What is an Internal Privacy Policy?

According to the Office of the Australian Information Commissioner, a privacy policy is a statement that explains in simple language how an organisation or agency handles personal information. All organisations and agencies as defined by the Privacy Act 1988 are required to have a privacy policy.

You may have heard of a similar term known as a privacy statement. While a privacy statement is used for external purposes such as informing customers or suppliers, privacy policies are intended for internal use, formulating policies and informing employees. 

The areas that privacy policies usually cover include:

  • Employee records: Personal information, medical history, etc.
  • Email and Internet usage guidelines
  • Handling customer information
  • Internal systems: Permission, responsibilities, access to files, etc.
  • Mobile devices: company phones, laptops, etc.
  • Established laws and regulations
  • Consequences for policy violation
  • Reporting a security breach

Why is it Needed?

Companies often need to collect and house personal information about their employees and customers, as well as confidential information about the company itself. If a rival firm were able to access this information, it could mean that your company would lose its competitive advantage, as well as breach customer trust for having their information leaked. There would also be serious consequences if an employee were able to look at another employee’s files.

To mitigate against these threats to your company, an internal privacy policy is required so that all employees know what policies are in place regarding personal information. All employees will be on the same page on what they can and cannot do, the penalties for breaching policies, and what to do if they spot a breach themselves.

How to Write an Internal Privacy Policy

General Tips

The following tips should be integrated throughout your private policy:

  • Use the active tense (you, we, I) and simple language.
  • Avoid using legal jargon, acronyms, and in-house terms
  • Use short sentences and break up large blocks of text into paragraphs or dot points
  • Use headings to help readers easily locate information relevant to them
  • Only include relevant information by focusing on what is likely to be important to the reader. This will help avoid unnecessary length.

Be Specific

Your privacy policy should not leave any room for employees to speculate or assume. You should delve into specific details so that your employees know what to do in every situation. This may mean using real-world examples of situations that may occur in the workplace. Some specific questions that your privacy policy should answer include:

  • What strict password and virus protection procedures are in place?
  • How often should employees change their passwords?
  • Is encryption used to protect sensitive information?
  • How often are system-penetration tests conducted to verify if your systems are hacker proof?
  • What regular training programs are in place that allow employees to keep up-to-date on technical and legal issues?
  • What is the response plan in the event of a security breach?
  • What are the procedures that prevent former employees from accessing computers and paper files?
  • Are sensitive files separated in secure areas/computer systems and available only to specific individuals?
privacy policy

Another way of being more specific is including a list of definitions for terms that may need more clarification. As an example, the meaning of ‘personal data’ is often misunderstood, as some employees think that if information can be found in the public domain, it isn’t personal data. Personal data is any information that relates to an identified or identifiable individual, and can be as simple as name, number, IP address, or cookie identifier. The definition of personal data should be set out in a business context so that employees have a clear understanding of how to handle this information. 

Determine what Structure to Use

Due to the breadth of information that needs to be included in a privacy policy, it is vital that you have a clear structure. Information should be arranged in a way which makes sense in terms of your company’s functions, activities and audience. For example, you could separate the different groups from which you collect information from and have different privacy policies for, such as customers, employees, and businesses.

You should also ensure that the privacy policy is contained within a singular document. This will avoid the fragmentation of information and allow employees to easily find out where the policy is.

Outline How to Report Security Breaches

One topic which is often neglected in privacy policies is what employees should do in the event of a security breach. Whether an email has been accidentally sent to the wrong recipient, or an employee has overheard another employee selling sensitive company information, all incidents involving security breaches need to be reported.

Your privacy policy should include phone numbers, email addresses and other contact details so that employees can report any security breaches they observe. Besides the privacy policy, you should end all emails containing sensitive information with instructions to contact your company and delete the email if it was sent in error.

Test Your Privacy Policy

An essential step in formulating your privacy policy is testing it on your target audience. If possible, a sample of employees from different departments and levels should be chosen to review the policy.

The readers will be able to provide feedback, pointing out areas that will likely cause confusion within the target audience and which need more clarification. They can also provide a unique perspective and offer improvements that can be made to the privacy policy that you may have missed.

Regularly Update Your Privacy Policy

Finally, your privacy policy should be regularly reviewed and updated to reflect changes in the law, your business, or your protocols. You should also let your employees know that these changes have occurred in a timely manner. A number of methods are available for this, which include brief introduction videos by executives, presentations during department meetings, and as follow-up communications. 

Conclusion

Internal privacy policies are important tools for employees to raise their awareness on how to handle personal information. Some important points that companies should consider when drafting this document include being specific, having a clear structure, outlining how employees should report security breaches, testing the privacy policy, and regularly reviewing it. Given the detrimental impacts a breach in information security can have on the company’s functioning and reputation, companies should treat privacy incredibly seriously and ensure all employees are aware of their policies.