Core expectations is 1 of the 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 5 elements to assess.
Before you start
It’s helpful to read:
To complete your agency’s self-assessment, download and use these 2 documents:
1. Take a people-centred approach
Take a people-centred approach to privacy that is respectful of those the information is about and provides the public with effective services.
A people-centred approach is one that seeks to understand, invite and act on the perspectives and interests of the people that the personal information is about when planning and undertaking activities and actions to collect, use or share their personal information.
Based on extensive engagement across the social sector, the Principles of the Data Protection and Use Policy (DPUP) focus on how to develop a way of working that respects people, their personal information and their stories. Key features of such an approach are:
- inclusion and participation in the development of new ideas
- making it easy to understand what’s happening
- making it easy for people to access and request corrections to their information.
While DPUP was developed for the social sector, it can be used by any agency in any sector. DPUP’s Principles and Guidelines align strongly with good privacy practices. Agencies can adapt them for their context and the amount and type of personal information they collect and use.
The definition of social sector used by the Social Wellbeing Agency and DPUP includes these government agencies: Ministry of Social Development, Te Puni Kōkiri, Ministry of Education, Ministry of Health, Ministry of Housing and Urban Development, Kāinga Ora, New Zealand Police, Ministry of Justice, Accident Compensation Corporation, Oranga Tamariki — Ministry for Children, Department of Corrections, Ministry of Business, Innovation and Employment, Inland Revenue, Department of Internal Affairs, Tertiary Education Commission, New Zealand Qualifications Authority, and the Social Wellbeing Agency.
Criteria 1: Having a people-centred privacy programme
If your agency’s privacy policies and practices align with DPUP Principles and Guidelines, then you do not need to update them at this time to achieve ‘managed’.
However, if your agency plans to:
- revise their privacy policies, they should reference DPUP’s Principles and Guidelines
- develop or review their policies, services or programmes, they should consider using the DPUP toolkit to help guide this work.
Privacy policies and practices are compliance-centric and risk-centric with limited focus on the impact of decisions about use of personal information on the people that the information is about.
Privacy policies and practices include recommendations to consider the views of the people that the information is about. The privacy programme has no specific focus on instilling a people-centred perspective.
Privacy policies and practices are appropriately aligned with DPUP’s Principles and Guidelines. The privacy programme focuses on change initiatives to embed a people-centred approach.
Criteria 2: Connecting with service users
DPUP’s Transparency and Choice Guideline can provide useful advice about how to connect with service users and the importance of offering choices when appropriate.
When considering this criterion, remember that service users can include customers, clients, employees and anyone else whose personal information your agency holds, uses and manages. For example, if your agency primarily develops policy, it can determine what is collected from service users in the process of delivering policies, programmes and services.
Sometimes there may be good reasons for not connecting with service users about collecting their personal information, for example, if it would undermine the purpose of the collection, or it’s just not possible to do so.
If your agency does connect with service users and offers choices when appropriate, then ‘managed’ would be a suitable maturity level.
Individual initiatives infrequently connect with service users to test new ideas with them about collection or use of their personal information.
Individual initiatives connect with service users or their representatives to include their views in decision-making processes about collection and use of their personal information. There is little guidance for initiatives about when and how to go about it.
There are established processes and easy-to-use methods for connecting with service users or their representatives, when appropriate, to include their views in decision-making processes about collection and use of their personal information.
Criteria 3: Being transparent
Privacy statements or notices are a common way of informing people of their choices. The Office of the Privacy Commissioner has a tool for building privacy statements.
DPUP’s Transparency and Choice Guideline can provide useful advice about the importance of helping people to understand what’s happening with their information and what choices they have.
- NZ Government Web Standards
- Office of the Privacy Commissioner — Privacy statement generator
- Transparency and Choice Guideline
Transparency is limited to general clauses in consent forms or privacy notices or statements used at the start of the relationship with service users.
The approach to enabling people to access their information and request correction is ad hoc or reactive.
Individual initiatives focus on transparency about why and how people’s information is collected, used or shared, and what choices they have.
Information about how people can access and request correction of their information is available but is not easy for service users to understand or execute.
The agency is transparent about:
- what kinds of personal information it collects and uses
- why and how it’s used
- choices people may have and how to access and request correction to their personal information.
This information is presented in easy-to-understand ways.
2. Build and maintain a privacy culture
Build and maintain a privacy culture that embodies the public service values of being impartial, accountable, trustworthy, respectful and responsive.
The Public Service Act 2020 supports developing a robust privacy culture, noting the fundamental characteristic of the public service is acting with a spirit of service to the community. The Act’s values describe the necessary behaviours for public servants to maintain integrity, which promotes trust and confidence in the public service.
It’s not always clear or easy to understand how actions taken with personal information can support (or undermine) public service values.
