
Overview

The purpose of this pou is to ensure that your organisation can build a self-sustaining privacy culture that isn’t just ‘once and done’ but is embedded and ongoing.

OPC often sees that organisations’ privacy programmes are reactive: they respond to a specific event or inquiry, or the organisation lacks the time or resources to implement a proper strategy. Organisations often improve practice in response to the event but then lose momentum. Building an effective privacy management system requires continuous improvement to lift capability, to maintain good practice once it is achieved, and to establish a privacy culture that reflects the values of your organisation.

Who is this for?

Your privacy function, as well as those with oversight of, and accountability for, your organisation’s privacy work programme.

Key objectives of this pou

What would we expect to see?

- Systems and processes are in place for monitoring privacy practice, including performance indicators that are monitored for completion and reviewed when necessary. Measurement outcomes are regularly reviewed by the organisation’s governance function to ensure they remain fit for purpose.
- The organisation can demonstrate where performance has improved, and where monitoring has led to changes in practice, process, or structure that have improved privacy outcomes.
- Processes are in place to hear from staff about privacy issues.

Monitoring your privacy programme

Monitoring your privacy programme is a key part of ensuring continuous improvement in your organisation’s privacy practices. Monitoring can provide you with a holistic picture of your programme and identify areas where training, culture, and processes may need to be improved.

Monitoring activities will look different in different organisations. However, we consider there are some ‘must-dos’ for all organisations.

These are:

- Keeping an incident log that records breaches and near misses and is used to inform reporting.
- Keeping a privacy complaints register that records complaints resolved internally and complaints made to OPC.
- Keeping a privacy requests register that records the timeliness of responses.

Other monitoring activities may include:

- Seeking staff feedback on the privacy training they receive and on awareness-raising activities.
- Conducting a staff survey with privacy-based questions to assess understanding.
- Keeping a record of the number of Privacy Impact Assessments completed.
- Keeping a record of the number of privacy training sessions provided to the organisation.
- Seeking stakeholder feedback on engagements with the privacy function.

Your monitoring activities should give you the data you need to be able to measure the effectiveness of your privacy programme over time. For example, keeping an incident log of breaches and near misses enables you to report on the number and types of incidents, and identify and analyse trends.


Measuring your privacy programme

Collecting data is a useful way to communicate the current state of your organisation’s privacy practices and the effectiveness of your privacy programme over time. It’s also a useful tool to monitor compliance with certain privacy obligations, including the management of privacy requests.

The table below (attached as PDF) provides you with examples of useful ways to measure different aspects of your privacy programme, including what they might tell you, and things to look out for.

You will need to consider which measures will help you achieve your organisation’s privacy goals and outcomes. These should be based on the key objectives and actions you have committed to in your privacy management plan.

Note: If you’re a public sector organisation then you will be required to complete the Privacy Maturity Assessment Framework (PMAF) to measure, and report on, your privacy programme.

View the table of examples [PDF, 134 KB].


Assurance and Reporting

Assurance is about providing your leadership, governance function, and other key stakeholders with a clear message about your organisation’s privacy practices, to give them confidence that the expected privacy outcomes and benefits are being achieved. It helps to measure the effectiveness of your privacy procedures, demonstrate compliance, increase privacy awareness, highlight any gaps, and provide a basis to support improvements to your privacy programme.

Reports, assessments, and communication (at all levels of your organisation) are all good ways to make privacy assurance a key component of your privacy programme.

You may also consider seeking independent assurance of your privacy practices and culture overall. For example, using an external audit provider every five years to provide your organisation with an independent assessment.

Reports to senior leadership or relevant governance groups should include the data from the measures you have selected, together with commentary on your organisation’s privacy practices and programme. Data is most useful when used to tell a story about what is happening; numbers alone won’t usually paint an accurate picture. The trends or patterns you are seeing over time, and the reasons for them, are what matter. You can use the ‘What can this tell you?’ section of the table above as a starting point to inform your reporting.


Organisational examples

We’ve included some use cases based on fictional organisations to demonstrate each of the pou in practice. Read more of the background on our Organisation Examples page.

Large business – Fern Leaf

As a large business, Fern Leaf adopts a three lines of defence model. This is a risk governance framework that splits responsibility for operational risk management across three areas. People in the first ‘line’ own and manage risk directly. The second line oversees the first line, setting policies, defining risk tolerances, and making sure they are met.

The third line, consisting of internal audit, provides independent assurance over the first two lines. Privacy risks are part of Fern Leaf’s overall risk strategy. This greatly reduces the workload of the privacy team, as they can work collaboratively with the risk function to document what they will measure and how. Assurance results are regularly reported to Fern Leaf’s Board and incorporated into its risk strategy conversations.

Small business (charity) – Reach High

Reach High has developed a Privacy Risk Register to capture all its privacy risks and events. The register is an Excel spreadsheet with tabs for the following privacy-related activities or events:

- Privacy programme actions (capturing progress).
- Privacy training delivered.
- PIAs completed.
- Privacy requests received and managed.
- Privacy complaints received (including escalated complaints).
- Privacy breaches.

The director of support services manages the register and reports on it to the CEO and other senior leaders monthly. For a small business this approach is appropriate, and it ensures that the CEO has oversight of key privacy metrics.

Start-up – Swiftstart NZ

Given their size and limited resources, Swiftstart NZ decides to adopt a streamlined approach to privacy measurements. The operations manager produces quarterly documentation of key measurements to ensure Swiftstart NZ’s founders maintain visibility of its privacy practices without overwhelming their capacity.

Measurements include the number of reported incidents or breaches, response time to incidents, and effectiveness of remediation measures. Additionally, the operations manager confirms completion rates of staff privacy training. These minimal yet essential measurements not only demonstrate accountability but also enable Swiftstart NZ to efficiently report to clients if necessary, fostering trust and transparency in its operations.


Small business (non-tech) – Green Gardens

Green Gardens has developed a Privacy Register, an Excel spreadsheet that captures the following privacy-related activities and incidents:

- Privacy training completed.
- Privacy requests received and managed.
- Privacy complaints received.
- Privacy breaches and near misses.
- Privacy analysis documents.

The Administrator manages the register and uses it to report to the owner/manager as part of their six-monthly business meetings, where they have a standing agenda item for privacy.


Independent contractor – Jo Jones

Jo Jones maintains a Privacy Register, an Excel spreadsheet that captures the following privacy-related activities and incidents:

- Privacy requests received and managed.
- Privacy complaints received.
- Privacy breaches and near misses.


Government agency – The Ministry

The Ministry has a well-established risk and audit function and an audit and risk committee made up of external and Tier 3 level members, who receive regular reporting on all identified risks, including privacy. Reporting on completion of Privacy Threshold Assessments, PIAs, complaints, breaches, near misses, and other privacy events is provided to the committee regularly.

The committee can make recommendations to the SLT to remediate risk. The Ministry also plans to obtain an independent assurance review of its privacy risk management approach every five years, or more frequently if themes are identified through reporting.
