Learn about the PMAF

The Government Chief Privacy Officer has developed the Privacy Maturity Assessment Framework (PMAF) to help agencies assess their privacy capability and maturity.

The Government Chief Privacy Officer (GCPO) leads an all-of-government approach to privacy to raise public sector privacy maturity and capability. The connection between good privacy practice, public trust and the quality of the services government delivers is critical to ensure that public services are trusted and accessible by those who need them. 

The GCPO developed the Privacy Maturity Assessment Framework (PMAF) to help agencies understand their current level of privacy capability, assess their maturity in managing personal information, and identify where they can improve. 

The PMAF also asks agencies to think about the legitimate interests that communities have in data they consider ‘personal’ in a broader sense, often because it is derived from their personal information. 

PMAF and self-assessments

Agencies that fall under the GCPO mandate use the PMAF to complete self-assessments that are submitted to the GCPO annually. These self-assessments enable agencies to focus on how to grow their privacy capability and maturity by reflecting on how they think about and manage the personal information that they are entrusted with.  

The GCPO uses the aggregated data from the self-assessments to report on the privacy capability and maturity of the public sector. 

The GCPO supports agencies using the PMAF by providing advice on how to use the framework and complete their self-assessments.

To complete its self-assessment, an agency assesses itself against the criteria for each element. The agency then has a maturity level for each of the 4 sections of the PMAF, based on the maturity levels of the elements in that section.

PMAF focus 

The PMAF is about measuring privacy capability and maturity.

Improving privacy capability and maturity will help agencies better meet their legal obligations under the Privacy Act 2020.

The PMAF focuses on: 

  • establishing privacy as a core part of high-quality public service delivery whose values are respect, inclusion and transparency 
  • including the values, behaviours and practices that encourage a people-centred approach to privacy to complement established risk-informed practices 
  • integrating other good practice advice aimed at making it easier to understand what ‘doing the right thing’ looks like, such as the Data Protection and Use Policy, and aligning with complementary domains such as information security and information management
  • encouraging an approach that clearly links the personal information collected to the desired outcome(s) 
  • partnering with Māori to understand and respond to their interests in the collection and use of personal information about Māori, and to provide for such information to be interpreted with reference to Māori priorities, values and worldviews. 

PMAF structure 

Diagram 1. Privacy Maturity Assessment Framework (PMAF)

Detailed description of diagram:

The Privacy Maturity Assessment Framework (PMAF) is made up of 4 sections. These are core expectations; leadership; planning, policies and practice; and privacy domains.

There are 4 levels of privacy maturity: informal, basic, managed and enhanced.

The managed maturity level is usually the appropriate maturity level for an agency to achieve and sustain.

PMAF sections

The PMAF is made up of 4 sections in which agencies assess their privacy capability and maturity. Each section is made up of elements and each element has 1 to 3 criteria:  

  • Core expectations (5 elements) 
  • Leadership (3 elements) 
  • Planning, policies and practice (2 elements) 
  • Privacy domains (6 elements) 

PMAF maturity levels

The PMAF has 4 maturity levels: informal, basic, managed and enhanced.

The managed maturity level is usually the appropriate maturity level for an agency to achieve and sustain. 

Maturity level: Informal

Informal maturity level indicates that: 

  • the agency’s approach to privacy is unstructured 
  • privacy is generally seen as a compliance exercise 
  • planning and implementing the agency’s privacy work programme and other privacy activities need to be developed.

Maturity level: Basic

Basic maturity level indicates that: 

  • an agency-wide approach to privacy is developing 
  • good privacy practices are siloed, happening at the individual initiative and team level rather than at the agency-wide level 
  • planning and implementing the agency’s privacy work programme and other privacy activities are more tactical and often occur at the individual initiative and team level rather than at the agency-wide level.

Maturity level: Managed

Managed maturity level indicates that: 

  • the agency’s approach to privacy is comprehensive and commensurate with its need 
  • good privacy practices are part of the agency’s privacy culture 
  • planning and implementing the agency’s privacy work programme and other privacy activities are strategic and appropriately resourced. 

Maturity level: Enhanced

The managed maturity level is usually the appropriate maturity level for an agency to achieve and sustain. However, an agency may determine that it needs to adopt and implement enhanced privacy measures for certain elements of the framework, based on its assessment of a variety of factors.

Some factors to consider would be about the personal information the agency collects, uses and shares:

  • scale or volume of the personal information: if a privacy incident occurs, the volume of people affected may be large
  • nature or class of personal information: if a privacy incident occurs, the potential or actual harm to people affected may be significant
  • in-depth personal information about an individual(s): if a privacy incident occurs, the potential or actual harm to the individual(s) affected may be significant
  • volume of inter-agency transfer of personal information: if an agency, as part of its regular operations, shares or receives a significant volume of personal information with/from other agencies, the challenges of managing and protecting personal information may be greater
  • volume of cross-border transfer of personal information: if the agency has offices, staff and/or third party suppliers around the world, the challenges of managing and protecting personal information may be greater.

Other factors to consider would be about what the agency would like to achieve through its collection, use and sharing of personal information:

  • to more richly demonstrate trustworthiness to stakeholders and clients/customers, especially where a group of people or a community has a lower level of trust in government’s collection and use of their personal information, by enhancing core expectation 1 (take a people-centred approach)
  • to be able to more confidently support opportunities to use personal information to improve outcomes by enhancing core expectation 3 (build and maintain privacy capability) and privacy domain 6 (enable personal information use, reuse and sharing)
  • to share information with a number of other agencies, NGOs, iwi and third party suppliers when required or asked to do so to meet government objectives, by enhancing privacy domain 6 (enable personal information use, reuse and sharing) and planning, policies and practice 2 (competent practice)
  • to support business plans to utilise new or emergent technologies (for example, artificial intelligence, facial recognition software) by enhancing privacy domain 2 (ensure the use and storage)
  • to develop high-quality privacy practices that can be shared with other agencies and raise system capability and maturity.

The agency will decide what enhanced privacy measures it will adopt and implement depending on the situation being addressed. Some possible measures could be:

  • embedding Privacy by Design by having the privacy team as part of project teams that meet the agency’s criteria for enhanced privacy measures
  • developing internal capability to do complex Privacy Impact Assessments which gives the agency greater connection to the design and implementation of a project or initiative
  • establishing a data and information governance group for personal information that may require enhanced privacy measures
  • establishing escalation procedures (which are tested regularly) that document clearly how and to whom staff, contractors and third party suppliers should raise privacy questions
  • building expertise in the privacy team and among key staff through certifications, extra training and similar measures
  • building greater privacy expertise among staff, contractors and third party suppliers
  • developing the ability to rapidly address any increased need for privacy expertise through a responsive delivery of pre-packaged training materials
  • assessing proactively and periodically clients’/customers’ understanding and perceptions of the transparency and trustworthiness of the agency’s privacy practices.
