Australian Government Architecture

Privacy protection policy

This policy describes the requirements for entities planning digital investments involving privacy protection considerations.

Applicability

Digital investment proposals are assessed against this policy by the DTA through the Digital and ICT investment oversight framework (IOF).

Commonwealth entities are encouraged to apply this policy to all digital investments.

Policy requirements

  • Comply with legislation

    Entities must comply with the Privacy Act (1998), which governs all Australian government entities. This includes adherence to the Australian Privacy Principles.

  • Align to guidelines and standards

    Entities are required to comply with the Protective Security Policy Framework, and any other relevant mandatory frameworks, policies, and standards.

  • Be private-by-design

    Privacy must be integrated as a core element of digital products and services from the design phase through to deployment and beyond. This approach ensures privacy considerations are embedded throughout the lifecycle of the investment. 

  • Take a proactive approach to privacy risks and incident responses

    Entities should proactively develop both overarching and programme-specific approaches to privacy, and proactively assess and manage privacy risk. This builds confidence in the system and enables incidents to be responded to in a considered and timely manner.

  • Adhere to reuse principles

    Entities must give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.