To build and maintain a privacy culture, leaders and managers can help by establishing and informing this understanding, so that people throughout the agency recognise this important connection between collecting and using personal information and public service values.
Privacy training and awareness are key to building and maintaining a privacy culture. Privacy awareness reinforces training through reminders. Awareness activities may include:
- booklets and flyers
- campaigns (for example, Privacy Week).
Criteria 1: Creating a privacy culture
Leadership has little involvement in the development of a privacy culture.
Leadership recognises the importance of building a privacy culture and focuses on specific areas of the agency or individual initiatives.
Leadership delivers consistent and positive messages about how privacy is everyone’s responsibility and how privacy is an enabler of public trust and quality service delivery.
Privacy culture is periodically assessed, possibly as part of a broader organisational culture survey.
Criteria 2: Communicating privacy values and aspirations
Communication from senior leadership and privacy leaders is ad hoc or reactive and focuses on specific events and incidents.
Senior leadership and privacy leaders communicate the agency’s privacy values and aspirations as part of specific initiatives and/or work programmes.
Senior leadership and privacy leaders communicate the agency’s clearly defined privacy values and aspirations in relevant terms throughout the agency on a schedule that is proportionate to the agency’s needs.
Criteria 3: Developing privacy awareness
Privacy awareness is ad hoc or reactive to specific events and incidents.
Privacy awareness is limited and is seen as the responsibility of a few managers and specialists.
Privacy awareness clearly communicates the agency’s values, expectations and behaviours to staff and contractors.
3. Build and maintain privacy capability
Build and maintain privacy capability so that people have the knowledge and skills they need to contribute to good privacy practice.
Privacy training is the foundation for building privacy capability and an effective privacy culture.
Privacy training is not about trying to make everyone experts in the legislation. It’s to provide staff and managers with the knowledge and tools to adopt and apply appropriate privacy concepts and principles to their work.
People are more likely to retain and use training if it’s relevant to what they see on a daily basis. People change roles or their current role may acquire additional responsibilities, so privacy training is an ongoing activity throughout their career at the agency.
For agencies that collect a lot of personal information about many clients, effective privacy training would also address employees’ understanding of what they can and cannot do with clients’ personal information. For example, training should include an explanation of why employees must not:
- browse clients’ records when they have no legitimate need to
- post client information on social media, in either open or closed groups.
Criteria 1: Conducting privacy training
Privacy training for staff and contractors is conducted on an ad hoc basis.
At induction, staff, and sometimes contractors, receive privacy training on the agency’s privacy values, policies, practices and risks.
At induction and then on a regular basis, staff and contractors receive privacy training on the agency’s privacy values, policies, practices and risks that is relevant to their roles and supports them to be effective and trusted custodians of personal information.
Criteria 2: Monitoring and updating privacy training
Updates to privacy training content is ad hoc.
Privacy training content is updated periodically.
Privacy training needs are monitored and training content is reassessed to ensure that it remains fit for purpose.
Criteria 3: Providing additional privacy training
There is little or no additional training for staff and contractors before they are given access to certain classes of personal information (for example, health information) that may fall under a Privacy Code and/or may require additional privacy knowledge to manage properly.
Staff may have additional training before they are given access to certain classes of personal information (for example, health information) that may fall under a Privacy Code and/or may require additional privacy knowledge to manage properly. Contractors generally do not have additional training.
Staff and contractors know how to access appropriate advice that they should understand before they are given access to certain classes of personal information (for example, health information) that may fall under a Privacy Code and/or may require additional privacy knowledge to manage properly.
4. Establish a sense of collective responsibility
Establish a sense of collective accountability in which managers and staff understand their duty to ensure that personal information is collected and used appropriately.
Sometimes privacy is seen as the specialised domain of a particular team.
However, all of the following originate outside of privacy teams:
- general custodianship of information and information systems
- working with third-party suppliers and providers
- designing a new service, product, policy or process
- using personal information to inform new actions.
This expectation is about weaving a coherent and explicit understanding of that distributed network of activities and accountabilities, so good privacy practices can be a regular and normal feature of how the agency does its work.
Criteria 1: Implementing privacy practices
To help agencies embed collective responsibility in various roles, DPUP has role-specific and task-specific tools for:
- frontline workers
- frontline leaders
- people who work in funding, contracting or partnering
- people who develop policies, services or programmes
- people who work in analysis, research or evaluation.
Adoption of privacy policies and practices by functional areas that collect or make use of personal information (for example, procurement, service design, contracting and funding, analysis and research, and so on) is ad hoc, and tends to rely on the privacy officer or team involving themselves directly.
Some functional areas that collect or make use of personal information (for example, procurement, service design, contracting and funding, analysis and research, and so on) may reference, or integrate with, privacy policies and practices.
Functional areas that collect or make use of people’s personal information (for example, procurement, service design, contracting and funding, analysis and research, and so on) include recognised good practice advice (for example, DPUP) in their core processes.
