Which item is included in M-07-16 Privacy and Privacy Reporting?

M-07-16 Privacy and Privacy Reporting emphasizes establishing a formal, agency-wide incident handling policy for privacy incidents. This policy sets how privacy incidents are identified, reported, and managed, including who is responsible, the steps to escalate and notify the right parties, timelines for reporting, and how the incident is coordinated with the broader privacy program. Having this structured policy ensures consistency in response, supports timely regulatory or statutory reporting, helps protect individuals’ information, and provides a clear, repeatable process that can be tested and improved over time. While encryption of data in transit, monthly privacy audits, and third-party risk assessments are important privacy and security practices, they are not the specific policy element highlighted by this item. Encryption protects data in transit, audits are about oversight, and third-party risk assessments focus on external partners—none of these capture the agency-wide incident handling policy focus of M-07-16.