Templates to kick-start your privacy management program
Every one of these Template documents has been designed specifically to reflect the requirements of Victorian public sector organisations, regulated by the PDP Act and Health Records Act. Each Template comes as a Word document; simply follow the instructions to quickly create all the key documents needed to support privacy compliance in your organisation.
These templates are only available in one of these Compliance Kits:
- Essential Templates for the Victorian Public Sector, or
- Everything for Victorian Public Sector Organisations.
Template Data Breach Response Plan
While the Victorian privacy laws do not include a general scheme for mandatory data breach notification, in some cases Victorian public sector organisations are required under other laws to notify certain types of data breaches. Plus, OVIC has a notification scheme for cyber incidents. This template document offers a ready-made procedure for your organisation, which will streamline the process of responding to a data breach. This template:
- includes a quick flowchart guide for all staff
- defines for staff what is a data breach, and who they need to report to if they suspect a data breach has occurred
- sets out a four-step response procedure for the Privacy Officer to follow
- allows for different steps according to whether the breach is high / medium / low risk
- calls out when notification is mandatory versus voluntary
- includes a template for both internal and external reporting, and
- includes a template notification letter for affected clients.
Template Privacy Risk Assessment Procedure
Privacy Impact Assessment is a fantastic methodology for assessing the potential privacy risks of projects; but when and how should PIAs be done? This template will help you establish a Privacy Risk Assessment Procedure, customised for your organisation. It includes:
- a five-step procedure, allowing low-risk projects to be reviewed quickly, while higher-risk projects proceed to a more comprehensive PIA
- a flowchart to visualise all five steps in the procedure
- an explanation of what is required at each point of the procedure
- a threshold privacy assessment questionnaire, and
- a comprehensive Privacy Risk Assessment Questionnaire to test for compliance with the PDP Act and Health Records Act, which can be applied to projects or business units across your organisation to help teams self-identify any privacy risks, gaps or weaknesses. The Questionnaire also includes extra topics to assess if your organisation is regulated by the GDPR.
Template PIA Report
Having followed your Privacy Risk Assessment Procedure to the point of conducting a PIA, a project manager might now be wondering how to actually write up their PIA Report. This template offers a standard structure for a project manager (or the Privacy Officer) to follow, with plain language explanations of the law to be considered, and tips on what types of recommendations might be needed to deal with different types of privacy risks.
Template Privacy Audit Survey
This Privacy Audit Survey is designed as an information gathering tool for the Privacy Officer to kick-start a data inventory process, and/or an organisation-wide privacy audit or compliance review. It includes instructions on how to conduct a privacy audit of your organisation.
Template Privacy Audit Report
This template offers a standard structure for a Privacy Officer to follow when writing up the results of their privacy audit. It includes plain language explanations of the law to be considered, and tips on what types of recommendations might be needed to deal with different types of privacy risks. It also includes a risk rating methodology, a plain language summary of the IPPs and HPPs, and detailed instructions to follow.
Template Collection Notices and Consent Forms
This document offers a set of different templates, with instructions on what information to fill in where, to help you customise Collection Notices and Consent Forms for your organisation. It also helps explain when you will need a Consent Form, compared with when a Collection Notice will do, and includes the extra bits you will need if your organisation is regulated by the GDPR as well.
Template Contract Clauses
This document will help you develop standard contract clauses, suitable to be included in agreements you are drafting or negotiating with third party suppliers, vendors, contractors or other organisations or individuals. Once you have customised these clauses to suit your agency, you can require all teams to include these clauses, or look for similar requirements, whenever they are dealing with third parties, no matter the size or type of contract or arrangement. It also includes the extra clauses you will need for your data processors if your organisation is regulated by the GDPR as well.
Template Data Governance Protocol
The objective of a Data Governance Protocol is to provide a structured approach to managing the various regulatory and operational demands on customers’ data, in a way that reflects your organisation’s day-to-day decision-making needs. For any given dataset, a Data Governance Protocol can set out a definition of the primary purpose of each collection, as well as allowed secondary purposes. The Protocol then becomes a ready guide for anyone in the organisation wondering if they can use a certain type of personal information for a particular purpose, whether for ‘business as usual’ or more innovative projects.
This document offers a template Data Governance Protocol, with instructions on what information to fill in where, for each major dataset held by your organisation.
Template Data Use Protocol
How do you manage the legal and ethical considerations when using personal information in new ways? Who should approve internal requests to access or use data, and what criteria should they use?
Privacy risks are contextual, so this template Data Use Protocol offers a risk management approach which flexes to the circumstances of each data use request. A set of clear risk indicators is used to channel data use requests into tiered approval pathways: ‘red flags’ suggest higher level risks or possible reasons not to proceed, while ‘amber flags’ suggest the need for caution, ethical consideration, and/or additional risk mitigation controls. Three tiered approval pathways reflect the degree of risk posed by different data use proposals, and offer clarity around who must be involved in the approval process, the criteria involved in granting approval, the conditions placed upon data access and use, and the degree of on-going oversight needed, for any particular data use proposal.
Template Privacy Manual
This template will help you quickly customise a plain language guide for staff across your organisation, setting out their obligations.
Template Staff Undertaking
This template will help you quickly draft a document for staff to sign at induction, or as part of training or on-boarding new users to a system. It explains what privacy and confidentiality obligations they have, and the penalties associated with non-compliance.