1. Effective oversight
Effective oversight of privacy practice through effective governance.
Guidance note
An agency’s activities to build a privacy culture, develop privacy capability and implement its privacy programme will only succeed if they are governed and overseen by the senior leadership or executive team.
Ensuring that the privacy officer provides regular updates, and is able to discuss the agency’s various privacy activities with the senior leadership or executive team, increases the likelihood that these activities are implemented successfully, appropriately and efficiently.
An agency will have existing oversight structures and practices. These will be the natural starting point for designing and implementing effective oversight of privacy activities and the monitoring processes that support and enable effective oversight.
Criteria 1: Privacy reporting
Informal
The senior leadership or executive team has little awareness of, or pays little attention to, privacy and its management.
Foundational
The privacy officer engages with the senior leadership or executive team, governance board and/or committees when there are specific issues and events that need to be addressed.
Managed
The privacy officer has regular updates and discussions with the senior leadership or executive team, governance board and/or committees on the agency’s privacy culture and values, privacy strategy and programme, and privacy issues and risks.
Criteria 2: Privacy and risk management
An agency needs to be aware that there is a difference between assessing a project’s privacy risk and assessing its organisational privacy risk.
A Privacy Impact Assessment (PIA) assesses a project’s privacy risk. To assess organisational privacy risk, an agency needs to understand what personal information it holds and how privacy is reflected in its values, policies and culture.
It is important that senior leadership, the risk management team and the privacy team work together to ensure privacy risks are integrated into the agency’s risk management.
Informal
People have a general idea of who is responsible for aspects of privacy. Day-to-day functional leadership responsibilities have not been clearly assigned, and privacy is not integrated into the agency’s risk management structure.
Foundational
A senior leader has been assigned responsibility for functional oversight for privacy, though privacy is not integrated into the agency’s risk management structure.
Managed
Functional oversight for privacy and its work programme is integrated into the risk management organisational structure and includes monitoring compliance.
2. Delivery of objectives
Delivery of objectives through management structure, roles and responsibilities, and the capacity to achieve these objectives.
Guidance note
To achieve the agency’s privacy objectives, a privacy officer or team relies on the structure and accountabilities of other teams to get suitable visibility of the progress of the privacy work programme. This visibility helps privacy officers or teams to:
accurately report to senior leadership on the privacy work programme’s progress
know when to provide privacy advice, support and direction to teams.
Project teams, planners and resource managers need to understand what they contribute to these objectives and how, and to know that these objectives are linked to organisational priorities.
It is essential to have the right resourcing, both in number and capability, for the senior leadership or executive team to have confidence that privacy objectives will be met. For example, the number of planned privacy-related tasks or activities in a work programme needs to be sufficiently resourced for the work programme to be successful.
Criteria 1: Responsibility and accountability
Informal
Responsibility and accountability for the implementation of the privacy strategy and work programme are unclear or absent.
Foundational
The responsibility and accountability for the implementation of the privacy strategy and work programme are seen as the sole responsibility of the privacy officer or team and are not suitably distributed throughout the agency.
Managed
Formal line management and governance include responsibility and accountability for the implementation of the privacy strategy and work programme. These responsibilities are suitably distributed throughout the agency.
Criteria 2: Resourcing
Informal
Resourcing for privacy staff and activities is ad hoc and not commensurate with the agency’s privacy profile and privacy work programme.
Foundational
Resourcing for privacy staff and activities is planned at the individual initiative level.
Managed
Resourcing for privacy staff and activities is considered at a strategic level within the agency and is commensurate with the agency’s privacy profile and privacy work programme.
Criteria 3: Oversight and visibility
Informal
Privacy activities are ad hoc or reactive.
Foundational
Because privacy objectives are planned at the individual initiative level, the privacy officer or team does not have sufficient visibility and oversight of the initiatives that need to deliver privacy objectives.
Managed
The privacy officer or team oversees the privacy work programme, maintains central oversight of privacy initiatives and activities on an agency-wide basis, communicates regularly with other related functions (for example, information management, security, risk management), and has clear alignment (where applicable) with their work programmes.
3. Confidence in organisational progress
Confidence in organisational progress through appropriate monitoring and assurance practices.
Guidance note
Integrating monitoring and assurance practices with the conduct of privacy activities is a key element of good practice, for the same reasons that monitoring and assurance are used in any other area of an agency’s business.
Criteria 1: Privacy and assurance
Informal
Privacy risk ownership and responsibilities are reactive and ad hoc. Some controls are functioning to enable timely risk management. The governance group does not receive assurance reviews of its controls and risk management processes.
Foundational
Privacy risk ownership and responsibilities are defined in documented practices and processes. The risk management protocols are applied by individual initiatives or teams. The governance group relies on periodic assurance reviews to provide confidence in its controls and risk management processes.
Managed
Well-functioning controls and assurance mechanisms are in place to enable the ongoing monitoring of privacy risk. The existing systems and processes make it easy to identify a privacy risk early and escalate it in real time to be able to proactively mitigate risk.
The agency has a controlled and measured assurance environment that allows it to continuously learn and refine its internal practices. The governance group is reasonably confident in the agency’s privacy risk management.