Privacy domains

Privacy domains is 1 of 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 6 elements to assess.

1. Require a clear understanding of the purpose

Require a clear understanding of the purpose and necessity of the collection, use and sharing of personal information.

Guidance note

Clarity of purpose is vital to determining whether an agency needs to collect personal information and, if so, what personal information is needed to meet the purpose.

It’s also vital to determine whether the ways in which an agency intends to use and share the information are lawful, appropriate and support public service values.

Clarity of purpose is the anchor for many other things, such as consent forms, privacy statements, privacy impact assessments, and more.

Criteria 1: Defining the purpose

Informal

The agency’s advice on defining the purpose for the collection, use, or sharing of personal information is ad-hoc or reactive.

Basic

The agency’s guidance on defining the purpose for the collection, use, or sharing of personal information is compliance-focused and risk-focused.

Managed

The agency has appropriately integrated the Data Protection and Use Policy’s ‘Purpose Matters’ guideline to accurately define purposes for collection, use, or sharing of personal information for projects and business processes.

Criteria 2: Identifying choices

Informal

It’s unusual to offer any choices to service users, and if it is done, it’s ad-hoc or reactive.

Basic

Steps to identify practical choices that service users may be given regarding the collection or use of their personal information are taken by individual initiatives.

Managed

When purposes have been suitably well-defined, additional processes are explicitly applied to identify when and how choices may be offered or accommodated, in line with both the Data Protection and Use Policy’s ‘Purpose Matters’ and ‘Transparency and Choice’ guidelines.

Criteria 3: Reducing personal information

Informal

Any steps to reduce or eliminate the need for collection or use of personal information are applied on an ad-hoc or reactive basis.

Basic

Steps to reduce or eliminate the need for the collection or use of personal information are taken by individual initiatives. Existing practice is rarely re-examined. It’s generally assumed that if information is being collected, it’s still reasonable to collect it.

Managed

When creating or updating a service or process, consideration is given to eliminating or reducing the need for personal information by ensuring that its collection, use and sharing are needed to accomplish the stated outcomes. Existing practice is not used as a justification for continued collection and use.

2. Ensure the use and storage of personal information

Ensure the use and storage of personal information protects against inappropriate access, use, and modification, whilst also ensuring effective and efficient support for its intended use.

Guidance note

Privacy by Design foundational principles serve as an overarching framework for inserting privacy and data protection early, effectively and credibly into information technologies, organisational processes, networked architectures and entire systems of governance and oversight. Privacy by Design seeks to raise the bar for privacy by promoting enhanced accountability and user trust.

If Privacy by Design provides the ‘what’ to do, then privacy engineering provides the ‘how’ to do it. Privacy engineering is the discipline of understanding how to include privacy as a non-functional requirement in systems engineering. While privacy may also appear as a functional requirement of a given system, for most systems privacy is ancillary to the primary purpose of the system.

IAPP — Privacy Engineering: Proactively Embedding Privacy, by Design

Criteria 1: Implementing Privacy by Design

Informal

Privacy, ICT, information management and other responsible teams work in silos when building and updating processes, products and services.

Basic

Privacy, ICT, information management and other responsible teams have limited engagement when building and updating processes, products and services.

Managed

Privacy, ICT, information management and other responsible teams work together to incorporate Privacy by Design methodology and principles when building and updating processes, products and services.

Criteria 2: Implementing privacy engineering

Informal

Privacy and ICT staff have no knowledge or understanding of using privacy engineering to address privacy considerations.

Basic

Privacy and/or ICT staff may have some knowledge and understanding of using privacy engineering to address privacy considerations. When building and updating processes, products and services, individual initiatives have privacy and ICT staff work together to incorporate the privacy engineering objectives of predictability, manageability and dissociability by using privacy design strategies (for example, minimise, hide, separate, aggregate, inform, control, enforce and demonstrate).

Managed

When building and updating processes, products and services, privacy and ICT staff work together to incorporate the privacy engineering objectives of predictability, manageability and dissociability by using privacy design strategies (for example, minimise, hide, separate, aggregate, inform, control, enforce and demonstrate).

3. Make it easy for people to access

Make it easy for people to access and request correction to their information.

Guidance note

People may not understand what rights they have to see the personal information that has been collected about them, to ask for that information to be corrected, or to express a preference as to how they’d like to access their information.

Ensuring that people understand these rights helps build public trust and confidence. Lack of this understanding may deter people from providing their personal information and receiving a service they need.

For people to act on these rights, the process to do so needs to be easy to understand and use. For an agency to respond to these requests, their systems and processes need to be able to support responding within the legislative timeframe.

Criteria 1: Having a process

Informal

The approach to responding to access requests is ad-hoc or reactive, and it’s not easy for clients to find or understand how to do this.

Basic

Customers and clients can find a process to make an access request, but it’s not clear if they find it easy to use.

Managed

Customers and clients can easily find and understand the process to make an access request.

Criteria 2: Monitoring the process

Informal

Access request responses are done on an ad-hoc basis with no systematic monitoring.

Basic

The agency has an access request process. The requesters and the agency have little visibility of whether access request responses are meeting the legislative requirements.

Managed

The agency has a customer-centred access request process that incorporates the Data Protection and Use Policy’s ‘Access to Information’ guideline.

The agency monitors and ensures that access request responses meet the legislative requirements and support the agency’s reputation as an effective and trusted custodian of New Zealanders’ personal information.

Data Protection and Use Policy — Access to Information Guideline

Criteria 3: Reviewing the process

Informal

Actions to improve the process for responding to access requests are ad-hoc or reactive.

Basic

Consideration of easy access and collation of personal information to enable timely responses to access requests rests with individual initiatives.

