With privacy threats on the rise, and identity theft being the fastest-growing crime, your organization's privacy documentation should clearly demonstrate a commitment to information protection. Putting well-designed privacy policies and procedures in place is not just good risk management; it empowers an organization to create a trusting relationship with its customers, and guides employees on how to handle information. Good privacy makes good business sense and can distinguish an organization from its competitors. If your organization handles personal information, here is a quick summary of what needs to be reviewed by corporate counsel and implemented:
Corporate Privacy Policy
The Corporate Privacy Policy is the centerpiece of your privacy documentation - the document that should be available to the public and that provides a clear understanding of why you need to collect their personal information, how you safeguard it, and whom you share it with. This policy must clearly and succinctly outline how you comply with privacy best practices. You build rapport with prospective and current customers when you show them how your organization protects information, and when they know what control they have over how their information is used.
Employee Privacy Policy
When you respect your employees' rights and interests, you command their loyalty. Your employee privacy policy sends a clear message that safeguarding employee information is a priority to you. The policy should outline exactly what information you collect, why you need it, and whom you share it with. It should also outline your employees' right to access their personnel file, and how long you retain their information. Equally important, the policy should indicate the limitations on your employees' privacy rights, e.g., the use of video surveillance and the monitoring of company resources (such as e-mail and Internet activity).
Web Site Privacy Policy
The Web Site Privacy Policy addresses the protection of personal information online and should clearly tell your Web site visitor how the information collected on the site will be used (including any marketing purposes). Compliance with laws in various jurisdictions must be considered, e.g., for a site directed at children under 13, the policy should outline the need for parental consent (due to the United States Children's Online Privacy Protection Act), and a site with numerous links to other sites should specify that your organization is not responsible for the privacy practices or content of any sites it links to. This policy should also cover technical details such as the use of cookies and server log files, telling your user whether the data collected is anonymous or whether such logs can be linked to personally identifiable information.
Privacy Breach Response Policy
This policy ensures a consistent approach when privacy is violated. A step-by-step guide helps your organization leap into action, minimize response time, and therefore mitigate the negative impact of the breach. The policy should address the following steps for responding to the breach:
Breach containment and preliminary assessment;
Evaluating the risks associated with the breach;
Determining the cause and extent of the breach;
Assessing the foreseeable harm from the breach to individuals and the company;
Notifying individuals who may be harmed, and determining when and how to notify them, as well as the content of the notification. Guidance should also be provided on when to contact others such as regulators, police, insurers, or credit card companies; and
Preventing future breaches. The prevention plan may include a security audit or employee training.
Employee Procedures For Safeguarding Personal Information
Implementing a formal procedure for safeguarding personal information internally guides your employees and contractors on how to manage privacy issues daily. To name a few safeguards, the procedure should address: securing one's unattended work environment (by activating password-protected screen savers and not leaving confidential information in plain view); access controls; precautions to take when faxing or emailing sensitive information; secure disposal of records; escorting visitors; reporting lost security access cards; and laptop best practices.
Information Security Policies
Because security threats have increased exponentially over the past decade, securing systems from internal and external threats has become a priority for many companies. A security policy establishes the importance of security within the organization and should include the endorsement of upper management. The most important criterion of a good security policy is that it is usable. Its many sections can be grouped into three categories:
1. The parameters of the policy, including definitions of information security concepts;
2. A risk assessment to determine what threats exist for systems within an organization. The level of security needed for particular systems to provide the optimum protection should be outlined, using security classifications. Security measures can then be determined, based on these classifications.
3. The actual policies, including security planning and oversight; security education, training and awareness; backups and business continuity plans; physical security; access controls; authentication; network security; encryption; acceptable use policies; auditing and review; and enforcement of the security policies.
A good security policy is so much more than just a listing of rules. It dictates the scope, direction, and priority for security within an organization. Such a policy can mean the difference between a comprehensive security posture and a document that is neither regarded nor implemented with any conviction. A large security budget does not ensure success. What does ensure success is a security policy that is descriptive, disseminated, and enforced within a company.
Privacy Risk Assessment Questionnaire
When introducing a new product or service that involves the collection, use, or disclosure of customer or employee information, privacy should be considered early in the planning stages. Departments should be required to assess the impact of an initiative on privacy. For example: Will additional consent be required? Will information be transferred to another jurisdiction with different data privacy laws/expectations? By requiring a standard set of questions to be answered regarding the management of personal information, risks can be identified early and plans can be put in place to mitigate these risks.
Awareness Is Critical
It is imperative that the adopted policies and procedures be consistent with daily practices, and reviewed at least annually. If not, the potential disconnect will undermine your privacy program.
To minimize exposure to privacy risks, it is critical that privacy and information security commitments are accompanied by training and awareness initiatives. Sound policies and procedures are meaningless if they are not well known and understood by every employee. Rather than pushing down "company rules," training initiatives that are focused on why privacy is important and the risks involved in getting it wrong encourage greater care when handling personal information. When employees are regularly reminded of the relevance of privacy protection in their work, organizational responsibility is strengthened.
Our goal at PrivaTech Consulting is to empower organizations with tools to build a privacy-conscious environment and reduce privacy risks.
For detailed templates of all the above documentation and more, visit www.privacyCD.com. You can easily customize the samples on the CD-ROM for your organization.