We have developed a number of Templates, Checklists and Briefing Papers to help you manage your privacy compliance. They are available when you choose one of our Compliance Kits. This page explains what each document includes.
The following Templates, Checklists & Briefing Papers are designed for organisations regulated by the Australian Privacy Act. They also incorporate the requirements of the European General Data Protection Regulation (GDPR), where relevant.
Template: Data Breach Response Plan
Under Australian privacy law it is mandatory to notify the Privacy Commissioner and affected individuals about certain types of data breaches. Every organisation will need a way to manage data breaches, including the notification requirements. This is a Word document you can download. It offers a template Data Breach Response Plan, with instructions on what information to fill in where, to quickly customise it to suit your organisation. The Template Plan:
- has a quick decision-tree guide for all staff
- defines for your staff what is a data breach, and who they need to report to if they suspect a data breach has occurred
- sets out a four-step response procedure for the Privacy Officer to follow
- offers guidance on how to establish a Breach Response Team
- lists the factors to consider when assessing the ‘serious harm’ threshold test
- allows for different steps according to whether the breach is high / medium / low risk
- calls out the additional obligations under EU law if the European General Data Protection Regulation (GDPR) applies to you
- calls out the additional obligations under New Zealand law if the Privacy Act (NZ) applies to you
- includes a template for both internal and external reporting, and
- includes a template notification letter for affected customers.
Template: Privacy Impact Assessment Framework with Privacy Risk Assessment Questionnaire
Privacy Impact Assessment is a fantastic methodology for assessing the potential privacy risks of projects, but organisations often struggle with implementation, such as clarifying when and how PIAs should be done. This Privacy Impact Assessment Framework is a Word document you can download. It includes instructions on what information to fill in where, to help you establish a Privacy Risk Assessment Procedure, customised for your organisation. It includes:
- a five-step procedure, allowing low-risk projects to be reviewed quickly, while higher-risk projects proceed to a more comprehensive PIA
- a flowchart to visualise all five steps in the procedure
- an explanation of what is required at each point of the procedure
- a Threshold Privacy Assessment questionnaire (updated in December 2021 to reflect the latest privacy regulator advice from the OAIC and EDPB)
- a Risk Rating Table and simple methodology, and
- a comprehensive Privacy Risk Assessment Questionnaire, which can be applied to projects or business units across your organisation to help teams self-identify any privacy risks, gaps or weaknesses. The Questionnaire includes extra topics to assess if you are regulated by the GDPR, and/or if your project includes AI or other algorithmic systems.
Template: PIA Report
Having followed your Privacy Impact Assessment Procedure to the point of conducting a PIA, a project manager might now be wondering how to actually write up their PIA Report. This template offers a standard structure for a project manager (or the Privacy Officer) to follow, with plain language explanations of the law to be considered, and tips on what types of recommendations might be needed to deal with different types of privacy risks. The updated 2021 edition includes extra sections on meeting community expectations, and assessing privacy harms.
Template: Privacy Audit Survey
This Privacy Audit Survey is designed as an information gathering tool for the Privacy Officer to kick-start a data inventory process, and/or an organisation-wide privacy audit or compliance review. It includes instructions on how to conduct a privacy audit of your organisation.
Template: Privacy Audit Report
This template offers a standard structure for a Privacy Officer to follow when writing up the results of their privacy audit. It includes plain language explanations of the law to be considered, and tips on what types of recommendations might be needed to deal with different types of privacy risks. It also includes a risk rating methodology and detailed instructions.
Template: Data Use Protocol
How do you manage the legal and ethical considerations when using personal information in new ways? Who should approve internal requests to access or use data, and what criteria should they use? Privacy risks are contextual, so this template Data Use Protocol offers a risk management approach which flexes to the circumstances of each data use request. A set of clear risk indicators is used to channel data use requests into tiered approval pathways: ‘red flags’ suggest higher level risks or possible reasons not to proceed, while ‘amber flags’ suggest the need for caution, ethical consideration, and/or additional risk mitigation controls. Three tiered approval pathways reflect the degree of risk posed by different data use proposals, and offer clarity around who must be involved in the approval process, the criteria involved in granting approval, the conditions placed upon data access and use, and the degree of on-going oversight needed, for any particular data use proposal.
Template: Data Governance Protocol
This is a Word document you can download. It offers a template Data Governance Protocol, with instructions on what information to fill in where, for each major dataset held by your organisation. You will still have to do some legwork to fill in the blanks, but this at least has all the basics laid out for you.
Template: Collection Notices & Consent Forms
This is a Word document you can download. It offers a set of different templates, with instructions on what information to fill in where, to help you customise Collection Notices and Consent Forms for your organisation. It also helps explain when you will need a Consent Form, compared with when a Collection Notice will do. It also includes the extra bits you will need if you are regulated by the GDPR as well.
Template: Contract clauses
This is a Word document you can download. It offers a template format, with instructions on what information to fill in where, to help you develop contract clauses, suitable to be included in agreements you are drafting or negotiating with third party suppliers, vendors, contractors or other companies or individuals. Once you have customised these clauses to suit your organisation, you can require all teams to include these clauses, or look for similar requirements, whenever they are dealing with third parties, no matter the size or type of contract or arrangement. It also includes the extra clauses you will need for your data processors if you are regulated by the GDPR as well.
Template: Privacy Manual for Staff
This is a Word document you can download. It offers a template format, with instructions on what information to fill in where, to help you customise a plain language guide to privacy obligations for staff across your organisation.
