Privacy maturity self-assessment process
This guidance explains the process to complete a privacy maturity self-assessment. Each agency can do so in the way that’s right for them.
If you’re familiar with the process and ready to complete a self-assessment, download and use the 2 forms.
Assessing the PMAF elements
To complete a privacy maturity self-assessment, an agency will use the Privacy Maturity Assessment Framework (PMAF).
PMAF covers 4 sections:
- Core expectations: how privacy is conducted within the public service
- Leadership: how leadership champions privacy maturity
- Planning, policies and practice: how strategy and planning progress privacy maturity
- Privacy domains: what is essential to privacy maturity.
Each section has 2 to 6 elements to assess, and each element has 1 to 3 criteria to meet. How an agency assesses itself against each criterion depends on its size, purpose and legislative requirements.
Understanding that maturity is contextual
Agencies vary in size, purpose and legislative requirements. Large agencies with a diverse range of businesses will approach their self-assessment in a different way to smaller, less diverse agencies.
It is important to understand that how an agency assesses its maturity levels should be contextual. This means an agency takes into consideration what’s appropriate for its size, purpose and legislative requirements.
For example, the only personal information an agency collects may be human resources-related personal information. This means that its assessment of its privacy practice would be applied to the personal information it collects about its employees. The breadth and depth of what needs to be ‘managed’ is different from that of an agency that has many service users and collects sensitive data.
Similarly, when looking at the Data Protection and Use Policy (DPUP) Principles and Guidelines, an agency with regulatory or enforcement powers would need to interpret those in a way that’s appropriate for its context.
DPUP relates to the respectful, trusted and transparent collection and use of information. Some agencies may not be sure if DPUP is applicable for their context. However, if your agency collects, uses or manages information from customers, clients or employees, for example, then a DPUP-centred approach will apply.
Data Protection and Use Policy (DPUP)
Completing a self-assessment
Who to involve when completing a self-assessment
Although there is no one right way to complete a self-assessment, privacy officers or teams may find it useful to consult with the various business units on their privacy practices, achievements and challenges.
Business units may include:
- ICT, security and information management
- legal, funding, contracting and partnership
- service and programme design and implementation
- analysis, research and evaluation
- policy development
- human resources
- Māori engagement.
Depending on the size of an agency, privacy officers or privacy teams might:
- request information from other business units, then collate the replies
- do the self-assessment themselves and send it to other business units for review
- hold workshops with other business units to either complete the self-assessment or collate the results afterwards.
Using comments effectively
To help agencies track their privacy maturity and progress, they can make targeted comments on each criterion.
Agencies have the option to make 4 different types of comments for each element:
- Context: where agencies can make overarching comments and give explanations
- Achievement: where agencies can note their achievements
- Future focus: where agencies can note which elements or criteria will be their focus for 1-year and/or 3-year plans
- Challenge: where agencies can note that an element and/or criterion is a particular challenge and why.
After self-assessments are completed
How agencies use their self-assessment results is up to them. Agencies can:
- use the results to plan their privacy strategy
- use PMAF to analyse and improve their privacy practices
- gain buy-in from senior leadership for the agency's privacy strategy and work programme.