Under privacy law, a privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer’s or client’s data. Many companies share this customer/client data with third-party business partners. In some regulated sectors (US financial institutions under the Gramm-Leach-Bliley Act, for example), mailing customers an annual notice of the company’s practices for collecting and distributing the customer/client data under its management is itself a legal requirement. Google’s published privacy policy is a widely known example of such a document.
On an ongoing basis, data stewards within the organization, principally IT, are responsible for keeping corporate data secure and private.
Information privacy policies matter to IT, compliance officers, and others in the business because once customers/clients tell the company that they do not want their personal information collected or shared, the company must honor that choice: data on those individuals can’t be sold or distributed to others.
In industries where customer/client data is extremely sensitive, such as insurance, financial services, and healthcare, workers must follow privacy safeguards so that information is not inadvertently shared.
How to use these policy guidelines
How you develop and maintain your privacy policy will vary depending upon your business, your customers, and the industry vertical you are in. The guidelines below are broken into general categories you should take into account in your due diligence as you build your privacy policy. Depending on your business application, the key points within each topic will have different degrees of importance for you. Focus on those guidelines that are directly relevant to your business model as you formulate a policy that meets your company’s circumstances, but be sure to review the other topics so you don’t overlook another relevant area.
Who should be involved
A privacy policy is an internal matter that concerns employee conduct with sensitive information, but it also has significant impact and ramifications for your outside stakeholders, whether they are your board of directors and investors, your third-party business partners, or your customers. Therefore, to thoroughly cover all areas of privacy, an interdisciplinary team should work together in policy development. This team should include:
- IT
- The data steward of corporate information
- Compliance
- The administrative arm of the company that ensures that the company is current and compliant with privacy regulatory guidelines
- Legal staff, who are current on statutes and recent privacy case law and should always review and perform due diligence on privacy drafts or revisions before they are enacted
- Third-party business partners who might want to use your customer information for marketing or research but must understand the limits of the information you can give them
- Adjunct business functions and contractors who need access to sensitive information because it directly affects their ability to do their jobs (e.g., a ‘guest’ surgeon requires access to a patient’s medical history when preparing for a delicate operation).
Items to cover in a privacy policy
Privacy is an issue that overlaps the legal/compliance, marketing/public relations, and IT functions to a degree where many elements must be addressed by cross-disciplinary teams. The elements that a privacy policy should address include:
- Commitments to customers/stakeholders
- How customer information is collected and used
- How customer information is shared
- How customer account activity is tracked
- How customer information is provided to third parties
- Data protection and security
- Opt-in or opt-out choices that customers can make with respect to their information
- Customer privacy rights
- Company contact information for customers with questions about privacy
- Log information
- Privacy compliance
- Employee privacy practices
- Data retention
These elements can be grouped into two general categories:
- Communications and marketing
- Legal, compliance, and IT.
Communications and marketing
Commitments to customers/stakeholders
The privacy policy statement that companies issue to their customers should begin with a position statement from the company on how it is going to protect customer information. Many companies use this beginning point of the policy to explain to customers that their data will be encrypted and kept safe and secure — and that the data will not be sold to others. The company also states that the privacy policy and access to it will always be available to customers and that any time there is a policy change, customers will be notified.
How customer information is collected and used
The privacy policy issued to customers should explain how the company plans to use customer information (e.g., to improve products) and what customer information the company plans to collect for this purpose (customer account information, browsing history, etc.). If the company plans to use/collect the location information or personal information that resides on users’ local devices, this should also be disclosed.
How customer information is shared
The company privacy policy should tell customers of any organizations the company plans to share its customer information with. Typically, these are affiliates or third-party business partners of the company that it feels would be a value-add for the customers.
Opt-in or opt-out choices that customers can make with respect to their information
The privacy policy should explain to customers what their opt-in or opt-out choices are for maintaining the privacy of their information. For example, companies might give customers an opportunity to opt in (or out) of offers from advertisers or third-party business partners, or to opt out of having their data used, even in anonymized form, for analytics reporting.
Customer privacy rights
Customers should be informed of their privacy rights under law. For example, they might have a right to request information concerning whether the company has disclosed personal information to any third parties, and to which third parties, for marketing purposes or whether the company has sold any of their personal information without their consent.
Company contact information for customers with questions about privacy
The company should always furnish customers with an email address, a telephone number, and a physical address so that customers can contact it with any questions or feedback about the privacy policy.
Legal, compliance, and IT
How customer account activity is tracked
Companies often use cookies, together with referrer information, to identify which websites users came from and, through third-party or advertising cookies, which websites they go to after visiting the company website. In addition, usage activity can be tracked on the company website itself. How those cookies are used to track user activity should be explained in the privacy policy, along with the fact that users can block or delete cookies if they choose to. Before a policy is published to users, legal, compliance, marketing, and IT should define which user activity patterns are to be tracked and how tracking information is to be used.
How customer information is provided to third parties
Internally, legal, compliance, and IT should develop policies and standards that govern how customer information will be provided to third parties and what privacy protections will be implemented. In co-marketing efforts where the customer is informed and can opt out of sharing personal information, the company might share direct customer information and contact information with business partners. In other cases, such as data analytics information offered for sale, the company might be required to anonymize individual customer contacts and information so that data can’t be traced back to individuals.
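The two sharing cases above (opt-in co-marketing shares that carry contact details, and analytics shares that must not be traceable back to individuals) are the kind of rule that should be enforced in the export code itself rather than left to a manual check. The following is an added example, not code from the original page or from any particular company: it filters a set of constructed customer records by the customer’s recorded choices, strips direct identifiers from the analytics export, replaces the account number with a keyed HMAC pseudonym, coarsens the postal code, and refuses to release an export that still carries a direct identifier. The field names, the secret, and the sample records are assumptions for illustration. One caveat a practitioner should carry into the policy: because the company keeps the HMAC key, it can still re-identify these rows, so the analytics export is pseudonymised rather than anonymised, and many privacy regimes still treat it as personal data.

```python
import hashlib
import hmac

# Constructed sample customer records for illustration only (not real people).
CUSTOMERS = [
    {"id": 1001, "name": "Alice Example", "email": "alice@example.com",
     "phone": "555-0101", "postal_code": "94105", "orders": 12,
     "marketing_opt_in": True, "analytics_opt_out": False},
    {"id": 1002, "name": "Bob Example", "email": "bob@example.com",
     "phone": "555-0102", "postal_code": "10001", "orders": 3,
     "marketing_opt_in": False, "analytics_opt_out": False},
    {"id": 1003, "name": "Carol Example", "email": "carol@example.com",
     "phone": "555-0103", "postal_code": "60601", "orders": 7,
     "marketing_opt_in": True, "analytics_opt_out": True},
]

# Fields that directly identify a person and must never reach an analytics partner.
DIRECT_IDENTIFIERS = ("name", "email", "phone")
# Internal fields (account number, consent flags) that are also dropped from exports.
INTERNAL_FIELDS = ("id", "marketing_opt_in", "analytics_opt_out")


def pseudonym(customer_id, secret):
    """Keyed pseudonym for an account number (hypothetical scheme).

    A partner cannot reverse it without the secret, but the company can recompute
    it, so this is pseudonymisation, not anonymisation.
    """
    mac = hmac.new(secret, str(customer_id).encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def comarketing_export(customers):
    """Co-marketing share: only customers who affirmatively opted in, with contact details."""
    return [
        {"id": c["id"], "name": c["name"], "email": c["email"]}
        for c in customers
        if c["marketing_opt_in"]
    ]


def analytics_export(customers, secret):
    """Analytics share: honour opt-outs, strip direct identifiers, pseudonymise the
    account number and coarsen the postal code to its first three characters."""
    rows = []
    for c in customers:
        if c["analytics_opt_out"]:
            continue  # the customer declined analytics use; drop the record entirely
        row = {k: v for k, v in c.items()
               if k not in DIRECT_IDENTIFIERS and k not in INTERNAL_FIELDS}
        row["pseudo_id"] = pseudonym(c["id"], secret)
        row["postal_prefix"] = row.pop("postal_code")[:3]
        rows.append(row)
    return rows


def leaks_identifiers(rows):
    """Release gate: True if any exported row still carries a direct identifier or account number."""
    forbidden = DIRECT_IDENTIFIERS + ("id",)
    return any(k in row for row in rows for k in forbidden)


if __name__ == "__main__":
    secret = b"hypothetical-export-key"  # in practice, held in the company's secret store
    analytics = analytics_export(CUSTOMERS, secret)
    assert not leaks_identifiers(analytics)
    print("co-marketing:", comarketing_export(CUSTOMERS))
    print("analytics:", analytics)
```

The `leaks_identifiers` gate is the check to wire into the release pipeline for any third-party transfer: it turns the policy sentence "data can’t be traced back to individuals" into a test that fails loudly when someone adds a new identifying column to the export.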
Data protection and security
Security measures, secure storage, and protection of data for purposes of privacy should be defined as a policy and as procedures implemented by IT, which is the custodian of the data. IT practices should adhere to guidance and standards issued by both legal and compliance.
Log information
As part of its network management, IT maintains server logs that automatically collect and store details of how users used company online services: their telephone numbers and/or IP addresses, time and duration of contact, the browser type used, the times and dates of their service requests, and information gathered by cookies on the website. From a privacy standpoint, IT, legal, and compliance should define how this information is to be used internally, how it is to be protected to safeguard the privacy and security of individuals using the company website, and under which circumstances it will be permissible to share it.
Employee privacy practices
For companies in industries that handle highly sensitive customer information (healthcare, finance, insurance, etc.), employees are often required to interact with customers online, by telephone, or in person, and sensitive information can be shared during these interactions. Guided by the recommendations of its legal and compliance departments, the company should have a set of written policies that govern how employees are to treat customers and their private information, accompanied by training for all employees who are in customer-facing functions and/or come in contact with sensitive information. Similar privacy policies and procedures should be enacted for IT personnel who are tasked with managing and accessing private customer information. As part of this process, IT should maintain extensive logs that track employee, IT, and business partner access to customer information.
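Access logs of the kind described above are only useful if someone reviews them against the policy. The following is an added example, not code from the original page or from any vendor: it records access events to customer records and then runs three policy checks over a constructed log, flagging reads by a role the policy does not authorise, reads that cite a purpose the role is not permitted to use, and bulk reads (one actor opening many distinct customer records within a short window, the pattern behind most insider data theft). The role/purpose matrix, the thresholds, and the sample events are assumptions for illustration; the real values belong in the written policy that legal and compliance sign off.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical role/purpose matrix: which roles may open customer records and
# which purposes each may cite. Assumed for this example, not from the page.
ALLOWED_PURPOSES = {
    "support_agent": {"customer_request", "billing_dispute"},
    "dba": {"incident_response", "migration"},
    "partner_analyst": {"contracted_analytics"},
}
BULK_THRESHOLD = 5                  # distinct customers by one actor ...
BULK_WINDOW = timedelta(minutes=10)  # ... within this window counts as bulk access


def record_access(log, ts, actor, role, customer_id, purpose):
    """Append one access event. A production system would write this to an
    append-only store that the accessing employee cannot edit."""
    log.append({"ts": ts, "actor": actor, "role": role,
                "customer_id": customer_id, "purpose": purpose})
    return log


def review_access(log):
    """Return policy findings as (finding, actor, detail) tuples."""
    findings = []
    per_actor = defaultdict(list)
    for e in sorted(log, key=lambda e: e["ts"]):
        allowed = ALLOWED_PURPOSES.get(e["role"])
        if allowed is None:
            findings.append(("unauthorised_role", e["actor"], e["customer_id"]))
        elif e["purpose"] not in allowed:
            findings.append(("unlisted_purpose", e["actor"], e["customer_id"]))
        per_actor[e["actor"]].append(e)

    # Bulk access: count distinct customers per actor in a sliding window
    # starting at each event; report the actor once.
    for actor, events in per_actor.items():
        for i, start in enumerate(events):
            window = [x for x in events[i:] if x["ts"] - start["ts"] <= BULK_WINDOW]
            distinct = {x["customer_id"] for x in window}
            if len(distinct) >= BULK_THRESHOLD:
                findings.append(("bulk_access", actor, len(distinct)))
                break
    return findings


def sample_log():
    """Constructed access log for illustration: one normal read, one read with an
    unlisted purpose, one read by an unauthorised role, and a partner bulk read."""
    t0 = datetime(2024, 1, 15, 9, 0, 0)
    log = []
    record_access(log, t0, "jdoe", "support_agent", 1001, "customer_request")
    record_access(log, t0 + timedelta(minutes=1), "jdoe", "support_agent", 1002, "marketing_list")
    record_access(log, t0 + timedelta(minutes=2), "intern1", "intern", 1003, "curious")
    for i in range(6):
        record_access(log, t0 + timedelta(minutes=3, seconds=10 * i),
                      "acme_bot", "partner_analyst", 2000 + i, "contracted_analytics")
    return log


if __name__ == "__main__":
    for finding in review_access(sample_log()):
        print(finding)
```

Each finding is a candidate violation for the audit cycle, not a verdict: the bulk read by the partner account may be exactly what the contract permits, which is why the purpose field and the role/purpose matrix need to come from the signed policy rather than from IT alone.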
Privacy compliance
Companies should develop policies and procedures that minimally assure annual audits of information security and privacy of customer and other information critical to the enterprise, with audit cycles addressing and documenting any changes to existing information privacy practices.
Data retention
IT, together with business user areas, compliance, and legal, should annually review data retention policies, making and documenting revisions as needed. Data retention specifically addresses how long sensitive customer history will be maintained in corporate data stores.
Policy development and execution
Audit cycles and regulatory compliance
Companies should check with their legal counsel, regulators, and auditors to determine what needs to be audited in areas of information privacy. In some cases, companies might also have internal audit procedures that their own audit and compliance teams perform. As part of the audit and compliance process, companies should take steps to ensure that their privacy policies are kept up to date with the latest regulatory and compliance rules and that policy updates are issued on a timely basis to customers, business partners, and other stakeholders.
Policy updates and approvals
Privacy policy updates should be issued immediately upon approval. The approval signature list for these updates should be agreed within the company and fully executed before any policy update takes effect. Each issued update should be accompanied by education/training for the employees it affects. For each policy, a historical record of all updates should be maintained.
Policy sign offs by employees
As part of the new employee orientation process, employees being placed into positions that involve privacy issues should be required to receive training, read policies, and sign off that they have read all policies concerning privacy before they begin their assignments. A record of all employee sign offs should be maintained.
Violations and penalties
Violations of privacy policies can result in serious consequences for employees and for the company. For this reason, employees should be informed that violation of privacy policies can result in disciplinary action leading up to and including termination of employment and civil and/or criminal prosecution under federal and/or state laws. Employees assuming responsibilities that involve the protection of private information should be required to read and sign off on the corporate statement on violations and penalties before they begin their assignments. The company should maintain a record of these signed employee acknowledgements that the violation/penalties memorandum has been read and understood.