Core expectations

Core expectations is 1 of the 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 5 elements to assess.

1. Take a people-centred approach

Take a people-centred approach to privacy that is respectful of those the information is about and provides the public with effective services.

Guidance note

A people-centred approach is one that seeks to understand, invite and act on the perspectives and interests of the people that the personal information is about when planning and undertaking activities and actions to collect, use, or share their personal information.

Based on extensive engagement across the social sector, the principles of the Data Protection and Use Policy focus on how to develop a way of working that respects people, their personal information and their stories.

Key features of such an approach are inclusion and participation in the development of new ideas, making it easy to understand what’s happening and making it easy for people to access and request correction to their information.

Data Protection and Use Policy

Criteria 1: Having a people-centred privacy programme

Informal

Privacy policies and practices are compliance-centric and risk-centric with limited focus on the impact of decisions about use of personal information on the people that the information is about.

Basic

Privacy policies and practices include recommendations to consider the views of the people that the information is about. The privacy programme has no specific focus on instilling a people-centred perspective.

Managed

The Data Protection and Use Policy's principles are appropriately integrated with privacy policies and practices, and the privacy programme focuses on change initiatives to embed a people-centred approach.

Criteria 2: Connecting with service users

Informal

Individual initiatives infrequently connect with service users to test new ideas with them about collection or use of their personal information.

Basic

Individual initiatives connect with service users or their representatives to include their views in decision-making processes about collection and use of their personal information. There is little guidance for initiatives about when and how to go about it.

Managed

There are established processes and easy-to-use methods for connecting with service users or their representatives, when appropriate, to include their views in decision-making processes about collection and use of their personal information.

Criteria 3: Being transparent

Informal

Transparency is limited to general clauses in consent forms or privacy notices/statements used at the initiation of the relationship with service users.

The approach to enabling people to access their information and request correction is ad-hoc or reactive.

Basic

Individual initiatives focus on transparency about why and how people’s information is collected, used, or shared, and what choices they have.

Information about how people can access and request correction of their information is available but is not easy for service users to understand or execute.

Managed

The agency is transparent about:

  • what kinds of personal information it collects and uses
  • why and how it’s used
  • choices people may have and how to access and request correction to their personal information.

This information is presented in easy-to-understand ways.

2. Build and maintain a privacy culture

Build and maintain a privacy culture that embodies the public service values of being impartial, accountable, trustworthy, respectful, and responsive.

Guidance note

It’s not always clear or easy to understand how actions taken with personal information can support (or undermine) public service values.

To build and maintain a privacy culture, leaders and managers can help by establishing and informing that understanding, so that people throughout the agency are better placed to appreciate this crucial linkage.

Helping people to appreciate the nature of this connection and motivating them to act on that appreciation can encourage the implementation of privacy practices that express these values.

Criteria 1: Creating a privacy culture

Informal

Leadership has little involvement in the development of a privacy culture.

Basic

Leadership recognises the importance of building a privacy culture and focuses on specific areas of the agency or individual initiatives.

Managed

Leadership delivers consistent and positive messages about how privacy is everyone’s responsibility and how privacy is an enabler of public trust and quality service delivery.

Privacy culture is periodically assessed, possibly as part of a broader organisational culture survey.

Criteria 2: Communicating privacy values and aspirations

Informal

Communication from senior leadership and privacy leaders is ad-hoc or reactive and focuses on specific events and incidents.

Basic

Senior leadership and privacy leaders communicate the agency’s privacy values and aspirations as part of specific initiatives and/or work programmes.

Managed

Senior leadership and privacy leaders communicate the agency’s clearly defined privacy values and aspirations in relevant terms throughout the agency on a schedule that is proportionate to the agency’s needs.

Criteria 3: Developing privacy awareness

Informal

Privacy awareness is ad-hoc or reactive to specific events and incidents.

Basic

Privacy awareness is limited and is seen as the responsibility of a few managers and specialists.

Managed

Privacy awareness clearly communicates the agency’s values, expectations and behaviours to staff and contractors, and promotes the use of Privacy by Design.

3. Build and maintain privacy capability

Build and maintain privacy capability so that people have the knowledge and skills they need to contribute to good privacy practice.

Guidance note

Privacy training is the foundation for building privacy capability and an effective privacy culture.

Privacy training isn’t about trying to make everyone experts in the letter of the law. It’s to provide staff and managers with the knowledge and tools to adopt and apply the appropriate privacy concepts and principles to their work.

People are more likely to retain the training they’ve been exposed to if it’s relevant to what they see on a daily basis. People change roles or their current role may acquire additional responsibilities, so privacy training is an ongoing activity throughout their career at the agency.

Criteria 1: Conducting privacy training

Informal

Privacy training for staff and contractors is conducted on an ad-hoc basis.

