling of personal information prior to collection, while personal information is held, and once it is no longer needed | Business Unit Heads, Privacy Officer | Complete | N/A
Integrate privacy into staff training and induction processes | Privacy Officer | In progress | 30 June 2018
Develop and implement a clearly expressed and up to date privacy policy | Privacy Officer | Complete | N/A
Implement risk management processes to identify, assess and manage privacy risks across the business | Privacy Officer | In progress | 30 June 2018
Establish processes for receiving and responding to privacy enquiries and complaints | Privacy Officer | Complete | N/A
Establish processes that allow individuals to promptly and easily access and correct their personal information | Privacy Officer | Complete | N/A
Create a data breach response plan | Chief Risk and Compliance Officer | In progress | 30 June 2018

• The AOFM maintains an understanding about its information holdings through the
maintenance of data risk registers, business procedures, business impact assessments and business
process maps. Processes to collect, hold and dispose of personal information are embedded in
business unit procedures and the information governance framework (under review). These
documents and processes are subject to independent periodic review.

• As the majority of personal information held by the AOFM relates to its employees, this
information is accessible and able to be corrected at any time. Access to personal information is
granted on request from individuals. Contact with relevant AOFM data custodians will depend
on the specific holdings (e.g. employment-related data requests would be handled by Corporate
Development, debt register queries would be handled by Settlements or Computershare, financial
system data would be handled by the Finance Unit). For external parties, the Privacy Policy
outlines the process.

• The Chief Risk and Compliance Officer (CRCO) is progressing the development of a data
breach response plan that will dovetail with the Business Continuity and Information Governance
frameworks.


Step 3. Evaluate: your privacy practices, procedures and systems to ensure continued effectiveness

Action | Responsibility | Status | Due
--- | --- | --- | ---
Regularly monitor and review privacy processes, policies and notices | Privacy Officer | In progress | 30 June 2018
Document compliance with privacy obligations, including keeping records on privacy process reviews, breaches and complaints | Privacy Officer | In progress | 30 June 2018
Measure your performance against this privacy management plan | Privacy Officer | In progress | 30 June 2018
Create channels for staff and customers to provide feedback on privacy processes | Privacy Officer | Complete | N/A

The AOFM will implement its Privacy Policy in April 2018. The Privacy Officer will then monitor,
report on and measure the AOFM’s performance against the policy and this plan in August of each
year as part of the ongoing reporting to the Privacy Champion. This will include an assessment of
our compliance with the AOFM’s policy and plan, as well as the ongoing currency of our
arrangements where our context, risk exposure and/or external obligations have changed.

Step 4. Enhance: your response to privacy issues

Action | Responsibility | Status | Due
--- | --- | --- | ---
Use the results of evaluations to make changes to practices, procedures and systems to improve privacy processes | Privacy Officer | TBC | 30 June 2019
Have your privacy processes externally assessed/audited to identify areas for improvement | Chief Risk and Compliance Officer | TBC | 30 June 2020
Keep up to date with issues and developments in privacy law and changing legal obligations | Privacy Officer | Complete | Ongoing
Monitor and address new security risks and threats | Privacy Officer | Complete | Ongoing
Examine and address the privacy implications, risks and benefits of new technologies. Consider implementing privacy enhancing technologies that allow you to minimize and better manage the personal information you handle | Business Unit Heads on a case-by-case basis | TBC | Ongoing
Introduce initiatives that promote good privacy standards in your business practices | Privacy Champion | TBC | Ongoing
Participate in Privacy Awareness Week and other privacy events | Privacy Officer | Complete | Ongoing

The AOFM will determine its continuous improvement priorities on the basis of experience,
research and evaluation.

Privacy Impact Assessment Template

A Privacy Impact Assessment (PIA) is a systematic assessment of an activity that identifies the
impact that the activity might have on the privacy of individuals, and sets out the mitigation
strategies for managing, minimising or eliminating that impact.

PIAs are an important component in the protection of privacy, and should be part of the overall
risk management and planning process of APP entities for their own activities or where a service
provider will be handling personal information on the AOFM’s behalf. To be effective, the PIA
should be an integral part of the project planning process, not an afterthought. Privacy issues that
are not properly addressed can impact on the community’s trust in an entity and undermine the
project’s success.

Completing the PIA will:

• describe the flow of personal information
• assess the possible impact on individuals’ privacy
• identify options for avoiding, minimising or mitigating negative privacy impacts
• ensure all privacy requirements are met

This assessment should be completed with reference to the APPs. Guidance is available from the
Office of the Australian Information Commissioner website:

https://www.oaic.gov.au/individuals/privacy-fact-sheets/general/privacy-fact-sheet-17-australian-privacy-principles

https://www.oaic.gov.au/agencies-and-organisations/app-guidelines/
