33Preparation and implementation of privacy management plans

#### 33 Preparation and implementation of privacy management plans 33 Preparation and implementation of privacy management plans > > (1) Each public sector agency must have and implement a privacy management plan. > > > (2) The privacy management plan of a public sector agency must include provisions relating to the following— > > > > > (a) the devising of policies and practices to ensure compliance by the agency with the requirements of this Act or the [Health Records and Information Privacy Act 2002](/view/html/inforce/current/act-2002-071), if applicable, > > > > > (b) the dissemination of those policies and practices to persons within the agency, > > > > > (c) the procedures that the agency proposes to provide in relation to internal review under Part 5, > > > > > (c1) the procedures and practices used by the agency to ensure compliance with the obligations and responsibilities set out in Part 6A for the mandatory notification of data breach scheme, > > > > > (d) such other matters as are considered relevant by the agency in relation to privacy and the protection of personal information held by the agency. > > > (3) (Repealed) > > > (4) An agency may amend its privacy management plan from time to time. > > > (5) An agency must provide a copy of its privacy management plan to the Privacy Commissioner as soon as practicable after it is prepared and whenever the plan is amended. > > > (6) The regulations may make provision for or with respect to privacy management plans, including exempting certain public sector agencies (or classes of agencies) from the requirements of this section. > > **s 33:** Am 2002 No 71, Sch 3 \[13\]; 2009 No 56, Sch 1.31; 2022 No 74, Sch 1\[6\] \[7\].