Basic

At induction, staff, and sometimes contractors, receive privacy training on the agency’s privacy values, policies, practices and risks.

Managed

At induction and then on a regular basis, staff and contractors receive privacy training on the agency’s privacy values, policies, practices and risks that is relevant to their roles and supports them to be effective and trusted custodians of personal information.

Criteria 2: Monitoring and updating privacy training

Informal

Updates to privacy training content are ad-hoc.

Basic

Privacy training content is updated periodically.

Managed

Privacy training needs are monitored and training content is reassessed to ensure that it remains fit for purpose.

Criteria 3: Providing additional privacy training

Informal

There is little or no additional training for staff and contractors before they are given access to certain classes of personal information (for example, health information) that may fall under a Privacy Code and/or may require additional privacy knowledge to manage properly.

Basic

Staff may have additional training before they are given access to certain classes of personal information (for example, health information) that may fall under a Privacy Code and/or may require additional privacy knowledge to manage properly. Contractors generally do not have additional training.

Managed

Staff and contractors know how to access appropriate advice that they should understand before they are given access to certain classes of personal information (for example, health information) that may fall under a Privacy Code and/or may require additional privacy knowledge to manage properly.

4. Establish a sense of collective responsibility

Establish a sense of collective accountability in which managers and staff understand their duty to ensure that personal information is collected and used appropriately.

Guidance note

Sometimes privacy is seen as the specialised domain of a particular team.

However, all the following originate outside of privacy teams: designing a new service, product, policy or process, working with third party suppliers and providers, general custodianship of information and information systems, and using personal information to inform new actions.

This expectation is about weaving a coherent and explicit understanding of that distributed network of activities and accountabilities, so good privacy practices can be a regular and normal feature of how the agency does its work.

Criteria 1: Implementing privacy practices

Informal

Adoption of privacy policies and practices by functional areas that collect or make use of personal information (for example, procurement, service design, contracting and funding, analysis and research, etc.) is ad-hoc, and tends to rely on the privacy officer/team involving themselves directly.

Basic

Some functional areas that collect or make use of personal information (for example, procurement, service design, contracting and funding, analysis and research, etc.) may reference, or integrate with, privacy policies and practices.

Managed

Functional areas that collect or make use of people’s personal information (for example, procurement, service design, contracting and funding, analysis and research, etc.) include recognised good practice advice (for example, DPUP) in their core processes.

Criteria 2: Linking privacy to organisational values

Informal

There is no link between organisational value frameworks, such as mission statements, and the importance of public trust in the use of personal information.

Basic

Organisational value frameworks, such as mission statements, include a focus on public trust, but the connection with respectful and transparent practice in the collection and use of personal information is not clear.

Managed

Organisational value frameworks, such as mission statements, draw a direct line between delivering quality service and exercising a collective focus on respectful and transparent practices in the use of personal information.

Criteria 3: Including privacy in employment

Informal

Letters of employment and job descriptions do not reference privacy obligations and responsibilities.

There is no clear link made between privacy capability and its role in developing and retaining public trust.

Basic

Some letters of employment and job descriptions reference privacy obligations and responsibilities.

There may be a link made between privacy capability and its role in developing and retaining public trust.

Managed

Letters of employment and job descriptions reference privacy obligations and responsibilities to develop and retain public trust in the collection and use of personal information.

5. Be a capable Treaty partner

Be a capable Treaty partner by supporting the Crown to fulfil its stewardship responsibility and strengthen the Crown’s relationships with Māori.

Guidance note

The Public Service Act 2020 highlights the responsibility of agencies to support the Crown in its Treaty obligations, and to develop and maintain its capability to engage with Māori and understand Māori perspectives.

Decisions to collect and use personal information can often involve material interests for Māori. This is increasingly so with the growth in interest and activities to use data, often originating from personal information, to improve how an agency thinks about and acts on public service imperatives.

This expectation highlights the importance of considering these factors and developing enabling privacy practices, such as the advice provided by Te Arawhiti and Statistics NZ.

Criteria 1: Identifying Māori privacy interests

Informal

There is little awareness of the need to identify Māori interests when designing or updating a service or process that involves the collection, use or sharing of personal information.

Basic

When designing or updating a service or process that involves the collection, use or sharing of personal information, individual initiatives develop their own practices to identify Māori interests.

Managed

When designing or updating a service or process that involves the collection, use or sharing of personal information, the agency has policies and practices that can identify relevant Māori interests.

Criteria 2: Partnering with Māori

Informal

The agency’s identification of and response to Māori privacy interests is ad-hoc or reactive.

Basic

When Māori privacy interests have been identified, individual initiatives define their own approach for understanding and responding to those interests.

Managed

When Māori privacy interests have been identified a partnership approach is used and provides for personal information to be interpreted with reference to Māori priorities, values and worldviews.
