Building Privacy into Company Policy
According to the Office of the Privacy Commissioner of Canada, it’s essential to educate employees about privacy practices as well as policies. Employees must be able to understand their role in implementing privacy policies and be able to communicate them.
“When you train your employees to speak openly with customers about your organization’s reasons for collecting personal information – and its plans for the specific use of that information – you increase trust in your business relationships and help build pride among employees who do business on your behalf.”
Privacy training can take different forms, depending on the size of the organization. In some organizations, this might be a formal training program, while in others refresher courses may be more appropriate. In smaller organizations, privacy training may take place during a face-to-face conversation with a new employee.
Here are some important issues to consider when developing privacy training for your organization:
- Determine which employees require the most training. Often, employees who interact directly with customers will have the most questions regarding collection and safeguarding of personal information.
- Keep key employee teams in mind. Remember that different teams or departments will relate differently to customer information. For instance, you might need to have different training workshops for marketing and product-development employees.
- Develop a process for updating privacy-policy information. This ensures that you can respond to new issues as they arise and provide ongoing updates to employees.
- Let employees know where to go for help. Provide essential information and access to resources or individuals within the organization who will be able to offer further information. This will help both customers and employees understand your privacy practices.
- Develop a quiz to check employees’ knowledge. This is a simple, yet effective way to keep employees informed of important privacy-policy issues.
A Closer Look: US Federal Contractors
In October 2011, the Department of Defense (DoD), the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA) proposed that federal contractors provide privacy training to certain employees or be barred from certain government work. According to the October 14, 2011 proposal:
“An employee who will access government records or records systems or handle personally identifiable information must be given training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information in order for access to such records to be granted or retained.”
The proposal would require federal contractors to train their employees at the outset of the contract, and at least annually thereafter, on the following issues:
- Protection of privacy, in accordance with the Privacy Act.
- The handling and safeguarding of personally identifiable information (PII).
- The authorized and official use of a government system of records.
- Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information.
- The prohibition against access by unauthorized users, and unauthorized use by authorized users of PII or a system of records on behalf of the federal government.
- Breach notification procedures.
- Any agency-specific privacy training requirements specified by the contracting officer.
This privacy training requirement adds a new dimension to an already extensive list of employment-related contractor obligations. It is important for contractors to understand the implications and details of this requirement.
A Closer Look: Private Sector Organizations in Canada
In Canada, private sector privacy legislation requires organizations to design privacy policies that outline how they can collect, use and disclose their customers’ personal information. This doesn’t have to be a complex process.
Here are some key elements that private sector organizations should consider when developing their privacy policy and the employee training that supports it:
- When information is collected from customers, the organization must explain the purpose of collection and obtain customer consent in advance. In certain situations, implied consent might be enough, while in other situations, express consent will be required.
- Any personal information collected should be protected with appropriate security safeguards. Only collect the information that is actually needed for business operations and limit who can access customer information.
- Any computer systems that hold personal information should be adequately protected (e.g. passwords, encryption, firewalls).
- Keep it clear, concise and written in plain language.
- Review other privacy policies of organizations similar to your own.
- Collect only the information necessary for your business purposes.
- Be open about when personal information may be disclosed.
- Let customers know how long you will keep information.
- Consider the collection, use and disclosure of employee information separately.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:
- Workplace privacy concepts (IV.A.a.)
- Human resources management (IV.A.a.i.)