Here's a list of some elements you may want to put in your binder, largely based on what's in the Customer Information Security Guidelines:
1. Executive Summary
2. Risk Management Methodology
(what operating management is responsible for, what compliance is responsible for, your process: implementing risk controls, assessing their sufficiency, testing key controls, reporting violations)
3. Corporate level risk controls
(privacy awareness training, privacy notices, Security Dept's role, Code of Conduct, Data Security practices, change management, segregation of duties, response to violations, contingency planning, physical security, due diligence regarding service providers)
4. Operating Management's risk controls
(What they do to protect data on hard copy (locking things up, shredding), what they do to protect electronic data, privacy awareness, (e.g., knowing to report suspected violations appropriately), due diligence in selecting/monitoring service providers)
Appendices
A. Privacy notice
B. Privacy training
C. Schedule of events
D. Risk assessment questionnaire
E. Due diligence for service providers
F. Testing results
G. Management responses to security breaches
Of course, you have to have a lot of stuff in place before you can say it is part of your program.