Effective Privacy Documentation to Empower Your Organization

When privacy threats are on the rise, and identity theft is the fastest-growing crime, your privacy documentation should clearly demonstrate your commitment to information protection. Putting well-designed privacy policies and procedures in place is not just good risk management; it empowers you to create a trusting relationship with your customers, and guides your employees on how to handle information. Here’s a quick summary of what you need to implement:

Corporate Privacy Policy: The Corporate Privacy Policy is the centerpiece of your privacy documentation—the document that should be available to the public and that provides a clear understanding of why you need to collect their personal information, how you safeguard it, and whom you share it with. This policy must clearly and succinctly outline how you comply with privacy best practices. You build rapport with prospective and current customers when you show them how your organization protects information, and when they know what control they have over how their information is used.

Employee Privacy Policy: When you respect your employees' rights and interests, you command their loyalty. Your employee privacy policy sends a clear message that safeguarding employee information is a priority to you. The policy should outline exactly what information you collect, why you need it, and whom you share it with. It should also outline your employees' right to access their personnel file, and how long you retain their information. Equally important, the policy should indicate the limitations on your employees’ privacy rights, e.g., the use of video surveillance and the monitoring of company resources (such as e-mail and Internet activity).

Web Site Privacy Policy: The Web Site Privacy Policy addresses the protection of personal information online and should clearly tell your Web site visitor how the information collected on the site will be used (including any marketing purposes). Compliance with laws in various jurisdictions must be considered, e.g., for a site directed at children under 13, the policy should outline the need for parental consent (due to the United States Children’s Online Privacy Protection Act), and a site with numerous links to other sites should specify that your organization is not responsible for the privacy practices or content of any sites it links to. This policy should also cover technical details such as the use of cookie files and server log files, so that your user knows whether the data collected is anonymous or whether such logs may be linked to personally identifiable information.

Privacy Breach Response Policy: This policy ensures a consistent approach when privacy is violated. A step-by-step guide helps your organization leap into action, minimize response time, and therefore mitigate the negative impact of the breach. The policy should address the following steps for responding to the breach:

• Breach containment and preliminary assessment;

• Evaluating the risks associated with the breach;

• Determining the cause and extent of the breach;

• Assessing the foreseeable harm from the breach to individuals and the company;

• Notifying individuals who may be potentially harmed and determining when and how to notify them, as well as the content of the notification. Guidance should also be provided on when to contact others such as regulators, police, insurers, or credit card companies; and

• Preventing future breaches. The prevention plan may include a security audit or employee training.

Employee Procedures for Safeguarding Personal Information: Implementing a formal procedure for safeguarding personal information internally guides your employees and contractors on how to manage privacy issues daily. The procedure should address, to name a few safeguards, securing one’s unattended work environment (by activating password-protected screen savers and not leaving confidential information in plain view); access controls; precautions to take when faxing or emailing sensitive information; secure disposal of records; escorting visitors; reporting lost security access cards; and laptop best practices.

Access to Personal Information Procedure: This procedure specifically applies to situations where customers or employees seek access to review their own files. The internal procedure for handling access requests should cover:

• Initiating an access request;

• Authenticating the requestor;

• When access must be provided, when it may be denied, and when part of the record must be released;

• How access should be provided (e.g., in person, couriered, or faxed);

• Fees that can be charged for access; and

• The time frame for responding to an access request.

Information Security Policies: Because security threats have increased exponentially over the past decade, securing systems from internal and external threats has become a priority for many companies. A security policy establishes the importance of security within the organization and should include the endorsement of upper management. The most important criterion of a good security policy is that it is usable. Its many sections can be grouped into three categories:

1. The parameters of the policy, including definitions of information security concepts;

2. A risk assessment to determine what threats exist for systems within an organization. The level of security needed for particular systems to provide the optimum protection should be outlined, using security classifications. Security measures can then be determined, based on these classifications.

3. The actual policies, including security planning and oversight; security education, training and awareness; backups and business continuity plans; physical security; access controls; authentication; network security; encryption; acceptable use policies; auditing and review, and enforcement of the security policies.

A good security policy is so much more than just a listing of rules. It dictates the scope, direction, and priority for security within an organization. Such a policy can mean the difference between a comprehensive security posture and a document that is neither regarded nor implemented with any conviction. A large security budget does not ensure success. What does ensure success is a security policy that is descriptive, disseminated, and enforced within a company.

Privacy Risk Assessment Questionnaire: When introducing a new product or service that involves the collection, use, or disclosure of customer or employee information, privacy should be considered early in the planning stages. Departments should be required to assess the impact of an initiative on privacy. For example: Will additional consent be required? Will information be transferred to another jurisdiction with different data privacy laws/expectations? By requiring a standard set of questions to be answered regarding the management of personal information, risks can be identified early and plans can be put in place to mitigate these risks.

Focus on the 3 Cs

• Clear

• Concise

• Consistent

Your suite of privacy documentation should provide a detailed picture of your organization’s perspective on privacy. It is imperative that the adopted policies and procedures be consistent with daily practices. If not, the resulting disconnect will undermine the potential for success. Thus, regular review, at least annually, will ensure that your privacy program is in lockstep with the documentation, resulting in greater organizational responsibility while minimizing exposure to privacy risks.

Our goal at PrivaTech Consulting is to empower you with the tools to build a privacy-conscious environment and to do it right! For detailed templates of all the above documentation, order The Privacy Documentation Suite CD-ROM. You can easily customize the samples on the CD-ROM for your organization.

Fazila Nurani

Fazila Nurani is a privacy and information security consultant, attorney and lead trainer with PrivaTech Consulting (http://www.privatech.com). She is also a Certified Information Privacy Professional. Fazila advises organizations in a wide range of industries on privacy best practices, compliance with data protection laws, and managing information security risks. She can be reached at +1.905.886.0751 or fazilanurani@rogers.com.

By: Fazila Nurani | 21/04/2008 | Ask an Expert