Skip to main content

Privacy self-assessment reports

The analysis of privacy self-assessments forms the basis for understanding privacy maturity in the public sector and for prioritising areas for improvement.

How privacy maturity is assessed

Government organisations that are covered by the Government Chief Privacy Officer (GCPO) mandate are asked to complete an annual privacy maturity self-assessment using the Privacy Maturity Assessment Framework (PMAF).

The privacy maturity self-assessment needs to be completed and returned to the GCPO for analysis by 30 June each year.

PMAF and self-assessments

New baseline

In 2021, the PMAF was updated to ensure that modern privacy programme management and best practices are represented.

This meant that the 2022 Privacy maturity self-assessment results represent a new baseline for organisations reporting against the framework.

Three levels of privacy maturity

The privacy maturity self-assessment has 3 levels of privacy maturity that help organisations to identify where they are at.


An organisation’s approach to privacy is unstructured and privacy is generally seen as compliance only. There is a need to better plan and implement the organisation’s privacy activities.


An organisation-wide approach to privacy is developing. Good practice occurs in siloes but not at the wider organisational level. Any privacy work programme is driven by individual activities rather than being more embedded in organisation-wide practice.


An organisation’s approach to privacy is reasonably comprehensive and good privacy practice is part of the organisation’s culture. Planning and implementing the organisation’s privacy activities are strategic and appropriately resourced.

Comments from agencies about their privacy maturity

Agencies support their maturity assessment by providing comments of their achievements, challenges and areas of future focus. The GCPO uses these to develop insights into the current state of privacy maturity in the public service, including target areas for development.

How PMAF reports help organisations

The GCPO sends individual reports to the chief executive and privacy team of each organisation that completed the privacy maturity self-assessment.

These reports help government organisations to:

  • understand their current level of privacy maturity in managing personal information respectfully and safely
  • see how they compare with other organisations across the PMAF
  • identify areas where they can improve.

How PMAF self-assessments help the GCPO

The GCPO uses organisations’ PMAF self-assessments to:

  • prepare an annual briefing to the Minister for the Digital Economy and Communications about the state of privacy maturity in the public service
  • inform the GCPO’s own work programme.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated