8 information privacy promises your employees need to make today
Locking your employees in a meeting room and not letting them leave until they take an oath of information privacy is probably going a step too far when it comes to protecting customer data.
After all, instead of putting their hand on your organisational Privacy Bible and saying the necessary words, they’re more likely to break for the door, leave the building and job, and never return.
But it’s this kind of promise – in spirit if not reality – that’s critical to safeguarding data privacy.
Why your people need to make privacy a matter of principle
Data privacy is as much about the knowledge and actions of your people as it is about the policies and procedures in place or the frontline technology you have protecting data. Because people count so much, their commitments can make a huge difference to the success of your privacy program.
And success is paramount. Regulators are now active in making sure anyone handling data is looking after it. Under Australia’s Mandatory Data Breach legislation, many organisations need to disclose data breaches involving personal information if they are likely to cause people serious harm.
The Australian Privacy Principles ask that we take reasonable steps to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure. That means ensuring your people are ready and willing to prioritise data privacy at all times.
8 employee promises that could safeguard your data privacy
So back to that oath. While you might not be taking that drastic step any time soon, here are eight promises you should expect your employees to make in principle to ensure your data stays safe.
1. I promise to remain privacy aware
Employees need to be aware of their privacy obligations. Supported by your policies and procedures and guided by your internal training, employees should understand exactly what privacy is, and what they should or shouldn’t be doing to secure it. What is personally identifiable information? What is a data breach – and what are its common causes? What are the acceptable uses of information technology at work, including their BYOD devices? Ensure employees commit to being aware.
2. I promise to understand the inventory
Employees should have a basic understanding of what types of information your organisation holds or could hold, and what they would need to do to keep it safe were they to come across it during the course of their employment. For example, what constitutes public information and what should be for internal audiences only? What information is considered classified and confidential, and which approvals are needed to access it? How should they handle these different types of information?
3. I promise to be transparent about privacy
There should be no secrets about how you approach privacy internally, and nor should there be in your interactions with customers or suppliers, including your technology vendors. For example, if a supplier has done the wrong thing by sending you sensitive information via email instead of in an encrypted form, informing them of this and then deleting the email means you are doing your part in educating the supplier and being transparent about your approach to privacy.
4. I promise to share personal data safely
Employees should commit to only sharing information with people and organisations they trust, and to doing so in a technologically safe manner. For example, employees should know to double (or triple!) check that the destination they are sending information to is safe, even if that means confirming by phone, and should send sensitive data via an encrypted service rather than by email, given email is an old technology prone to interception and exploitation by cyber criminals.
5. I promise to respect individual rights
Privacy is the right to be left alone or freedom from interference or intrusion. Information privacy is the right to have some control over how your personal information is collected and used. Employees need to understand this information is like radioactive material – it should be handled according to guidelines while exposure to it is reduced as much as possible. They need to understand the types of harm it could cause, from identity theft, fraud and financial loss to humiliation and bullying.
6. I promise to only send information to safe places
Where personal information resides in the world matters. Not every jurisdiction is as safe as another, and there are many with less stringent legal privacy commitments than Australia or that are more prone to having information exploited for financial gain. Employees need to know that they should only send personally identifiable information either within the safety of Australia’s borders or to places that they know to be safe and legal harbours for local personal information.
7. I promise to keep personal information secure
Security is about safeguarding data, whereas privacy is about safeguarding user identity. Employees should be aware of the security measures in use across your organisation, whether that is multi-factor authentication, proper management of password access, what to click on and what not to click on when they receive an email, or the state of the threat landscape, including threats such as phishing and ransomware.
8. I promise to play my part in privacy by default
Privacy should be a default setting embedded into organisational systems and processes from cradle to grave. Employees need to ensure that they are handling sensitive data with security and privacy in mind at all times, and that they are building good and consistent habits that will help reduce the likelihood of high-severity events, which could have a catastrophic impact on the organisation as well as on the people who are trusting it to do the right thing with their information.