Checklist - Privacy Management Plans
The Privacy Management Plans Checklist appears below. A PDF version of this publication (Checklist - Privacy Management Plans, updated June 2023) is available for download.
Section 33 of the Privacy and Personal Information Protection Act 1998 (PPIP Act) requires agencies to have a privacy management plan (plan). A plan sets out an agency’s commitment to respecting the privacy rights of clients, employees, and members of the public. It should also explain an agency’s practices and procedures in handling personal information under the PPIP Act and health information under the Health Records and Information Privacy Act 2002 (HRIP Act).
This checklist does not prescribe the structure and format a plan should follow. Rather, it is a useful tool for an agency to assess the content of its plan once it has already been prepared. The NSW Privacy Commissioner also uses this checklist to assess the quality of plans they receive from agencies.
For practical information on how to write a plan, please refer to the Guide to Making Privacy Management Plans.
General
1. Does the plan mention the agency's requirement to have a plan?
- Yes
- Part
- No
- Comments__________________________________________________
2. Does this plan describe the main kinds of personal and health information managed by the agency?
- Yes
- Part
- No
- Comments__________________________________________________
Tip: think about this question in context of the functions and activities of the agency.
Information Protection Principles (Part 2, Division 1 of the PPIP Act)
3. Does this plan explain how the personal information the agency collects is related to the agency's functions and activities (IPP 1)?
- Yes
- Part
- No
- Comments__________________________________________________
e.g. enquiries, complaints handling, core business, human resources, recruitment
4. Does the plan indicate when the agency collects personal information from the person and when it is collected from third parties (IPP 2)?
- Yes
- Part
- No
- Comments__________________________________________________
5. Does the plan explain how and when a person is notified that their personal information is being collected (IPP 3)?
- Yes
- Part
- No
- Comments__________________________________________________
6. Does the plan explain how the agency ensures that the collection of personal information is relevant, not excessive and is not an unreasonable intrusion (IPP 4)?
- Yes
- Part
- No
- Comments__________________________________________________
7. Does the plan explain how the agency stores, protects, and disposes of personal information (IPP 5)?
- Yes
- Part
- No
- Comments__________________________________________________
8. Does the plan explain how the agency helps a person find out:
- whether the agency holds their personal information
- the nature of the information
- the main purpose for which it is collected
- his/her right of access (IPP 6)?
- Yes
- Part
- No
- Comments__________________________________________________
9. Does the plan set out how a person can access their personal information (IPP 7)?
- Yes
- Part
- No
- Comments__________________________________________________
10. Does the plan set out how a person can amend their personal information (IPP 8)?
- Yes
- Part
- No
- Comments__________________________________________________
11. Does the plan explain how the agency checks the accuracy of personal information before using it (IPP 9)?
- Yes
- Part
- No
- Comments__________________________________________________
12. Does the plan mention how the agency limits its use of personal information (IPP 10)?
- Yes
- Part
- No
- Comments__________________________________________________
13. Does the plan mention how the agency limits disclosure of personal information (including other jurisdictions) (IPP 11)?
- Yes
- Part
- No
- Comments__________________________________________________
14. Does the plan explain how the agency deals with sensitive personal information (IPP 12)?
- Yes
- Part
- No
- Comments__________________________________________________
Health Privacy Principles (clauses 1-15, Schedule 1 to the HRIP Act)
15. Does the plan explain how the health information the agency collects is related to the agency’s functions and activities (HPP 1)?
- Yes
- Part
- No
- Comments__________________________________________________
e.g. enquiries, complaints handling, core business, human resources, recruitment
16. Does the plan explain how the agency ensures that the collection of personal information is relevant, not excessive and is not an unreasonable intrusion (HPP 2)?
- Yes
- Part
- No
- Comments__________________________________________________
17. Does the plan indicate when the agency collects health information from the person and when it is collected from third parties (HPP 3)?
