Leadership

Leadership is 1 of 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 3 elements to assess.

1. Effective oversight

Effective oversight for privacy practice through effective governance.

Guidance note

The success of an agency’s activities to build a privacy culture, develop privacy capability and implement its privacy programme requires governance and oversight by the senior leadership/executive team.

Ensuring that the privacy officer provides regular updates and is able to discuss the agency’s various privacy activities with the senior leadership/executive team, increases the likelihood of a successful, appropriate and efficient implementation of these activities.

An agency will have existing oversight structures and practices, and these will be the natural starting point for designing and implementing effective oversight of privacy activities and the monitoring processes that support and enable effective oversight.

Criteria 1: Privacy reporting

Informal

Senior leadership/executive team has little awareness of, or pays little attention to, privacy and its management.

Basic

Privacy officer engages with the senior leadership/executive team, governance board and/or committees when there are specific issues and events that need to be addressed.

Managed

The privacy officer has regular updates and discussions with the senior leadership/executive team, governance board and/or committees on the agency’s privacy culture and values, privacy strategy and programme, and privacy issues and risks.

Criteria 2: Privacy and risk management

Informal

People have an idea of who is responsible for aspects of privacy. Day-to-day functional leadership responsibilities have not been clearly assigned and privacy is not integrated into the agency’s risk management structure.

Basic

A senior leader has been assigned responsibility for functional oversight for privacy, though privacy is not integrated into the agency’s risk management structure.

Managed

Functional oversight for privacy and its work programme is integrated into the risk management organisational structure and includes monitoring compliance.

2. Delivery of objectives

Delivery of objectives through management structure, roles and responsibilities, and the capacity to achieve these objectives.

Guidance note

The working structure of people, teams and accountabilities is what a privacy officer/team relies on to get suitable visibility into the progression of the privacy work programme to achieve the agency’s privacy objectives.

With this visibility, privacy advice, support and direction can be provided as needed.

Project teams, new initiatives, planners and resource managers need to understand what and how they contribute to these objectives and know that these objectives are linked to organisational priorities.

For the senior leadership/executive team to have confidence that privacy objectives will be met, having the right resourcing, both in number and capability, is essential.

Criteria 1: Responsibility and accountability

Informal

Responsibility and accountability for the implementation of the privacy strategy and work programme are unclear or absent.

Basic

The responsibility and accountability for the implementation of the privacy strategy and work programme is seen as the sole responsibility of the privacy officer/team and is not suitably distributed throughout the agency to ensure their implementation and the application of Privacy by Design principles.

Managed

Formal line management and governance includes responsibility and accountability for implementation of the privacy strategy and work programme. These responsibilities are suitably distributed throughout the agency to ensure their implementation and the application of Privacy by Design principles.

Criteria 2: Resourcing

Informal

Resourcing for privacy staff and activities is ad-hoc and not commensurate with the agency’s privacy profile and privacy work programme.

Basic

Resourcing for privacy staff and activities is planned at the individual initiative level.

Managed

Resourcing for privacy staff and activities is considered at a strategic level within the agency and is commensurate with the agency’s privacy profile and privacy work programme.

Criteria 3: Oversight and visibility

Informal

Privacy activities are ad-hoc or reactive.

Basic

Because privacy objectives are planned at the individual initiative level, the privacy officer/team is not able to have sufficient visibility and oversight of the initiatives that need to deliver privacy objectives.

Managed

The privacy officer/team oversees the privacy work programme, maintains central oversight of privacy initiatives and activities on an agency-wide basis, communicates regularly with other related functions (for example, information management, security, risk management), and has clear alignment (where applicable) with their work programmes.

3. Confidence in organisational progress

Confidence in organisational progress through appropriate monitoring and assurance practices.

Guidance note

The integration of monitoring and assurance practices with the conduct of privacy activities is a key element of good practice for the same reasons that monitoring and assurance are used in any other areas of an agency’s business.

Criteria 1: Privacy and assurance

Informal

The agency adopts and implements the first of the 3 lines of defence:

  • First line: Business processes are designed to mitigate residual privacy risk to within the agency’s risk tolerance.

Basic

The agency adopts and implements 2 of the 3 lines of defence:

  • First line: Business processes are designed to mitigate residual privacy risk to within the agency’s risk tolerance.
  • Second line: Privacy and risk activities are integrated with the wider system of internal controls as part of the agency’s assurance framework.

Managed

Privacy and assurance staff work together to adopt and implement the 3 lines of defence for privacy, as appropriate:

  • First line: Business processes are designed to mitigate residual privacy risk to within the agency’s risk tolerance.
  • Second line: Privacy and risk activities are integrated with the wider system of internal controls as part of the agency’s assurance framework.
  • Third line: Internal audits or other equivalent independent assurance practices evaluate and improve the agency’s privacy risk management, control and governance processes.