Core expectations

Core expectations is 1 of the 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 5 elements to assess.

Before you start

It’s helpful to read:

To complete your agency’s self-assessment, download and use the 2 forms.

PMAF self-assessment forms

1. Take a people-centred approach

Take a people-centred approach to privacy that is respectful of those the information is about and provides the public with effective services.

Guidance note

A people-centred approach is one that seeks to understand, invite and act on the perspectives and interests of the people that the personal information is about when planning and undertaking activities and actions to collect, use or share their personal information.

Based on extensive engagement across the social sector, the Principles of the Data Protection and Use Policy (DPUP) focus on how to develop a way of working that respects people, their personal information and their stories. Key features of such an approach are:

  • inclusion and participation in the development of new ideas
  • making it easy to understand what’s happening
  • making it easy for people to access and request corrections to their information.

While DPUP was developed for the social sector, it can be used by any agency in any sector. DPUP’s Principles and Guidelines align strongly with good privacy practices. Agencies can adapt them for their context and the amount and type of personal information they collect and use.

The definition of social sector used by the Social Wellbeing Agency and DPUP includes these government agencies: Ministry of Social Development, Te Puni Kōkiri, Ministry of Education, Ministry of Health, Ministry of Housing and Urban Development, Kāinga Ora, New Zealand Police, Ministry of Justice, Accident Compensation Corporation, Oranga Tamariki — Ministry for Children, Department of Corrections, Ministry of Business, Innovation and Employment, Inland Revenue, Department of Internal Affairs, Tertiary Education Commission, New Zealand Qualifications Authority, and the Social Wellbeing Agency.

DPUP terminology

Criteria 1: Having a people-centred privacy programme

Criteria 2: Connecting with service users

Criteria 3: Being transparent

2. Build and maintain a privacy culture

Build and maintain a privacy culture that embodies the public service values of being impartial, accountable, trustworthy, respectful and responsive.

Guidance note

The Public Service Act 2020 supports developing a robust privacy culture, noting the fundamental characteristic of the public service is acting with a spirit of service to the community. The Act’s values describe the necessary behaviours for public servants to maintain integrity, which promotes trust and confidence in the public service.

Public Service Act 2020 reforms — Te Kawa Mataaho Public Service Commission

It’s not always clear or easy to understand how actions taken with personal information can support (or undermine) public service values.

To build and maintain a privacy culture, leaders and managers can help by establishing and informing this understanding, so that people throughout the agency recognise this important connection between collecting and using personal information and public service values.

Privacy training and awareness are key to building and maintaining a privacy culture. Privacy awareness reinforces training through reminders. Awareness activities may include:

  • posters
  • booklets and flyers
  • newsletters
  • campaigns (for example, Privacy Week).

Criteria 1: Creating a privacy culture

Criteria 2: Communicating privacy values and aspirations

Criteria 3: Developing privacy awareness

3. Build and maintain privacy capability

Build and maintain privacy capability so that people have the knowledge and skills they need to contribute to good privacy practice.

Guidance note

Privacy training is the foundation for building privacy capability and an effective privacy culture.

Privacy training is not about trying to make everyone experts in the legislation. It’s to provide staff and managers with the knowledge and tools to adopt and apply appropriate privacy concepts and principles to their work.

People are more likely to retain and use training if it’s relevant to what they see on a daily basis. People change roles or their current role may acquire additional responsibilities, so privacy training is an ongoing activity throughout their career at the agency.

For agencies that collect a lot of personal information about many clients, effective privacy training would also address employees’ understanding of what they can and cannot do with clients’ personal information. For example, training should include an explanation of why employees must not:

  • browse clients’ records when they have no legitimate need to
  • post client information on social media, in either open or closed groups.

Programme activities and resources

Criteria 1: Conducting privacy training

Criteria 2: Monitoring and updating privacy training

Criteria 3: Providing additional privacy training

4. Establish a sense of collective responsibility

Establish a sense of collective accountability in which managers and staff understand their duty to ensure that personal information is collected and used appropriately.

Guidance note

Sometimes privacy is seen as the specialised domain of a particular team.

However, all of the following originate outside of privacy teams:

  • general custodianship of information and information systems
  • working with third-party suppliers and providers
  • designing a new service, product, policy or process
  • using personal information to inform new actions.

This expectation is about weaving a coherent and explicit understanding of that distributed network of activities and accountabilities, so good privacy practices can be a regular and normal feature of how the agency does its work.

Criteria 1: Implementing privacy practices

Criteria 2: Linking privacy to organisational values

Criteria 3: Including privacy in employment

5. Be a capable Treaty partner

Be a capable Treaty partner by supporting the Crown to fulfil its stewardship responsibility and strengthen the Crown’s relationships with Māori.

Guidance note

The Public Service Act 2020 highlights the responsibility of agencies to support the Crown in meeting its Treaty obligations, and to develop and maintain the capability of the public service to engage with Māori and understand Māori perspectives.

Agencies making decisions about the use of personal information should consider the Crown’s obligations under the Treaty. This includes the need to engage with Māori about collection, use or sharing of personal information, and to assess the impacts on whānau, hapū and iwi, Māori individuals and Māori data.

Agencies should consider that Māori may have distinct cultural understandings, needs and interests, and experiences that shape their perspectives on privacy and personal information.

When considering developing privacy practices that reference Māori priorities, values and worldviews, agencies can be guided by DPUP’s Principles, Guidelines and related behaviours, which are aligned with te ao Māori values.

Agencies can also consider the advice provided by Te Arawhiti and Stats NZ.

Data Protection and Use Policy (DPUP)

This expectation highlights the importance of considering these factors and developing enabling privacy practices, such as the advice provided by Te Arawhiti and Stats NZ:

Things to consider

Working with Māori in the area of privacy is an evolving space. It is each agency’s responsibility to identify ways to engage with Māori about privacy that are appropriate to its size, purpose and legislative requirements. Consideration of the Māori Data Sovereignty principles of Te Mana Raraunga may also be helpful.

Decisions to collect and use personal information can often involve material interests for Māori. This is increasingly so with the growth in interest and activities that use data, often originating from personal information, to inform public policies and services.

The Privacy Commissioner is required to take account of cultural perspectives on privacy under section 21 of the Privacy Act, and the Commissioner will consider Māori perspectives on privacy when exercising regulatory functions under the Act.

The Office of the Privacy Commissioner has published these examples of specific situations relating to Māori and privacy. These can help agencies consider how they might apply these learnings to their context. Agencies should keep abreast of new developments in this area.

Criteria 1: Identifying Māori privacy interests

Criteria 2: Partnering with Māori
