People-centred privacy

Moving from a rules-centric and risk-centric privacy maturity framework to one that also emphasises the importance of people-centred privacy practices is the next step to improve government’s privacy maturity.

A people-centred approach is one that seeks to understand, invite and act on the perspectives and interests of the people that the personal information is about when planning and undertaking activities and actions to collect, use or share their personal information.

Key features of such an approach are inclusion and participation in the development of new ideas, making it easy to understand what’s happening and making it easy for people to access and request correction to their information.

People-centred privacy encourages an approach to data collection that:

• clearly links the personal information collected to the desired outcome
• investigates alternative ways to accomplish the desired outcome that eliminates or reduces the need for personal information.

PMAF 2021 works with the Data Protection and Use Policy (DPUP). Based on extensive engagement, DPUP focuses on how to develop a way of working that respects people, their personal information and their stories.

The GCPO recognises DPUP as endorsed good practice and an integral element of PMAF. Positioning DPUP within PMAF integrates DPUP into the established approach to building government privacy practice within the mandate of the GCPO.

Data Protection and Use Policy (DPUP)

Privacy culture

During the development of PMAF 2021, privacy officers emphasised the importance of having a strong privacy culture.

Developing a privacy culture means that privacy is no longer the domain of experts. Broadening out how an agency approaches privacy means that privacy is everyone’s responsibility.

An important part of a privacy culture involves ongoing interaction and engagement between privacy officers, leadership and business units.

To build and maintain a privacy culture, leaders and managers can help by championing the importance of ‘doing the right thing’ when collecting or using people’s personal information. This means people throughout the agency are better placed to appreciate this crucial linkage. DPUP has a toolkit that contains role-specific resources and empowers people to improve privacy practices in their role.

One often overlooked aspect of privacy culture is recognising the privacy needs of employees and contractors. COVID-19 has highlighted the need for respecting employees’ privacy, especially around health information.

How to use the DPUP toolkit

Privacy by Design and privacy engineering

Privacy by Design and privacy engineering are roadmaps that:

• help agencies make sure they consider and embed privacy elements when starting or updating a project, process or service
• encourage agencies to ensure business units, information management, ICT and other teams work together to incorporate privacy from the beginning.

PMAF 2021 encourages agencies to use Privacy by Design and privacy engineering to ensure they think about what information they need and how they may use it.

DPUP’s good practical advice works with these tools to help agencies consider what they’re doing from a privacy and ethical standpoint.

Privacy by Design

Privacy by Design seeks to raise the bar for privacy by promoting enhanced accountability and user trust. These foundational principles serve as an overarching framework for inserting privacy and data protection early, effectively and credibly into information technologies, organisational processes, networked architectures and entire systems of governance and oversight.

Privacy engineering

If Privacy by Design provides the ‘what’ to do, then privacy engineering provides the ‘how’ to do it. Privacy engineering is the discipline of understanding how to include privacy as a non-functional requirement in systems engineering. What this means is that privacy becomes an integral part of how the system works.

Privacy by Design (PbD)

IAPP — Privacy Engineering: Proactively Embedding Privacy, by Design