You may have heard of a similar term known as a privacy statement. While a privacy statement is used for external purposes such as informing customers or suppliers, privacy policies are intended for internal use, formulating policies and informing employees.
The areas that privacy policies usually cover include:
- Employee records: Personal information, medical history, etc.
- Email and internet usage guidelines
- Handling customer information
- Internal systems: Permission, responsibilities, access to files, etc.
- Mobile devices: company phones, laptops, etc.
- Established laws and regulations
- Consequences for policy violation
- Reporting a security breach
Why is it Needed?
Companies often need to collect and store personal information about their employees and customers, as well as confidential information about the company itself. If a rival firm were able to access this information, your company could lose its competitive advantage and breach customer trust by having their information leaked. There would also be serious consequences if an employee were able to access another employee’s files.
The following tips should be integrated throughout your privacy policy:
- Use the active tense (you, we, I) and simple language.
- Avoid using legal jargon, acronyms, and in-house terms.
- Use short sentences and break up large blocks of text into paragraphs or dot points.
- Use headings to help readers easily locate information relevant to them.
- Only include relevant information by focusing on what is likely to be important to the reader. This will help avoid unnecessary length.
- What strict password and virus protection procedures are in place?
- How often should employees change their passwords?
- Is encryption used to protect sensitive information?
- How often are system penetration tests conducted to verify that your systems are hacker-proof?
- What regular training programs are in place that allow employees to keep up-to-date on technical and legal issues?
- What is the response plan in the event of a security breach?
- What are the procedures that prevent former employees from accessing computers and paper files?
- Are sensitive files separated in secure areas/computer systems and available only to specific individuals?
Another way of being more specific is to include a list of definitions for terms that may need clarification. As an example, the meaning of ‘personal data’ is often misunderstood: some employees think that if information can be found in the public domain, it isn’t personal data. Personal data is any information that relates to an identified or identifiable individual, and can be as simple as a name, number, IP address, or cookie identifier. The definition of personal data should be set out in a business context so that employees have a clear understanding of how to handle this information.
Determine what Structure to Use
Outline How to Report Security Breaches
One topic that is often neglected in privacy policies is what employees should do in the event of a security breach. Whether an email has been accidentally sent to the wrong recipient, or an employee has overheard another employee selling sensitive company information, all incidents involving security breaches need to be reported.