Hi, if you are a big organization with an internal PKI implementation, you would usually need some kind of privacy statement in place. The audience of this statement is any person who will interact with your PKI infrastructure directly or indirectly. For example, people who hold certificates from your PKI infrastructure should be aware of this privacy statement.
I have read all the best practices and RFCs that talk about this topic, and I came up with a sample PKI Privacy Statement that you can download and use on your side.
In some companies, I see that they have a portal with links to their PKI privacy statement, their certificate policy, and other publicly accessible PKI policies.
Download the Sample PKI Privacy Statement here