2022 PMAF self-assessments

There were 45 organisations asked to complete a PMAF self-assessment. Of these, 44 organisations provided a response, which is the highest rate of return ever achieved.

For the list of organisations asked to complete the 2022 PMAF self-assessment, see Appendix A3.

Levels of privacy maturity in the results

The self-assessment covered the following 4 sections in the PMAF:

• Core expectations
• Leadership
• Planning, policies and practice
• Privacy domains.

The results across the 4 sections in the PMAF are broken down in Figure 1.

The majority of agencies reported their privacy maturity for the 4 sections of the PMAF as Foundational, with some agencies describing they were partially or fully Managed.

Only 5% of all the criteria were self-assessed as Informal. This is an encouraging result.

Detailed description of figure

This image shows the 4 sections of the PMAF as graphs. Each section’s graph shows the percentage of agencies that are at each level of privacy maturity.

For Core Expectations, 9% of agencies are at Informal, 61% at Foundational and 30% are at Managed.

For Leadership, 2% are at Informal, 68% at Foundational and 30% are at Managed.

For Planning, Policies & Practice, 7% are at Informal, 50% at Foundational and 43% at are Managed.

For Privacy Domains, 4% are at Informal, 60% at Foundational and 36% are at Managed.

View larger image (PNG 15KB)

New criteria for high-risk ways of using personal information

In the 2022 Privacy maturity self-assessment, government organisations were asked whether they have suitable and relevant privacy policies and practices for high-risk ways of using personal information that may attract specific public interest — examples include:

• biometrics and the impact those technologies have on privacy
• social media monitoring
• safety cameras identifying mobile phone use by drivers.

2022 results for high-risk ways of using personal information

Of the 44 organisations that responded to this question:

• 19 (43%) reported they were at a Managed level
• 16 (37%) reported they were at a Foundational level
• 9 (20%) reported they were at an Informal level.

There were 8 of the 44 agencies that mentioned initiatives that are relevant to high-risk ways of using personal information that may attract specific public interest, including the:

• New Zealand Traveller Declaration — New Zealand Customs Service
• High-wealth individuals research project — Inland Revenue
• Data Science Review Board — Ministry of Business, Innovation and Employment
• Automated Decision-making Standard (PDF 110KB) — Ministry of Social Development
• Emerging Technology Framework and Working Group — New Zealand Police

There were 15 of the 44 agencies that provided no comment relating to this criterion.

A further 10 agencies explicitly stated that they do not engage in activities using personal information that would gather high public interest, such as biometrics.

Development of guidance for high-risk ways of using personal information

As guidance is developed on high-risk ways of using personal information that attract high levels of public interest, privacy maturity in this area is expected to improve. An example is the work that the Office of the Privacy Commissioner is doing on biometrics regulation, including looking into developing a code of practice.

2022 key messages from the GCPO

Following analysis of the PMAF self-assessment responses, the GCPO has highlighted 4 main areas that are key levers for system maturity improvements over the coming year: resourcing, governance, Treaty partnership and training.

Resourcing

Resource privacy capability adequately to avoid preventable privacy risks and to build maturity over time. This includes not only resourcing specialist privacy teams, but building capability in other relevant areas, such as service design, IT, and information management. This would mean that the privacy basics are covered without the need for privacy team intervention at every stage.

Governance

Make sure privacy issues are visible at the governance level, that governance groups have the information they need, and that leaders actively promote privacy messages.

Treaty partnership

Government organisations are taking a variety of steps to be better Treaty partners in the ways they handle personal information — for example, taking into account Māori data sovereignty and te ao Māori perspectives on privacy.

Training

Many government organisations have done good work in developing privacy training. Further steps that organisations can take include making sure that training:

• is compulsory for all staff
• extends beyond induction and is relevant and engaging
• is required before being given access to core personal information systems.

2022 PMAF results and GCPO’s work programme

Insights from the PMAF self-assessments have informed aspects of the GCPO’s 2023 work programme.

Privacy micro-credential

The GCPO is developing a micro-credential on privacy foundational skills with Kāpuhipuhi Wellington Uni-Professional.

The aim of the micro-credential is to upskill staff and to train new privacy advisers to help address the critical skills shortage in the labour market.

The first micro-credential course will be available in May 2023.

Growing the privacy profession

In early 2023, the GCPO will start looking into developing additional training or guidance for new and existing privacy professionals. One example that’s being considered is working with the International Association of Privacy Professionals, the premier global privacy organisation, to develop materials relevant to New Zealand.

Share resources

The GCPO is starting to work with government organisations that have higher levels of privacy maturity to share the core resources that they’ve developed, such as:

• policies
• strategies
• roadmap formats
• training modules
• basic reporting metrics.

The intent is to create a toolkit of re-usable, editable resources.

This will reduce the need for agency privacy officers to build their own resources from scratch. It should particularly benefit small government organisations that do not have full-time privacy officers or teams.

By the end of June 2023, the GCPO aims to identify a home for such resources and have some key materials included in the toolkit.

In the meantime, the GCPO is actively connecting government organisations that are looking for resources on specific topics with others in the sector who can share their resources. Sharing training modules is one example that provides immediate benefit.

Support and advice

While the GCPO will continue to provide support and advice to all government organisations, it will concentrate on helping organisations that are struggling with their privacy maturity to develop practical solutions.

Collaboration with Māori

The GCPO will continue to work with the Office of the Privacy Commissioner, system leaders and others who are leading discussions about privacy on:

• Treaty partnerships
• Māori data sovereignty
• te ao Māori perspectives.

Looking ahead

Over time, increasing numbers of organisations will reach ‘Managed’ for their privacy maturity profile, but this is not likely to be across all sections of the framework.

Longer-term investment in privacy resources and capability will be needed to ensure that progress continues. The time and steps that organisations take to improve privacy maturity will be different, depending on the:

• scope of the organisation’s work
• organisation’s competing priorities
• existing state of the organisation’s assets
• level of risk associated with the information that the organisation holds.

2022 briefing to the minister

Read the GCPO 2022 briefing about the state of privacy maturity in the public service to the Digital Economy and Communications Minister and to Cabinet.

GCPO report on privacy maturity in the public service 2022 (PDF 462KB)