Managed

Information management and ICT system reviews explicitly include consideration of easy access and collation of personal information to enable timely responses to access requests.

4. Understand and assess privacy risks

Understand and assess privacy risks and manage commensurately.

Guidance note

An agency’s work to develop, implement, and improve its privacy practices is best informed by a suitable understanding of its risk position, which in turn is dependent on a suitable understanding of the types of personal information it holds, why it’s collected, and how it’s used and shared.

This understanding needs to be based on a holistic picture of the agency’s holdings and activities, not only about specific projects and programmes of work.

As privacy objectives are delivered and/or as the agency’s holdings and activities change, updating and maintaining both the macro and micro risk pictures helps to draw a clearer line of sight between the risk picture and further actions taken to improve privacy practices.

Criteria 1: Knowing the agency’s risks

Informal

Privacy risks are not assessed or are assessed for specific events and incidents.

Basic

Privacy risks are assessed based on little understanding and knowledge of personal information holdings and the collection, uses, sharing activities, and storage of personal information.

Managed

Privacy risks are assessed based on an understanding and knowledge of personal information holdings, focusing on collection, uses, sharing activities, and storage.

Criteria 2: Managing agency’s risks

Informal

Agency privacy risk assessments, which provide a snapshot of an agency’s current privacy risks, are not done.

Basic

Agency privacy risk assessments, which provide a snapshot of an agency’s current privacy risks, are siloed within the privacy team and are not part of the agency’s overall risk assessment.

Managed

Agency privacy risk assessments, which provide a snapshot of an agency’s current privacy risks and how it will manage them as an organisation, are part of the agency’s overall risk assessment, and are conducted and reviewed periodically.

Criteria 3: Managing project risks

Informal

Project risk assessments, which are done to assess the privacy risk of new or updated processes, products or services, are done occasionally or not at all. The privacy team has little or no visibility of project privacy risks.

Basic

Project risk assessments are done to assess the privacy risk of new or updated processes, products or services. Oversight by the privacy team and lines of ownership and accountability are not clear.

Managed

Project risk assessments are done to assess the privacy risk of new or updated processes, products or services with the support of and oversight by the privacy team. They cover the whole information life cycle and have clear lines of ownership and accountability.

5. Reduce the impact of privacy breaches

Reduce the impact of privacy breaches and incidents through good privacy practices.

Guidance note

Managing privacy breaches begins with the 4 key steps of contain, assess, notify and prevent.

The effectiveness of these steps can be improved by:

  • having clear roles and responsibilities in the incident management plan
  • regularly testing the plan, and
  • integrating the plan into business continuity plans.

Conducting tabletop exercises to test and validate the plan’s activities will ensure that the plan works as intended and familiarise the team with their roles and responsibilities.

The impact of breaches can be reduced by having practices that reduce the collection and retention of personal information.

Criteria 1: Having a privacy incident register

Informal

The agency may have a privacy incident register and/or a privacy incident response plan. Neither is reviewed regularly.

Basic

The agency has a privacy incident register and a privacy incident response plan. Learning from privacy incidents and breaches is done by individual initiatives.

Managed

The agency has:

  • a privacy incident register that is used by staff and/or privacy team
  • a tested privacy incident response plan (including partners and third parties) that is integrated into its business continuity planning
  • a process for learning from privacy incidents and breaches.

Criteria 2: Minimising collection of personal information

Informal

Consideration of whether personal information needs to be collected is based solely on compliance and risk assessments.

Basic

Consideration of whether personal information needs to be collected and whether there are alternative ways to accomplish the desired outcome may be done by individual initiatives. Little or no review of the personal information already being collected is done when updating a process, product or service.

Managed

The agency collects only personal information that is clearly linked to the desired outcome and investigates alternative ways to accomplish the desired outcome that eliminate or reduce the need for personal information.

Criteria 3: Retaining personal information

Informal

The retention and destruction of personal information is done on an ad-hoc basis.

Basic

The agency has information policy and practices that include the retention and destruction of personal information.

Managed

The agency has, maintains and promotes information policy and practices that include the retention and destruction of personal information, and the destruction of personal information is authorised by the government’s Chief Archivist.

6. Enable personal information use, reuse and sharing

Enable personal information use, reuse and sharing to support a unified public service that provides the public with effective services.

Guidance note

The Privacy Act 2020 and other related legislation have provisions that enable the sharing of personal information to ensure that agencies and people with a legitimate purpose can access information they need.

When building privacy awareness, culture, capability and practices, it’s important that a range of teams understand those enabling elements and are supported to act on them so that they can deliver services that meet public expectations.

Even when it’s not practical or possible to share personal information with the group or community from which it came, it remains important to share the value of information and insights that were developed using their personal information in some non-identifiable form. This may include data and data sets, analyses, qualitative or quantitative information, statistics, research, reports or studies.

Criteria 1: Having policies

Informal

Decisions to re-use or share personal information are made operationally and on an ad-hoc or reactive basis.

Basic

Individual initiatives decide whether and how to re-use or share personal information, and this is primarily seen as a risk-based decision.

Managed

Information management and privacy policies include enabling advice on how to appropriately use and share personal information when individuals can be identified.

These policies also refer to relevant external sources (for example, information to support tamariki wellbeing, information sharing under the Family Violence Act 2018).

Criteria 2: Understanding communities’ interest

Informal

Sharing of non-personal information is ad-hoc or reactive.

Basic

Individual initiatives take steps to share non-personal information that is of interest to communities. Privacy and other relevant policies may contain little or no guidance on this topic.

Managed

Privacy and other relevant policies incorporate advice for the appropriate reuse and sharing of non-personal information of interest to communities that does not identify individuals (for example, data and data sets, analysis, qualitative or quantitative information, statistics, research, reports or studies) from: