Minimum you need to do
Embed privacy into service design at the outset of your project.
Contact your agency’s privacy contact officer or legal team for advice on how to embed robust privacy practices from the start of your project.
Use the Information and Privacy Commission’s checklist to identify any relevant privacy issues to discuss.
Ensure your teams think about your customers’ points of view. Consider, for example:
- What information do you tell them you will be collecting?
- How do they feel about giving you their address or phone number?
- Is it necessary to collect this information?
- How will you manage and store the information you collect?
- Have you sought full consent from your customer to collect and use the information?
Privacy by design
Look into applying 'privacy by design'. Privacy by design is a process for embedding practices into your design. It helps you to proactively identify any privacy risks while developing your service, so you can offset them as part of the design. Talk to your privacy contact officer.
Privacy management plan
Familiarise yourself with your agency’s privacy management plan. It sets out how your agency will comply with the privacy legislation. Every NSW Government agency must have one.
Privacy impact assessment
Use a privacy impact assessment (PIA) when planning your project to help:
- identify the risk of any breach of the Information Protection Principles and the Health Privacy Principles
- identify the impact that an activity might have on the privacy of individuals
- set out recommendations for managing, minimising or eliminating that impact.
Use your PIA as a tool rather than a compliance exercise. You should update it as you make changes to your service design. For more information, go to the guide to privacy impact assessments in NSW.
How to show you’ve met this privacy planning need
You will have:
- talked to your privacy contact officer, legal team or the Information and Privacy Commission NSW to help meet privacy requirements when designing your service
- read your agency’s privacy management plan
- assessed whether you need a privacy impact assessment for your project and used one if suitable.