Assessing the PMAF elements

To complete a privacy maturity self-assessment, an agency will use the Privacy Maturity Assessment Framework (PMAF).

PMAF covers 4 sections:

• Core expectations: how privacy is conducted within the public service
• Leadership: how leadership champions privacy maturity
• Planning, policies and practice: how strategy and planning progress privacy maturity
• Privacy domains: what is essential to privacy maturity.

Each section has 2 to 6 elements to assess, and each element has 1 to 3 criteria to meet. How an agency assesses itself against each criterion depends on its size, purpose and legislative requirements.

• Core expectations
• Leadership
• Planning, policies and practices
• Privacy domains

Understanding that maturity is contextual

Agencies within the GCPO mandate vary in size, purpose and legislative requirements. Large agencies with a diverse range of businesses will approach their self-assessment in a different way to smaller, less diverse agencies.

It is important to understand that how an agency assesses its maturity levels should be contextual. This means an agency takes into consideration what’s appropriate for its size, purpose and legislative requirements.

For example, the only personal information an agency collects may be human resources-related personal information. This means that their assessment of their privacy practice would be applied to the personal information they collect about their employees. The breadth and depth of what they need to be ‘managed’ is different to an agency that has many service users and collects sensitive data.

Similarly, when looking at the Data Protection and Use Policy (DPUP) Principles and Guidelines, an agency with regulatory or enforcement powers would need to interpret those in a way that’s appropriate for their context.

DPUP relates to the respectful, trusted and transparent collection and use of information. Some agencies may not be sure if DPUP is applicable for their context. However, if your agency collects, uses or manages information from customers, clients or employees, for example, then a DPUP-centred approach will apply.

Data Protection and Use Policy (DPUP)

Steps to completing and submitting a self-assessment

Generally, the work to complete and submit a PMAF self-assessment is led by the privacy officer or privacy team, who must:

1. complete the self-assessment
2. secure Chief Executive approval and sign off
3. submit the self-assessment to GCPO.

Who to involve when completing a self-assessment

Although there is no one right way to complete a self-assessment, privacy officers or teams may find it useful to consult with the various business units on their privacy practices, achievements and challenges.

Business units may include:

• ICT, security and information management
• legal, funding, contracting and partnership
• service and programme design and implementation
• analysis, research and evaluation
• policy development
• human resources
• Māori engagement.

Depending on the size of an agency, privacy officers or privacy teams might:

• request information from other business units, then collate the replies
• do the self-assessment themselves and send it to other business units for review
• hold workshops with other business units to either complete the self-assessment or collate the results afterwards.

GCPO privacy consultants are available to support privacy officers or teams in completing their self-assessments. The consultants can attend workshops, discussions or meetings with other business units to provide advice about the PMAF elements and criteria. Contact your privacy consultant or email gcpo@dia.govt.nz for more information.

Using comments effectively

To help agencies track their privacy maturity and progress, they can make targeted comments on each criterion.

These are not mandatory, but they are recommended. This allows the GCPO to develop richer system insights.

Agencies have the option to make 4 different types of comments for each element:

• Context: where agencies can make overarching comments and give explanations
• Achievement: where agencies can note their achievements
• Future focus: where agencies can note what elements or criterion will be their focus for 1-year and/or 3-year plans
• Challenge: where agencies can note that this element and/or criterion is a particular challenge and why.

After self-assessments are submitted

Once the GCPO receives a self-assessment, it confirms receipt by email. The GCPO uses the self-assessments to produce agency reports and a system insight report. The GCPO sends each agency a report of its self-assessment results. It is up to agencies if they want to release their results.

The system insight report does not disclose individual agency results, only aggregated results are used. The GCPO uses this report to understand privacy maturity in the system across the New Zealand public service and to decide how privacy maturity can be improved. This report is presented to the Digital Economy and Communications Minister and to Cabinet after the Minister's review.

How agencies use their self-assessment results is up to them. Agencies can:

• use the results to plan their privacy strategy
• use PMAF to analyse and improve their privacy practices
• gain buy-in from senior leadership for the agency's privacy strategy and work programme.

Available support

The GCPO can support agencies in a variety of ways, including:

• providing online guidance
• answering questions
• meeting face-to-face.

Contact your privacy consultant or email gcpo@dia.govt.nz for support.