What PMAF is
The Privacy Maturity Assessment Framework (PMAF) helps agencies understand their current level of privacy maturity in managing personal information, and identify where they can improve.
The Government Chief Privacy Officer (GCPO) leads an all-of-government approach to privacy to raise public sector privacy maturity and capability. The connection between good privacy practice, public trust and the quality of the services government delivers is critical to ensuring that public services are trusted and accessible to those who need them.
Improving privacy capability and maturity will help agencies both meet their legal obligations under the Privacy Act and raise trust and confidence in the public sector.
PMAF also asks agencies to consider the legitimate interests communities have in data they regard as personal in a broader sense, because that data is derived from their personal information.
PMAF focuses on:
- establishing privacy as a core part of high-quality public service delivery whose values are respect, trust and transparency
- including the values, behaviours and practices that encourage a people-centred approach to privacy to complement established risk-informed practices
- integrating other good practice advice aimed at making it easier to understand what ‘doing the right thing’ looks like, such as the Data Protection and Use Policy (DPUP), and aligning with complementary domains such as information security and information management
- encouraging an approach that clearly links the personal information collected to the desired outcomes
- partnering with Māori to understand and respond to their interests in the collection and use of personal information about Māori, and to provide for such information to be interpreted with reference to Māori priorities, values and worldviews.
PMAF and self-assessments
Agencies under the GCPO mandate use PMAF to complete self-assessments that are submitted to the GCPO annually.
These self-assessments enable agencies to focus on how to grow their privacy capability and maturity by reflecting on how they think about and manage the personal information they are entrusted with.
To complete a self-assessment, an agency assesses itself against the criteria for each element. An agency will have a maturity level for each of the 4 PMAF sections based on the maturity level for each element in the section. The GCPO supports agencies using PMAF by providing advice on how to use PMAF and do their self-assessment.
The GCPO uses the aggregated data from the self-assessments to report on:
- the public sector’s privacy capability and maturity
- how the GCPO can help agencies uplift their privacy maturity and capability.
PMAF is made up of 4 sections that agencies use to assess their privacy capability and maturity:
- Core expectations — how privacy is conducted within the public service
- Leadership — how leadership champions privacy maturity
- Planning, policies and practice — how strategy and planning progress privacy maturity
- Privacy domains — what is essential to privacy maturity.
Each section is made up of elements, and each element has 1 to 3 criteria. Agencies assess their maturity level against each criterion.
PMAF maturity levels
PMAF has 3 maturity levels: informal, foundational and managed.
Agencies should aim to achieve the managed maturity level.
Maturity level: Informal
An informal maturity level indicates that:
- the agency’s approach to privacy is unstructured
- privacy is generally seen as a compliance exercise
- planning and implementing the agency’s privacy work programme and other privacy activities need to be developed.
Maturity level: Foundational
A foundational maturity level indicates that:
- an agency-wide approach to privacy is developing
- good privacy practices are siloed, happening at the individual initiative and team level rather than at the agency-wide level
- planning and implementing the agency’s privacy work programme and other privacy activities mainly occur at the individual initiative and team level rather than at the agency-wide level.
Maturity level: Managed
A managed maturity level indicates that:
- the agency’s approach to privacy is comprehensive and commensurate with its need
- good privacy practices are part of the agency’s privacy culture
- planning and implementing the agency’s privacy work programme and other privacy activities are strategic and appropriately resourced.
After several government agencies had high-profile privacy breaches in 2012, the GCPO was established and PMAF was developed.
In addition, 2 groups, the Privacy Leadership Forum and the Privacy Working Group, were established. As part of their work, they engaged an external consultant to develop a Privacy Maturity Assessment Framework.
To ensure the framework was effective and met the needs of different agencies, a variety of agencies took part in a pilot and gave input between October 2013 and February 2014.
Following the consultation, the framework was updated. Agencies first used the framework to submit their 2015 privacy self-assessments to the GCPO. That framework was in use until 2020.
Privacy has grown steadily in importance and in meaning since 2015. This, along with environmental influences and agency feedback, meant PMAF needed a refresh to:
- reflect changes in the Privacy Act 2020 and Public Service Act 2020
- accommodate the good practice advice in DPUP
- recognise and link in with other sources of advice that relate to aspects of privacy.
To develop the new framework, privacy officers from 22 agencies took part in 6 stakeholder workshops. Their feedback focused on how PMAF needed to be easy to understand, with a clear rationale and focus on outcomes for people.
Agencies then tested the new PMAF by completing their 2020 self-assessments between May and July 2021. Based on the findings from the test, revisions were made. The 2 major changes were to rework the algorithm and to remove the enhanced maturity level. The framework was finalised in November 2021.
To differentiate between the versions, they are referred to as PMAF 2015 and PMAF 2021.
The good privacy practice embedded in PMAF corresponds to the Public Service Commission Code of Conduct, which says the public service must be fair, impartial, responsible and trustworthy.