Guidelines for Implementing a Privacy Management Program
Developed August 2017
Privacy Accountability in Manitoba’s Public Sector
Manitobans entrust public bodies and trustees (organizations) with their information, including highly sensitive information, to receive services, programs and benefits. Responsible management of that information is critical for building and maintaining the trust and confidence of citizens.
Transparency about an organization’s measures to protect personal and personal health information is important and the public should have access to meaningful information about the privacy management program.
Having a privacy management program assists organizations in meeting their legislated privacy obligations. Our office will apply these guidelines in our privacy investigations in looking for indications of accountable privacy management.
Prior to designing a privacy management program, an organization should first assess its existing approaches to privacy compliance. This will enable the organization to identify gaps and develop an action plan to implement any elements of a privacy management program that are missing.
Using the Guidelines
Our Guidelines provides a scalable framework that can be used by all organizations to implement a privacy management program. The guidelines cover the following components:
- Organizational commitment
- Demonstrate senior management commitment and support
- Designate and empower a privacy officer
- Establish compliance reporting mechanisms
- Program Controls
- Inventory of personal information and/or personal health information
- Policies
- Breach management response procedures
- Training
- Privacy and security risk assessment tools
- Service provider management, information manager and research agreements
- Transparent communication with individuals
C. Ongoing assessment and revision
- Develop an oversight and review plan
- Assess and revise program controls as necessary