The Privacy Governance Framework (the Framework) is a dynamic tool designed to assist New South Wales public sector agencies to implement robust privacy governance throughout their organisation to manage personal and health information.

Governance underpins effective and efficient public sector administration and facilitates the policy objectives of each agency, local council, state owned corporation and university. Privacy governance is an integral part of service provision and is the responsibility of governing authorities, the agency head, senior management, legal, information technology and privacy officers (explained in the Governance and Leadership section). While effective governance and leadership are essential, collaboration across the agency is a critical factor in achieving a robust privacy program.  

Privacy Governance Framework - governance and digital

This Framework can be used and incorporated into existing governance mechanisms within an agency. Oversight and accountability for privacy and the management of personal information can be achieved through existing audit and risk committee processes, or similar review and risk management oversight processes which are already in place.

The Privacy Governance Framework exists to provide guidance and help agencies, local councils, universities and state-owned corporations to comply with the Privacy and Personal Information Protection Act 1998 (including the Mandatory Notification of Data Breach (MNDB) Scheme) (PPIP Act), and the Health Records and Information Privacy Act 2002 (HRIP Act) by:

  • Better understanding privacy risks and opportunities, including the potential use and implementation of new data-driven technologies (e.g., artificial intelligence (AI));
  • Addressing roles and responsibilities throughout the agency in relation to privacy management;
  • Keeping the interests of the individual paramount in a user-centric manner;
  • Embedding a proactive approach to privacy management and privacy-by-design throughout the agency;
  • Implementing robust personal information lifecycles – that is, the collection, use, security and disposal of personal information complies with the PPIP Act and the HRIP Act;
  • Promptly notifying the NSW Privacy Commissioner and affected individuals in the event of an eligible data breach, that is, where there is unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm;
  • Ensuring there are up-to-date privacy policies and procedures (including a privacy impact assessment policy and a data sharing and privacy policy), a privacy management plan and a data breach policy in accordance with the requirements of the PPIP Act, HRIP Act and MNDB Scheme;
  • Ensuring there is privacy-by-default, and a transparent and open governance approach whatever the business practice or technology involved; and
  • Embedding a culture of protecting personal information within the agency.
