The Government Chief Privacy Officer has developed the Privacy Maturity Assessment Framework (PMAF) to help agencies assess their privacy capability and maturity.
The Government Chief Privacy Officer (GCPO) leads an all-of-government approach to privacy to raise public sector privacy maturity and capability. The connection between good privacy practice, public trust and the quality of the services government delivers is critical to ensuring that public services are trusted by, and accessible to, those who need them.
The GCPO developed the Privacy Maturity Assessment Framework (PMAF) to help agencies understand their current level of privacy capability, assess their maturity in managing personal information, and identify where they can improve.
The PMAF also asks agencies to think about the legitimate interests that communities have in data they consider ‘personal’ in a broader sense, often because it is derived from their personal information.
PMAF and self-assessments
Agencies that fall under the GCPO mandate use the PMAF to complete self-assessments that are submitted to the GCPO annually. These self-assessments enable agencies to focus on how to grow their privacy capability and maturity by reflecting on how they think about and manage the personal information that they are entrusted with.
The GCPO uses the aggregated data from the self-assessments to report on the privacy capability and maturity of the public sector.
The GCPO supports agencies using the PMAF by providing advice on how to use it and how to complete their self-assessments.
To complete its self-assessment, an agency will assess itself against the criteria for each element. An agency will have a maturity level for each of the 4 sections of the PMAF based on the maturity level for each element in the section.
The PMAF is about measuring privacy capability and maturity.
Improving privacy capability and maturity will help agencies better meet their legal obligations under the Privacy Act 2020.
The PMAF focuses on:
establishing privacy as a core part of high-quality public service delivery whose values are respect, inclusion and transparency
including the values, behaviours and practices that encourage a people-centred approach to privacy to complement established risk-informed practices
integrating other good practice advice aimed at making it easier to understand what ‘doing the right thing’ looks like, such as the Data Protection and Use Policy, and aligning with complementary domains such as information security and information management
encouraging an approach that clearly links the personal information collected to the desired outcome(s)
partnering with Māori to understand and respond to their interests in the collection and use of personal information about Māori, and to provide for such information to be interpreted with reference to Māori priorities, values and worldviews.