Employee Privacy Training

Privacy training is becoming an essential component of corporate education. In most large organizations, privacy training is already part of the employee curriculum, which is challenging given the amount of training necessary and the value of employee time. For smaller organizations, the challenge might be where to begin developing a privacy policy, let alone a staff training program. This article takes a look at the basics of employee privacy training.

Building Privacy into Company Policy

Appropriate privacy protections can help improve or enhance an organization’s reputation. An organization that recognizes and respects privacy rights is one that values its customers’ trust and loyalty. A comprehensive privacy policy that both customers and employees can understand also helps to prevent organizations from becoming involved in privacy disputes or data breaches.

According to the Office of the Privacy Commissioner of Canada, it’s essential to educate employees about privacy practices as well as policies. Employees must be able to understand their role in implementing privacy policies and be able to communicate them.

“When you train your employees to speak openly with customers about your organization’s reasons for collecting personal information – and its plans for the specific use of that information – you increase trust in your business relationships and help build pride among employees who do business on your behalf.”

Privacy training can take different forms, depending on the size of the organization. In some organizations, this might be a formal training program, while in others refresher courses may be more appropriate. In smaller organizations, privacy training may take place during a face-to-face conversation with a new employee.

Here are some important issues to consider when developing privacy training for your organization:

  • Determine which employees require the most training. Often, employees who interact directly with customers will have the most questions regarding collection and safeguarding of personal information.
  • Keep key employee teams in mind. Remember that different teams or departments will relate differently to customer information. For instance, you might need to have different training workshops for marketing and product-development employees.
  • Incorporate privacy issues into standard training programs. You can consider organizing an official training program around your privacy policy, or create an online/printed guide to the policy to help familiarize employees.
  • Develop a process for updating privacy-policy information. This ensures that you can respond to new issues as they arise and provide ongoing updates to employees.
  • Review customer complaints regularly. This will help you address concerns about your privacy policy and ensure that any gaps are identified and corrected.
  • Let employees know where to go for help. Provide essential information and access to resources or individuals within the organization who will be able to offer further information. This will help both customers and employees understand your privacy practices.
  • Develop a quiz to check employees’ knowledge. This is a simple, yet effective way to keep employees informed of important privacy-policy issues.

A Closer Look: US Federal Contractors

In October 2011, the Department of Defense (DoD), the General Services Administration (GSA) and the National Aeronautics and Space Administration (NASA) proposed that federal contractors be required to give privacy training to certain employees, or be barred from certain government work. According to the October 14, 2011 proposal:

“An employee who will access government records or records systems or handle personally identifiable information must be given training that addresses the protection of privacy, in accordance with the Privacy Act of 1974, and the handling and safeguarding of personally identifiable information in order for access to such records to be granted or retained.”

The proposal required federal contractors to train their employees at the outset of the contract and at least annually thereafter on the following issues:

  1. Protection of privacy, in accordance with the Privacy Act.
  2. The handling and safeguarding of personally identifiable information (PII).
  3. The authorized and official use of a government system of records.
  4. Restrictions on the use of personally-owned equipment to process, access, or store personally identifiable information.
  5. The prohibition against access by unauthorized users, and unauthorized use by authorized users of PII or a system of records on behalf of the federal government.
  6. Breach notification procedures.
  7. Any agency-specific privacy training requirements specified by the contracting officer.

This privacy training requirement adds a new dimension to an already extensive list of employment-related contractor obligations. It is important for contractors to understand the implications and details of this requirement.

A Closer Look: Private Sector Organizations in Canada

In Canada, private sector privacy legislation requires organizations to design privacy policies that outline how they can collect, use and disclose their customers’ personal information. This doesn’t have to be a complex process.

Here are some key elements that private sector organizations should consider when developing their employee training program:

  • When information is collected from customers, the organization must explain the purpose of collection and obtain customer consent in advance. In certain situations, implied consent might be enough, while in other situations, express consent will be required.
  • Any personal information collected should be protected with appropriate security safeguards. Only collect the information that is actually needed for business operations and limit who can access customer information.
  • Any computer systems that hold personal information should be adequately protected (e.g. passwords, encryption, firewalls).

The Office of the Privacy Commissioner of Canada provides the following checklist for organizations designing a privacy policy and training program:

  • Keep it clear, concise and written in plain language.
  • Review other privacy policies of organizations similar to your own.
  • Collect only the information necessary for your business purposes.
  • Be open about when personal information may be disclosed.
  • Let customers know how long you will keep information.
  • Consider the collection, use and disclosure of employee information separately.
  • Ensure that there is someone at the organization available to answer privacy policy-related questions.


This article takes a look at employee privacy training, which involves developing a strong privacy policy and effective privacy-protecting practices, as well as educating employees on these issues. Privacy training can take different forms, depending on the size of the organization. Training can range from a formal education program to refresher courses, specialized workshops, or one-on-one conversations. This article introduces the basic elements of privacy training programs and brings in two examples of how training programs can be used in organizations.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Workplace privacy concepts (IV.A.a.)
  • Human resources management (IV.A.a.i.)