- Yes
- Part
- No
- Comments__________________________________________________
18. Does the plan explain how and when a person is notified that their health information is being collected (HPP 4)?
- Yes
- Part
- No
- Comments__________________________________________________
19. Does the plan explain how the agency stores, protects and disposes of health information (HPP 5)?
- Yes
- Part
- No
- Comments__________________________________________________
20. Does the plan explain how the agency helps a person find out:
- whether the agency holds their health information
- the nature of the information
- the main purpose for which it is collected
- his/her right of access (HPP 6)?
- Yes
- Part
- No
- Comments__________________________________________________
21. Does the plan set out how a person can access his/her health information (HPP 7)?
- Yes
- Part
- No
- Comments__________________________________________________
22. Does the plan set out how a person can amend his/her health information (HPP 8)?
- Yes
- Part
- No
- Comments__________________________________________________
23. Does the plan mention how the agency checks the accuracy of personal information before using it (HPP 9)?
- Yes
- Part
- No
- Comments__________________________________________________
24. Does the plan mention how the agency limits its use of health information (HPP 10)?
- Yes
- Part
- No
- Comments__________________________________________________
25. Does the plan mention how the agency limits disclosure of health information (HPP 11)?
- Yes
- Part
- No
- Comments__________________________________________________
26. Does the plan mention whether the agency assigns identifiers to individuals (if applicable) (HPP 12)?
- Yes
- Part
- No
- Comments__________________________________________________
27. Does the plan mention whether it gives individuals the opportunity to remain anonymous (HPP 13)?
- Yes
- Part
- No
- Comments__________________________________________________
28. Does the plan mention whether the agency discloses health information to individuals or bodies outside of NSW (HPP 14)?
- Yes
- Part
- No
- Comments__________________________________________________
e.g. Commonwealth, interstate, overseas
29. Does the plan mention whether the agency includes health information in a health records linkage system (if applicable) (HPP 15)?
- Yes
- Part
- No
- Comments__________________________________________________
Exemptions
30. Does the plan mention whether any exemptions in the PPIP Act or the HRIP Act are particularly relevant to the agency?
- Yes
- Part
- No
- Comments__________________________________________________
31. Does the plan mention whether there are any particular codes of practice or public interest directions relevant to the agency?
- Yes
- Part
- No
- Comments__________________________________________________
32. Does the plan mention whether there is any relevant legislation that allows the agency not to comply with any of the IPPs or HPPs?
- Yes
- Part
- No
- Comments__________________________________________________
33. Does the plan mention whether the agency has any Memorandums of Understanding or referral arrangements with other agencies?
- Yes
- Part
- No
- Comments__________________________________________________
34. If any of the above are applicable, does the plan briefly explain how they actually impact on the agency’s handling of personal or health information?
- Yes
- Part
- No
- Comments__________________________________________________
Public registers
35. Does the plan advise whether the agency has any public registers that contain personal or health information?
- Yes
- Part
- No
- Comments__________________________________________________
36. If so, does the plan explain whether the personal or health information in these public registers can be accessed, and how?
- Yes
- Part
- No
- Comments__________________________________________________
37. Does the plan explain how a person can apply for personal or health information to be suppressed in a public register?
- Yes
- Part
- No
- Comments__________________________________________________
Internal reviews and complaints
38. Does the plan explain a person’s right to seek an internal review?
- Yes
- Part
- No
- Comments__________________________________________________
39. Does the plan set out the internal review process?
- Yes
- Part
- No
- Comments__________________________________________________
e.g. how to apply for one, relevant timeframes, who makes the decision, how decisions are made, how the applicant is advised of the decision
Tip: if an agency does not have its own form, it can use the generic form on our website
40. Does the plan explain the notification process and the role of the Privacy Commissioner?
- Yes
- Part
- No
- Comments__________________________________________________
41. Does the plan explain a person’s right to an external review from the NSW Civil and Administrative Tribunal (NCAT) if dissatisfied with the internal review outcome?
