How To Do Privacy Right

By Emma Pond, Director of Simply Privacy Ltd.


It’s been a long time coming but finally, we have a new privacy law - the Privacy Act 2020, which comes into effect on 1 December 2020. That’s pretty soon, but don’t stress too much if you haven’t thought much about what its impact might be on your business – you still have time to get started.


At Simply Privacy we are all about supporting organisations (and their heroic Privacy Officers) to ‘do privacy right’. And to help get you in shape for the new law we’ve made a checklist of the things we think every organisation that handles personal information should do before then.



Simply Privacy is a specialist consultancy providing privacy advice, strategy and consultancy services to public and private sector organisations. They believe in a holistic, pragmatic approach to privacy practice and work with their clients to ensure that privacy solutions fit with their business needs and wider goals.




The big changes are a new obligation to notify the Office of the Privacy Commissioner and affected individuals of serious privacy breaches; greater accountability when transferring personal information overseas (including a new Information Privacy Principle (IPP)); and new and stronger compliance and enforcement powers for the Office of the Privacy Commissioner.


As always, we suggest taking a risk-based approach, prioritising the actions that affect the more sensitive personal information, and the higher volumes of personal information, that your organisation handles. If you need more information, the Office of the Privacy Commissioner website has a lot to offer, and of course, if you need some help, we’d be happy to have a chat.


Get Your Governance Settings Right

  • Appoint a Privacy Officer if you haven’t already – it’s a mandatory requirement.

  • Formalise your privacy accountabilities and reporting to ensure that privacy gets the appropriate level of attention and resourcing for your organisation’s risk level and risk appetite.

  • Map where personal information sits within your organisation’s systems, and who has access to it.


Prepare For Mandatory Breach Notification

  • Ensure the systems holding your more sensitive personal information enable you to determine who has accessed what and when in the event of a breach.

  • Check your service providers have satisfactory security safeguards in place.

  • Ensure your service providers are required to notify you of a privacy breach and help you deal with it.

  • Train your staff so they can identify a privacy breach and know who to report it to.

  • Establish a privacy breach response plan.

  • Practise your privacy breach response plan with the right people involved.

  • Draft some notification communications to have ready to go (for the Privacy Commissioner and affected individuals).

  • Think about who else you might have to notify in the event of a privacy breach (e.g. insurers/Police/under contract).

  • Ensure you can manage a privacy breach in the midst of a privacy breach (e.g. if you can’t access your systems).

  • Play around with the online reporting tool ‘NotifyUs’ on the Office of the Privacy Commissioner website to get a feel for how it works.


Get Ready For Cross-Border Information Sharing

  • Identify what personal information your organisation is sharing overseas, and for what purpose.

  • Remember – disclosures to overseas service providers who are not using the information for their own purposes are not covered by the new IPP 12, but must comply with IPP 5 (your data must be kept protected).