Template: Staff Undertaking
This is a Word document you can download. It offers a template format, with instructions on what information to fill in where, to help you quickly draft a document for staff to sign at induction, or as part of training or on-boarding new users to a system. It explains what privacy and confidentiality obligations they have, and the penalties associated with non-compliance.
Template: Best Practice Privacy Principles for NGOs
Non-government organisations (NGOs) may find themselves regulated by more than one privacy law in Australia, for example if they are a private sector health service provider, and/or a contracted service provider to government agencies, operating in more than one State or Territory. Each privacy law has its own set of privacy principles, definitions and exemptions. Having to explain multiple sets of privacy rules to staff is time-consuming and confusing.
This Template instead offers a set of organisation-wide, plain language internal privacy rules you can use to guide your day-to-day operations. We have developed this set of Best Practice Privacy Principles, as a Word document you can download, by mapping the privacy statutes in NSW, the ACT, Victoria, Tasmania, Queensland and the Northern Territory, in addition to the federal Privacy Act, and then adopting the highest standard for each principle, and explaining it in plain language. That way, by following one set of best practice rules, your staff will be ensuring their compliance with all the rules.
Briefing Paper: Australian Privacy Law Index
This Briefing Paper is designed for use by organisations either regulated by, or providing advice about, more than one privacy law in Australia.
Each privacy law has its own set of privacy principles, definitions and exemptions. For example some laws protect the privacy of the deceased, but for differing lengths of time. Some have employment-related exemptions, others don’t. Some laws regulate contracted service providers directly; others can only apply via contracts or funding agreements.
This Index is the result of mapping the privacy statutes in NSW, the ACT, Victoria, Tasmania, Queensland and the Northern Territory, in addition to the federal Privacy Act. (SA and WA do not have their own privacy laws.) In table format, it sets out the general scope of each Act (i.e. which organisations it regulates, what type of personal information it covers, whether it covers contracted service providers, and what the major exemptions are), as well as which principle to look at for any particular topic. The Index will help you quickly find the correct privacy rule that applies to your organisation in any given jurisdiction or situation. It doesn’t replicate the rule, just points you in the right direction. For example, if you want to know what the rules are about collecting information about a person’s religion for a health service in Wollongong, you can quickly see from the Index that you need to check APP 3.3-3.4 in the federal Privacy Act, as well as HPP 1 in the NSW health-specific legislation.
Briefing Paper: Privacy, Marketing and Cookies
This Briefing Paper is designed to assist those who work in marketing and customer communications, and the privacy officers who support them. It explains in plain language how the Privacy Act, Spam Act and Do Not Call Register Act work in relation to marketing activities, and also covers the New Zealand privacy and spam laws, Californian law (CCPA) and European laws (the GDPR and ePrivacy Directive, aka ‘the cookie law’) which impact on Australian companies. It includes an at-a-glance summary of the legal requirements when engaging in common marketing-related activities, such as: collecting contact details to add to a marketing database; adding data to a customer profile to use later for tailored messaging; sending a marketing email; and adding a cookie to a person’s device. Updated February 2023 to reflect the latest guidance on consent and cookies from the EU, as well as proposals to reform direct marketing requirements in the Privacy Act.
Briefing Paper: GDPR in a nutshell
The European General Data Protection Regulation (GDPR) will affect many organisations in Australia. This Briefing Paper offers a three-page overview of the GDPR, suitable for your exec team. It covers at a high level what the GDPR is about, who and what it regulates, the new privacy rules, management’s responsibilities, and links to further resources.
Checklist: 10 Steps Towards GDPR Compliance
The GDPR is not a standard against which compliance can be easily measured or certified. We have developed this Checklist for an intended audience of Australian organisations already regulated by the Australian Privacy Act 1988, now needing to also ensure their compliance with the GDPR. It focuses on the ten most critical steps, outlining in concise and practical terms what is most important for you to do, review and update. Updated December 2021 to reflect the latest EDPB guidance about international data transfers.
Checklist: Common Privacy Risks and Controls
This guide offers a list of common privacy risks, and potential controls to mitigate those risks, under broad principle-based headings such as Collection, Use & Disclosure, and Data Security. It is designed to be used during PIAs, privacy audits or ad-hoc privacy risk assessments.
Checklist: Cloud computing and the cross-border disclosure rule
This concise guide includes advice about when the Cross-Border Disclosure rule (APP 8) applies and when it doesn’t; how the Cross-Border Disclosure rule interacts with the Data Security rule (APP 11); how both rules apply to cloud computing; steps to take to comply with APP 8; and the questions to ask of third-party vendors/suppliers. Updated September 2021.
Checklist: Handling a privacy complaint
This checklist offers a nine-step process to follow when handling a privacy complaint about a breach of the APPs, from initial acknowledgement of the complaint through to finalisation. It includes an explanation of the principles involved in awarding compensation, and a table summarising all OAIC determinations (as at 31 December 2022) in which compensation was ordered.
Checklist: Risks to avoid when selecting and configuring CRM systems
If your new project involves procuring, developing, configuring or deploying a database that holds personal information about your customers, then this checklist is for you. As a result of conducting numerous audits and PIAs of new and existing systems which hold or report on data about people, such as Customer Relationship Management systems, student management systems and Business Intelligence reporting systems, we know what to look for, and what to avoid. This concise guide includes a checklist of:
- considerations when selecting a new system
- privacy risks to avoid, and
- matters to consider in configuration and deployment.