
Privacy domains

Privacy domains is 1 of 4 sections of the Privacy Maturity Assessment Framework (PMAF). There are 6 elements to assess.

Before you start

It’s helpful to read:

To complete your agency’s self-assessment, download and use the 2 forms.

PMAF self-assessment forms

1. Require a clear understanding of the purpose

Require a clear understanding of the purpose and necessity of the collection, use or sharing of personal information.

Guidance note

The Data Protection and Use Policy’s (DPUP's) Principles and Guidelines align strongly with good privacy practices. Agencies can adapt them for their context and the amount and type of personal information they collect and use.

If your agency’s privacy policies and practices align with DPUP Principles and Guidelines, then you do not need to update them at this time to achieve ‘managed’.

However, if your agency plans to:

  • rewrite its privacy policies, it should reference DPUP’s Principles and Guidelines
  • develop or review its policies, services or programmes, it should consider using the DPUP toolkit to help guide this work.

Data Protection and Use Policy (DPUP)

DPUP toolkit

Criteria 1: Defining the purpose

Criteria 2: Identifying choices

Criteria 3: Reducing personal information

2. Ensure the use and storage of personal information

Ensure the use and storage of personal information protects against inappropriate access, use and modification, while also ensuring effective and efficient support for its intended use.

Guidance note

Privacy by Design is a design methodology that includes privacy as an essential priority of any product, service, system or process. Privacy is embedded throughout the product or service life cycle from design to disposal.

To implement and embed Privacy by Design, an agency’s privacy officer or team needs to work closely with the agency’s teams that develop and implement technology, whether hardware, software or web, that interacts with personal information.

‘ICT and digital teams’ is the term used to indicate the variety of teams that could be included. Working with these teams is the process of engineering privacy into the agency’s systems, which is the reason for the term ‘privacy engineering’.

Privacy by Design (PbD)

Criteria 1: Implementing Privacy by Design

Criteria 2: Implementing privacy engineering

Criteria 3: Responding to high public interest

3. Make it easy for people to access

Make it easy for people to access and request correction to their information.

Guidance note

People may not understand what rights they have to see the personal information that has been collected about them, to ask for that information to be corrected or to express a preference as to how they’d like to access their information.

Ensuring that people understand these rights helps build public trust and confidence. Lack of this understanding may deter people from providing their personal information and receiving a service they need.

For people to act on these rights, the process to do so needs to be easy to understand and use. For an agency to respond to these requests, its systems and processes need to be able to support responding within the legislative timeframe.

When considering this element, remember that people requesting access to their information can include customers, clients, employees and anyone else whose personal information your agency holds, uses and manages.

Access to Information Guideline

Criteria 1: Having a process

Criteria 2: Monitoring the process

Criteria 3: Reviewing the process

4. Understand and assess privacy risks

Understand and assess privacy risks and manage commensurately.

Guidance note

An agency’s work to develop, implement and improve its privacy practices is best informed by a suitable understanding of its risk position, which in turn is dependent on a suitable understanding of the types of personal information it holds, why it’s collected, and how it’s used and shared.

This understanding needs to be based on a holistic picture of the agency’s holdings and activities, not only about specific projects and programmes of work.

Completing a data inventory or stocktake can be an important component of an effective privacy risk assessment. A data inventory or stocktake provides an agency with a comprehensive view of the personal information that the agency handles.

As privacy objectives are delivered and/or as the agency’s personal information holdings and activities change, updating and maintaining its privacy risk profile will help the agency consider what further actions need to be taken to improve privacy practices.

While an agency privacy risk assessment provides a snapshot of its current privacy risks as an organisation, a project privacy risk assessment — frequently known as a Privacy Impact Assessment (PIA) — considers the risks associated with a specific process, product or service.

Criteria 1: Knowing agency risks

Criteria 2: Managing agency risks

Criteria 3: Managing project risks

5. Reduce the impact of privacy breaches

Reduce the impact of privacy breaches and incidents through good privacy practices.

Guidance note

Managing privacy breaches begins with the 4 key steps of contain, assess, notify and prevent.

The effectiveness of these steps can be improved by:

  • having clear roles and responsibilities in the incident management plan
  • regularly testing the plan
  • integrating the plan into business continuity plans.

Conducting tabletop exercises (a simulated privacy breach) to test and validate the plan’s activities will ensure that the plan will work as intended and familiarise team members with their roles and responsibilities.

The impact of breaches can be reduced by having practices that reduce the collection and retention of personal information.

Criteria 1: Having a privacy incident register

Criteria 2: Minimising collection of personal information

Criteria 3: Retaining personal information

6. Enable personal information use, reuse and sharing

Enable personal information use, reuse and sharing to support a unified public service that provides the public with effective services.

Guidance note

The Privacy Act details when and how personal information can be shared with others. While this does not apply to non-personal information, it is good privacy practice to be respectful, trusted and transparent when using or sharing non-personal information.

Criteria 1: Having policies for sharing personal information

Criteria 2: Understanding the use of non-personal information
