Planning, policies and practice

Planning, policies and practice is 1 of 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 2 elements to assess.

1. Strategy and planning

Formulate a privacy approach, a strategy for achieving it and a roadmap to bring it to life.

Guidance note

An agency’s privacy approach describes in simple terms ‘how privacy gets done’. It’s a high-level description of roles and responsibilities, core business processes that ‘do the doing’ and the owners of those processes, and an outline of how the approach is governed and monitored.

The privacy strategy sets coherent objectives for where the agency wishes to get to with its privacy practices, and describes the key areas of activity that will achieve these objectives.

These objectives will work well if they are targeted and make sense in the context of the agency’s overall privacy stance and risk profile rather than being generic or overly broad.

The strategy would specify its time horizon, scheduled updates, and the audiences who are expected to understand and support the subsequent roadmap of activities.

If the strategy is an expression of the objectives, then the roadmap describes how to travel between the current state and the future state.

A roadmap would set out the activities to be undertaken; their dependencies, timing and duration; and the accountabilities and resourcing needed to deliver the strategy’s objectives.

These planning documents ‘carry the message’ to others about where the agency is headed with privacy, why those are the objectives, and how it intends to deliver them. Making these documents easy to understand and engage with will help the teams who contribute to those activities achieve the agency’s privacy objectives.

Criteria 1: Planning

Informal

Privacy planning is ad-hoc or reactive to specific events and incidents.

Basic

Privacy planning is seen as the domain of the privacy officer/team with little or no connection to the rest of the organisation.

Managed

Privacy planning includes all areas of the agency, comprehensively addresses the collection, use, storage and security of personal information, and is flexible enough to accommodate changes arising either from the wider business environment or from the results of assurance activity.

Criteria 2: Planning documents

Informal

The agency does not have privacy planning documents (for example, strategy, roadmap and work programme).

Basic

The agency has privacy planning documents (for example, strategy, roadmap and work programme) which are reviewed regularly.

Managed

Privacy planning documents (for example, strategy, roadmap and work programme) are easy to understand, communicated to those with relevant responsibilities, and reviewed regularly to ensure that they remain relevant and aligned with the agency’s organisational and system context (nature, scale and risk).

Criteria 3: Reporting

Informal

Reporting is ad-hoc and is about specific events and incidents.

Basic

Progress towards privacy strategy, roadmap and work programme is reported to senior leadership and relevant governance bodies on an initiative basis.

Managed

Progress towards privacy strategy, roadmap and work programme is tracked and reported regularly to senior leadership and relevant governance bodies.

2. Competent practice

Have policies to equip managers and staff to play their part in achieving the core expectations.

Guidance note

People can work with personal information with greater confidence if they know what to do, when to do it and who to contact for support and advice.

Project teams, policy teams, service designers and others can use privacy policies to help them think about their activities and tasks that involve personal information in the context of the work carried out by those various teams.

Privacy policies also need to include and extend to contractors, partners and suppliers who may be involved in working with personal information. Their needs and requirements may be different from those of internal staff.

Anyone who is expected to contribute towards good privacy practices should also be confident that, having understood the expectation, they can readily equip themselves to act on it through access to practical, documented descriptions of what contribution they need to make.

Criteria 1: Policies

Informal

Privacy policies are insufficient to meet the agency’s privacy needs, are communicated on an ad-hoc or reactive basis and are not regularly reviewed.

Basic

Privacy policies meet the agency’s privacy needs.

They are used by individual initiatives or within a subset of core business processes (such as procurement, policy/service design, front-line operations and management, analysis and research) but are not explicitly aligned to agency needs, accounting for nature, scale, and risk.

Managed

Privacy policies are easy to understand, communicated and accessible throughout the agency, and reviewed regularly to ensure that they remain relevant and aligned with the agency’s needs — accounting for nature, scale and risk.

Criteria 2: Contracts

Informal

The inclusion of privacy policies in procurement contracts is ad-hoc or reactive.

Basic

The agency’s procurement contracts sometimes include terms and conditions relating to privacy policies and practices, but this happens at the individual initiative level and is not a standard practice.

Managed

The agency’s procurement contracts include standard terms and conditions relating to privacy, and privacy policies include advice on external suppliers and personal information.
