
October 14, 2004

Creating A Privacy Policy

Again from the Privacy Journal we bring you a list of tips and hints for creating a privacy policy for your organization.

1. Organizations establishing privacy policies should incorporate the elements of the widely accepted Code of Fair Information Practice:
* The existence of all data systems with personal information in them should be publicly disclosed, and the purpose for which information is gathered about people should be disclosed. This is the principle of openness or transparency.
* There must be a way for an individual to find out what information about him or her is in a record and how it is used.
* There must be a way for an individual to prevent information about him or her that was obtained for one purpose (which was stated when the information was gathered) from being used or made available, either within the organization or outside, for a purpose that is incompatible with the original purpose, without getting the consent of the individual. This is the principle of secondary use.
* There must be a way for an individual to correct or amend a record that contains information that is identifiable to him or her.
* The organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability, accuracy, security and timeliness of the data. In other words, the custodian of information that is disseminated has an obligation to the individual to make sure it is accurate, secure, and not misused. This obligation ought not be delegated to another entity.

2. An organization must make sure that other entities handling personal information on behalf of the first organization are bound by these same principles.

3. An organization must conduct periodic risk assessments, balancing the possibility or probability of unauthorized access or disclosure against the cost of security precautions and the expected effectiveness of the precautions. In some cases, it will be necessary to establish an audit trail so that records are kept of disclosures of personal information, both within the organization and outside.

4. Organizations must take special precautions in collecting and using personal information about children, both those 13 or younger and those 18 or younger.

5. An organization should openly disclose its policies and practices with regard to electronic surveillance of its employees' and customers' telephone calls, electronic mail, Internet usage, changing rooms, and rest rooms. It must articulate in advance the reasons for the surveillance.

6. An organization should collect only that personal information that is PROPORTIONAL to the purpose for which it is collected. It must scrutinize each demand for information to determine that it is relevant and necessary.

7. An organization should designate an individual or office (whether full-time or part-time) to handle privacy issues by (a) acting as an ombudsman for customers or employees, (b) assessing the privacy impact of new undertakings, (c) assuring that the organization complies with all laws and trade-association standards, and (d) informing the organization of the latest technology and policies that affect the privacy of customers or employees. An organization that uses "opt-out" to let customers stay out of certain uses of their information should make exercising "opt-out" easy, as easy as clicking a button or checking a box, without the need to write a letter or to communicate with another office.

8. An organization should conduct periodic training of its employees (and volunteers) to assure that they know (1) the applicable laws on confidentiality that govern the organization, (2) the organization's policies and actual practices, (3) the rationale for protecting confidentiality and the sensitivity of personal information, and (4) how to recognize possible breaches and report them to the proper person. An organization may choose to certify that employees who handle personal information are properly trained.

Posted by Irene at 07:02 PM