Intranet Journal
The online resource for intranet professionals

Privacy 101
Page 2

2/10/03

Go to page: 1 2

Privacy Policies

Privacy policies are high-level laws of the land regarding your confidential information. Without privacy policies, no enforcement of privacy controls or standards can be made. By establishing a policy, you are implying that enforcement can or will follow.

Privacy policies are the foundation of your privacy infrastructure. Your privacy policies serve as a guide and a reference point to numerous privacy tasks in your organization. Privacy controls are systems and technologies that enforce privacy policies on your intranet. The process of developing privacy controls forces you to understand what information needs to be kept private. Implementing privacy controls reduces the risk that privacy policies will be violated.

Privacy Policy Samples

In order to give you a jump-start on creating privacy polices, here are some sample privacy policies that might make sense for your organization:

• Private customer information will be made available to authorized individuals on a need to know basis only.
• Private customer information will not be transmitted across insecure intranets and public networks in plaintext.
• All private customer information needs to be specifically defined.
• There must be a legitimate purpose for collecting personal information.
• Private customer information includes credit card numbers, addresses, phone numbers, medical history, medications, doctors' names, account numbers, financial institution routing numbers, names of family members include spouse and children.
• Privacy Impact Assessments will be conducted a minimum of once a year.
• The Privacy Policy will be published and made known to all customers.
• Customers need to be notified if the Privacy Policy is changed.
• Employees will be held accountable to abide by all Privacy Policies.
• Strong authentication will be required to access all designated private databases.
• Private databases will be scanned for security vulnerability assessments annually.
• Privacy incidents will be reported to the CIO and Office of Security.
• A process for handling privacy incidents must exist and be documented.

If your organization was being audited, here are some questions that an auditor might ask in regards to your privacy policies:

1. Are employees informed about reporting privacy violations? How would they know what to report, and to whom to report it to?
2. Where can employees turn for information to guide them on how to handle privacy issues and incidents?
3. Are there privacy policies associated with change-management?
4. What databases are designated as private?
5. Who has access to private databases and why?
6. How are employees made aware of your Privacy Policy?
7. How are customers made aware of your Privacy Policy?
8. When was your last Privacy Impact Assessment?
9. What systems and networks contain private customer information?
10. Are appropriate systems and networks scanned for vulnerabilities and threats?

A Word to the Wise

Paying attention to privacy is similar to paying attention to information security. The primary difference between privacy and security is that privacy processes force organizations to understand personal customer information. Organizations must know what their personal customer information is, where it is stored, how to secure it, and who has access to it. Paying attention to privacy makes businesses and organizations get more focused about security and puts the focus on personal customer information. Some organizations are hiring Chief Privacy Officers to lead privacy initiatives. If your organization does not have a Chief Privacy Officer, at the very least someone in your organization should be held accountable for determining if private information exists on your intranet, and what should be done to secure it.

Go to page: 1 2