On an ongoing basis, data stewards within the organization, principally IT, are responsible for keeping corporate data secure and private.
Collectively, information privacy policies are important to IT, compliance officers, and others in the business because if customers/clients inform the company that they do not want their personal information collected or shared, companies must abide by these decisions; data on these individuals can't be sold or distributed to others.
In organizations where customer/client data is extremely sensitive, such as in insurance, financial services, and healthcare, workers must practice privacy protections so that information is not inadvertently shared.
How to use these policy guidelines
Who should be involved
- The data steward of corporate information
- The administrative arm of the company that ensures that the company is current and compliant with privacy regulatory guidelines
- Legal staff, which is current on legislated law and on recent privacy case law and should always provide input into and perform due diligence on privacy drafts or revisions before they are enacted
- Third-party business partners that might want to use your customer information for marketing or research but must understand the limits of the information you can give them
- Adjunct staff business functions/contractors who need to access sensitive information because it directly affects their ability to do their jobs (e.g., a "guest" surgeon requires access to a patient's medical history in preparing for a delicate operation).
- Commitments to customers/stakeholders
- How customer information is collected and used
- How customer information is shared
- How customer account activity is tracked
- How customer information is provided to third parties
- Data protection and security
- Opt-in or opt-out choices that customers can make with respect to their information
- Customer privacy rights
- Company contact information for customers with questions about privacy
- Login information
- Privacy compliance
- Employee privacy practices
- Data retention
- These elements can be grouped into two general categories:
- Communications and marketing
- Legal, compliance, and IT.
Communications and marketing
Commitments to customers/stakeholders
How customer information is collected and used
How customer information is shared
Opt-in or opt-out choices that customers can make with respect to their information
Customer privacy rights
Customers should be informed of their privacy rights under law. For example, they might have a right to request information concerning whether the company has disclosed personal information to any third parties, and to which third parties, for marketing purposes or whether the company has sold any of their personal information without their consent.
Company contact information for customers with questions about privacy
Legal, compliance, and IT
How customer account activity is tracked
How customer information is provided to third parties
Internally, legal, compliance, and IT should develop policies and standards that govern how customer information will be provided to third parties and what privacy protections will be implemented. In co-marketing efforts where the customer is informed and can opt out of sharing personal information, the company might share direct customer information and contact information with business partners. In other cases, such as data analytics information offered for sale, the company might be required to anonymize individual customer contacts and information so that data can't be traced back to individuals.
Data protection and security
Security measures, secure storage, and protection of data for purposes of privacy should be defined as a policy and as procedures that are activated in IT, which is the custodian of the data. IT practices should adhere to guidance and standards that are issued from both legal and compliance sources.
As part of its network management, IT maintains server logs that automatically collect and store details of how users used company online services; their telephone and/or IP addresses, time of contact, duration of contact, etc.; the browser type used and the times and dates of their service requests; and information gathered by cookies on the website. From a privacy standpoint, IT, legal, and compliance should define how this information is to be used internally, how it is to be protected to guarantee the privacy and security of individuals using the company website, and under which circumstances it will be permissible to share this information.
Employee privacy practices
For companies in highly sensitive customer information industries (healthcare, finance, insurance, etc.), employees may often be required to interact with customers online, by telephone, or in person. During these times, sensitive information can be shared. Guided by the recommendations of its legal and compliance departments, the company should have a set of written policies that govern how employees are to treat customers and their private information, accompanied by training of all employees who are in customer-facing functions and/or come in contact with sensitive information. Similar privacy policies and procedures should be enacted for IT personnel who are tasked with managing and accessing private customer information. As part of this process, IT should maintain extensive logs that track employee, IT, and business partner access to customer information.
Companies should develop policies and procedures that minimally assure annual audits of information security and privacy of customer and other information critical to the enterprise, with audit cycles addressing and documenting any changes to existing information privacy practices.
IT, together with business user areas, compliance, and legal, should annually review data retention policies, making and documenting revisions as needed. Data retention specifically addresses how long sensitive customer history will be maintained in corporate data stores.
Policy development and execution
Audit cycles and regulatory compliance
Companies should check with their legal counsel, regulators, and auditors to determine what needs to be audited in areas of information privacy. In some cases, companies might also have internal audit procedures that their own audit and compliance teams perform. As part of the audit and compliance process, companies should take steps to ensure that their privacy policies are kept up to date with the latest regulatory and compliance rules and that policy updates are issued on a timely basis to customers, business partners, and other stakeholders.
Policy updates and approvals
Policy signoffs by employees
As part of the new employee orientation process, employees being placed into positions that involve privacy issues should be required to receive training, read policies, and sign off that they have read all policies concerning privacy before they begin their assignments. A record of all employee signoffs should be maintained.
Violations and penalties
Violations of privacy policies can result in serious consequences for employees and for the company. For this reason, employees should be informed that violation of privacy policies can result in disciplinary action leading up to and including termination of employment and civil and/or criminal prosecution under federal and/or state laws. Employees assuming responsibilities that involve the protection of private information should be required to read and sign off on the corporate statement on violations and penalties before they begin their assignments. The company should maintain a record of these signed employee acknowledgements that the violation/penalties memorandum has been read and understood.