Criteria 2: Linking privacy to organisational values
Organisational values usually talk about providing good service delivery. Having good privacy practices contributes to good service delivery and enhances people’s trust and confidence in the agency. Organisational value frameworks should highlight the importance of privacy to good service delivery.
When considering this criterion, remember that service delivery can affect service users, such as customers, clients, employees and anyone else whose personal information your agency holds, uses and manages. For example, if your agency primarily develops policy, it can determine what is collected from service users in the process of delivering policies, programmes and services.
To help agencies with their organisational value frameworks, DPUP’s Principles and Guidelines provide advice on good privacy practices.
There is no link between organisational value frameworks, such as mission statements, and the importance of public trust in the collection and use of personal information.
Organisational value frameworks, such as mission statements, include a focus on public trust, but the connection with respectful and transparent practice in the collection and use of personal information is not clear.
Organisational value frameworks, such as mission statements, draw a direct line between delivering quality service and exercising a collective focus on respectful and transparent practices in the collection and use of personal information.
Criteria 3: Including privacy in employment
There is no clear link made between privacy capability and its role in developing and retaining public trust (for example, letters of employment and job descriptions do not refer to privacy obligations and responsibilities).
There may be a link made between privacy capability and its role in developing and retaining public trust (for example, some letters of employment and job descriptions refer to privacy obligations and responsibilities).
There is an agency-wide approach to making the link between privacy capability and its role in developing and retaining public trust (for example, letters of employment and job descriptions refer to privacy obligations and responsibilities).
5. Be a capable Treaty partner
Be a capable Treaty partner by supporting the Crown to fulfil its stewardship responsibility and strengthen Crown’s relationships with Māori.
The Public Service Act 2020 highlights the responsibility of agencies to support the Crown in meeting its Treaty obligations, and to develop and maintain the capability of the public service to engage with Māori and understand Māori perspectives.
Agencies making decisions about the use of personal information should consider the Crown’s obligations under the Treaty. This includes the need to engage with Māori about collection, use or sharing of personal information, and to assess the impacts on whānau, hapū and iwi, Māori individuals and Māori data.
Agencies should consider that Māori may have distinct cultural understandings, needs and interests, and experiences that shape their perspectives on privacy and personal information.
When considering developing privacy practices that reference Māori priorities, values and worldviews, agencies can be guided by DPUP’s Principles, Guidelines and related behaviours, which are aligned with te ao Māori values.
Agencies can also consider the advice provided by Te Arawhiti and Stats NZ.
This expectation highlights the importance of considering these factors and developing enabling privacy practices such as advice as provided by Te Arawhiti and Stats NZ:
- Guidelines for engagement with Māori — Te Arawhiti
- Co-designing with Māori — Data.govt.nz
- Ngā Tikanga Paihere: a framework guiding ethical and culturally appropriate data use — Data.govt.nz
Things to consider
Working with Māori in the area of privacy is an evolving space. It is each agency’s responsibility to identify ways to engage with Māori about privacy that are appropriate to its size, purpose and legislative requirements. Consideration of the Māori Data Sovereignty principles of Te Mana Raraunga may also be helpful.
Decisions to collect and use personal information can often involve material interests for Māori. This is increasingly so with the growth in interest and activities that use data, often originating from personal information, to inform public policies and services.
The Privacy Commissioner is required to take account of cultural perspectives on privacy under section 21 of the Privacy Act, and the Commissioner will consider Māori perspectives on privacy when exercising regulatory functions under the Act.
The Office of the Privacy Commissioner has published these examples of specific situations relating to Māori and privacy. These can help agencies consider how they might apply these learnings to their context. Agencies should keep abreast of new developments in this area.
- Biometrics and privacy — Office of the Privacy Commissioner
- Analysis: High Court 2021 review of Ministry decisions about Māori vaccination data — Office of the Privacy Commissioner
- Using the Privacy Act for Māori — Office of the Privacy Commissioner
- Māori Data Sovereignty — Te Mana Raraunga
Criteria 1: Identifying Māori privacy interests
There is little awareness of the need to identify Māori interests when designing or updating a service or process that involves the collection, use or sharing of personal information.
When designing or updating a service or process that involves the collection, use or sharing of personal information, individual initiatives develop their own practices to identify Māori interests.
When designing or updating a service or process that involves the collection, use or sharing of personal information, the agency has policies and practices that can identify relevant Māori interests.
Criteria 2: Partnering with Māori
The agency’s identification of and response to Māori privacy interests is ad hoc or reactive.
When Māori privacy interests have been identified, individual initiatives define their own approach for understanding and responding to those interests.
When Māori privacy interests have been identified a partnership approach is used and provides for personal information to be interpreted with reference to Māori priorities, values and worldviews.