- Yes
- Part
- No
- Comments__________________________________________________
42. Does the plan set out the agency’s alternative complaint process if a person wants to resolve an issue informally?
- Yes
- Part
- No
- Comments__________________________________________________
43. Does the plan include the option to make a complaint to the Privacy Commissioner?
- Yes
- Part
- No
- Comments__________________________________________________
Offences
44. Does the plan generally explain the offences in the PPIP Act and HRIP Act?
- Yes
- Part
- No
- Comments__________________________________________________
45. Does the plan set out how the agency trains staff to use the plan and comply with their privacy obligations?
- Yes
- Part
- No
- Comments__________________________________________________
e.g. introduction, periodic training, day to day work, what staff should do if unsure about a privacy issue.
46. Does the plan set out how the agency educates members of the public in the agency’s privacy obligations and their privacy rights?
- Yes
- Part
- No
- Comments__________________________________________________
e.g. published on the web, mentioned on forms that collect personal or health information.
Other agencies
47. Does the plan cover more than one agency?
- Yes
- Part
- No
- Comments__________________________________________________
48. If so, are the agencies listed individually?
- Yes
- Part
- No
- Comments__________________________________________________
49. Does the plan go into enough detail about the functions and the personal and health information managed by each agency covered?
- Yes
- Part
- No
- Comments__________________________________________________
Privacy-related policies and procedures
50. Does the plan describe how the agency devises its policies and practices to comply with the PPIP Act and the HRIP Act?
- Yes
- Part
- No
- Comments__________________________________________________
51. Does the plan specify whether there are other policies and procedures relevant to the plan?
- Yes
- Part
- No
- Comments__________________________________________________
52. If so, does the plan mention how the agency makes these documents available to staff and members of the public?
- Yes
- Part
- No
- Comments__________________________________________________
Tip: website links can be useful here
Accuracy
53. Is there an adoption/version date on the plan?
- Yes
- Part
- No
- Comments__________________________________________________
54. Is there a review date on the plan?
- Yes
- Part
- No
- Comments__________________________________________________
55. Are any references to legislation in the plan current?
- Yes
- Part
- No
- Comments__________________________________________________
56. If applicable, do the website links in the plan work?
- Yes
- Part
- No
- Comments__________________________________________________
Readability
57. Is the structure of the plan logical?
- Yes
- Part
- No
- Comments__________________________________________________
58. Does the plan have a table of contents?
- Yes
- Part
- No
- Comments__________________________________________________
59. Is the level of detail and length of the plan appropriate?
- Yes
- Part
- No
- Comments__________________________________________________
60. Is the plan written in plain English?
- Yes
- Part
- No
- Comments__________________________________________________
Tip: show your draft plan to a new member of staff or a member of the public and ask whether they can understand it.
Contact details
61. Is the plan helpful to members of the public and staff?
- Yes
- Part
- No
- Comments__________________________________________________
62. Does the plan include current contact details for the Privacy Contact Officer or relevant privacy section at the agency for privacy-related enquiries?
- Yes
- Part
- No
- Comments__________________________________________________
63. Does the plan include current contact details for the Information and Privacy Commission NSW (IPC)?
- Yes
- Part
- No
- Comments__________________________________________________
64. Does the plan include current contact details for the NSW Civil and Administrative Tribunal (NCAT)?
- Yes
- Part
- No
- Comments__________________________________________________
Accessibility
65. Does the plan explain how the agency makes it available to staff and members of the public (e.g. website, over the counter, mailed out on request)?
- Yes
- Part
- No
- Comments__________________________________________________
66. Will the plan be on the agency’s website and easy to find?
- Yes
- Part
- No
- Comments__________________________________________________
For more information contact the Information and Privacy Commission NSW (IPC):
Freecall: 1800 472 679
Email: ipcinfo@ipc.nsw.gov.au
Website: www.ipc.nsw.gov.au