Templates to kick-start your privacy management program
Quickly produce the foundational documents needed for your privacy compliance program, such as a Data Breach Response Plan, Privacy Impact Assessment Report, audit tools, collection notices, consent forms and more.
Every one of these Template documents has been designed specifically to reflect the requirements of NSW public sector agencies, regulated by NSW privacy laws. Each Template comes as a Word document; simply follow the instructions to quickly create all the key documents needed to support privacy compliance in your agency.
These templates are only available in one of these Compliance Kits:
Template Data Breach Response Plan (including Data Breach Policy)
From November 2023, the Mandatory Notification of Data Breaches Scheme requires NSW public sector agencies to report to the NSW IPC, and to notify affected individuals, about certain types of data breaches. In some cases, other laws will impose additional reporting or notification requirements. This template document offers a ready-made procedure for your agency, which will streamline the process of responding to a data breach. This Template Plan:
- has a quick decision-tree guide for all staff
- defines for your staff what is a data breach, and who they need to report to if they suspect a data breach has occurred
- offers guidance on how to establish a Breach Response Team
- sets out a four-step response procedure for the Privacy Officer and Breach Response Team to follow
- lists the factors to consider when assessing the ‘serious harm’ threshold test
- allows for triaging – i.e. different steps according to whether the breach is high / medium / low risk
- calls out the additional obligations under EU law if the European General Data Protection Regulation (GDPR) applies to you
- calls out the additional obligations under New Zealand law if the Privacy Act (NZ) applies to you
- includes a template for both internal and external reporting
- includes a template notification letter for affected customers, and
- explains the role of a Data Breach Response Plan versus a Data Breach Policy, and how to develop your public-facing Policy out of your comprehensive internal-facing Plan, reflecting guidance issued by the IPC.
Template Privacy Risk Assessment Procedure
Privacy Impact Assessment is a fantastic methodology for assessing the potential privacy risks of projects; but when and how should PIAs be done? This template will help you establish a Privacy Risk Assessment Procedure, customised for your organisation. It includes:
- a five-step procedure, allowing low-risk projects to be reviewed quickly, while higher-risk projects proceed to a more comprehensive PIA
- a flowchart to visualise all five steps in the procedure
- an explanation of what is required at each point of the procedure
- a threshold privacy assessment questionnaire, and
- a comprehensive Privacy Risk Assessment Questionnaire to test for compliance with PPIPA and HRIPA, which can be applied to projects or business units across your agency to help teams self-identify any privacy risks, gaps or weaknesses. The Questionnaire also includes extra topics to assess if your agency is regulated by the GDPR.
Template PIA Report
Having followed your Privacy Risk Assessment Procedure to the point of conducting a PIA, a project manager might now be wondering how to actually write up their PIA Report. This template offers a standard structure for a project manager (or the Privacy Officer) to follow, with plain language explanations of the law to be considered, and tips on what types of recommendations might be needed to deal with different types of privacy risks.
Template Privacy Audit Survey
This Privacy Audit Survey is designed as an information gathering tool for the Privacy Officer to kick-start a data inventory process, and/or an organisation-wide privacy audit or compliance review. It includes instructions on how to conduct a privacy audit of your agency.
Template Privacy Audit Report
This template offers a standard structure for a Privacy Officer to follow when writing up the results of their privacy audit. It includes plain language explanations of the law to be considered, and tips on what types of recommendations might be needed to deal with different types of privacy risks. It also includes a risk rating methodology and detailed instructions.
Template Collection Notices and Consent Forms
This document offers a set of different templates, with instructions on what information to fill in where, to help you customise Collection Notices and Consent Forms for your agency. It also helps explain when you will need a Consent Form, compared with when a Collection Notice will do. It also includes the extra bits you will need if your agency is regulated by the GDPR as well.
Template Data Use Protocol
How do you manage the legal and ethical considerations when using personal information in new ways? Who should approve internal requests to access or use data, and what criteria should they use?
Privacy risks are contextual, so this template Data Use Protocol offers a risk management approach which flexes to the circumstances of each data use request. A set of clear risk indicators is used to channel data use requests into tiered approval pathways: ‘red flags’ suggest higher level risks or possible reasons not to proceed, while ‘amber flags’ suggest the need for caution, ethical consideration, and/or additional risk mitigation controls. Three tiered approval pathways reflect the degree of risk posed by different data use proposals, and offer clarity around who must be involved in the approval process, the criteria involved in granting approval, the conditions placed upon data access and use, and the degree of ongoing oversight needed, for any particular data use proposal.
Template Data Governance Protocol
The objective of a Data Governance Protocol is to provide a structured approach to managing the various regulatory and operational demands on customers’ data, in a way that reflects your agency’s day-to-day decision-making needs. For any given dataset, a Data Governance Protocol can set out a definition of the primary purpose of each collection, as well as allowed secondary purposes. The Protocol then becomes a ready guide for anyone in the agency wondering if they can use a certain type of personal information for a particular purpose, whether for ‘business as usual’ or more innovative projects.
This document offers a template Data Governance Protocol, with instructions on what information to fill in where, for each major dataset held by your agency.
Template Contract Clauses
This document will help you develop standard contract clauses, suitable to be included in agreements you are drafting or negotiating with third party suppliers, vendors, contractors or other organisations or individuals. Once you have customised these clauses to suit your agency, you can require all teams to include these clauses, or look for similar requirements, whenever they are dealing with third parties, no matter the size or type of contract or arrangement. It also includes the extra clauses you will need for your data processors if your agency is regulated by the GDPR as well.
Template Staff Undertaking
This template will help you quickly draft a document for staff to sign at induction, or as part of training or on-boarding new users to a system. It explains what privacy and confidentiality obligations they have, and the penalties associated with non-compliance.
Template Privacy Manual
This template will help you quickly customise a plain language guide for staff across your agency, explaining their privacy obligations.