Planning, policies and practice
Planning, policies and practice is 1 of 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 2 elements to assess.
Before you start
It’s helpful to read:
To complete your agency’s self-assessment, download and use the 2 forms.
1. Strategy and planning
Formulate a privacy strategy, a roadmap to bring it to life and a work programme to achieve it.
An agency’s privacy strategy, privacy roadmap and privacy work programme should be short, functional, living documents that are appropriate to the agency’s context and to the amount and type of personal information it collects and uses.
Note: These documents do not have to be called privacy strategy, privacy roadmap or privacy work programme, or be separate documents. The important thing is to record what your agency plans to do to improve privacy maturity, how it will achieve that and how it will measure progress against these plans.
These planning documents should be easy to understand, engage with and communicate:
- where the agency is headed with privacy
- why these are the objectives
- the agency’s intentions to deliver them.
The privacy strategy sets coherent goals for where the agency wishes to get to with its privacy practices.
These goals will work well if they are coupled with objectives that are targeted and make sense in the context of the agency’s overall privacy stance and risk profile rather than being generic or overly broad.
A privacy strategy should:
- be aligned with the agency’s organisational strategy
- ensure compliance with all applicable laws (including, at a minimum, the Privacy Act)
- state privacy goals to promote a privacy culture and improve privacy practices within the agency
- be owned by a member of the senior leadership team
- state a time horizon, for example, a 2-year plan
- identify key stakeholders.
If the strategy is an expression of the goals, then the roadmap describes the privacy objectives, how to travel between the current state and the future state, and the stakeholders who are expected to understand and support the roadmap.
A privacy roadmap should include the key areas of activity to be undertaken to achieve the strategy’s future state and:
- the accountabilities and resourcing to deliver them
- their dependencies
- their timing and duration.
Privacy work programme
An agency’s privacy work programme describes in simple terms how the objectives and activities will be achieved. A privacy work programme should describe:
- the details of the activities described in the roadmap
- a schedule of activities
- roles and responsibilities
- how progress will be monitored.
Criteria 1: Planning
Privacy planning is ad hoc or reactive to specific events and incidents.
Privacy planning is seen as the domain of the privacy officer or team with little or no connection to the rest of the organisation.
Privacy planning:
- includes all areas of the agency
- comprehensively addresses the collection, use, storage and security of personal information, and
- is flexible to accommodate changes either in the wider business environment or as the result of assurance activity.
Criteria 2: Planning documents
The agency does not have privacy planning documents (for example, strategy, roadmap and work programme).
The agency has privacy planning documents (for example, strategy, roadmap and work programme) that are reviewed regularly.
Privacy planning documents (for example, a strategy, roadmap and work programme) are:
- easy to understand
- communicated to those with relevant responsibilities, and
- reviewed regularly to ensure that they remain relevant and aligned with the agency’s organisational and system context (nature, scale and risk).
Criteria 3: Reporting
Reporting is ad hoc and is about specific events and incidents.
Progress towards the agency’s privacy strategy, roadmap and work programme is reported to senior leadership and relevant governance bodies on an initiative-by-initiative basis.
Progress towards their privacy strategy, roadmap and work programme is tracked and reported regularly to senior leadership and relevant governance bodies.
2. Competent practice
Have policies to equip managers and staff to play their part in achieving the core expectations.
People can work with personal information with greater confidence if they know what to do, when to do it and who to contact for support and advice.
Project teams, policy teams, service designers and others can use privacy policies and related documents to help them think through the activities and tasks involving personal information in the context of their own work.
Privacy policies and related documents also need to include and extend to contractors, partners and suppliers who may be involved in working with personal information. Their needs and requirements may be different from those of internal staff.
Anyone who is expected to contribute towards good privacy practices should also be confident that, having understood the expectation, they know what to do, because they can access practical, documented descriptions of the actions they need to take.
The Data Protection and Use Policy (DPUP) has guidance to help agencies when drafting policies and related documents.
Procurement contracts can include privacy as a condition. For instance, sending personal information overseas to be used there requires special model contractual clauses.
Criteria 1: Policies
Privacy policies and related documents are insufficient to meet the agency’s privacy needs, are communicated on an ad hoc or reactive basis and are not regularly reviewed.
Privacy policies and related documents meet the agency’s privacy needs.
They are used by individual initiatives or within a subset of core business processes (such as procurement, policy or service design, frontline operations and management, analysis and research) but are not explicitly aligned to agency needs.
Privacy policies and related documents are easy to understand, communicated and accessible throughout the agency, and reviewed regularly to ensure that they remain relevant and aligned with the agency’s needs.
Criteria 2: Procurement contracts
The inclusion of privacy policies in procurement contracts is ad hoc or reactive.
The agency’s procurement contracts sometimes include terms and conditions relating to privacy policies and practices, but this happens at the individual initiative level and is not a standard practice.
The agency’s procurement contracts include standard terms and conditions relating to privacy, and privacy policies and related documents include advice on external suppliers and personal information.