
2/13/2014

Checklist of Responsible Information-Handling Practices | Privacy Rights Clearinghouse



Fact Sheet 12: Checklist of Responsible Information-Handling Practices



Copyright 1994-2014 Privacy Rights Clearinghouse. Posted January 1995. Revised December 2013.

Introduction
A Business Issue
Using This Checklist
Section I. Developing Privacy Policies to Guide Customer/Client Relations
  A. Organizational Policies
  B. Privacy Principles
  C. Data and Network Security
  D. Some Additional "Common Sense" Security Practices
  E. Records Retention and Disposal
  F. Facsimile Transmission
  G. Copiers, Printers and Fax/Multifunction Machines
  H. Answering Machines and Voice Mail Systems
  I. Wireless Communications
  J. Social Security Numbers (SSNs) and the Use of Personal Identifiers
  K. Guidelines for Security of Lists
    1. Opt-out program
    2. Security practices
    3. Use of marketing data
    4. Data accuracy
    5. Additional tips
Section II. Developing Privacy Policies for Employee Relations
  A. In-house Privacy Policies
  B. E-Mail and Voice Mail Systems
  C. Electronic Monitoring
Resources

Case: A credit bureau mailed a credit report to a man who had requested it, and mistakenly included the credit report of a woman who had no connection to him. To make matters worse, the woman's credit report had been "flagged" by the credit bureau for security purposes.*

* All case studies reported in this Fact Sheet are true stories taken from the PRC hotline log.

Introduction

When we think about data breaches, we often worry about malicious computer hackers exploiting software flaws, or perhaps Internet criminals seeking to enrich themselves at our expense. But the truth is more complicated than that. Hardly a day goes by without a news story about some company or government agency losing control over vast quantities of customer or client information. In fact, the Privacy Rights Clearinghouse reports that over half a billion personal records have been improperly exposed since 2005. Web: www.privacyrights.org/ar/ChronDataBreaches.htm

Thus, a critical starting point for preventing future data breaches (and the identity theft that can follow) is developing ironclad policies and practices for handling personal information from within the workplace. In the past, security was often dealt with by trying to protect sensitive data from outside intrusion. However, that leaves far too much room for internal errors, carelessness, and wrongdoing by those who handle personal information. Responsible data-handling practices begin with the development of workplace privacy policies and the implementation of regular training programs for employees.

The Federal Trade Commission offers a 20-minute interactive tutorial called "Protecting Personal Information: A Guide for Business" at www.ftc.gov/bcp/edu/multimedia/interactive/infosecurity/index.html. The tutorial explains why safeguarding sensitive data is good business and how to implement steps to protect personal information.

The Internal Revenue Service has a "Facility Security Survey Checklist" in Section 10.2.3.8 of the Internal Revenue Manual. The checklist is available at www.irs.gov/irm/part10/irm_10-002-003.html#d0e248.

A Business Issue

The proliferation of office printers, copiers, fax machines, email, laptop computers, personal digital assistants (PDAs), smartphones, and portable storage devices has allowed for the dissemination, accidental or intentional, of information in quantities never before imagined. Thus, the challenge for organizations is not just in keeping track of the ever-growing mountain of new information being produced each year, but also in monitoring and managing the archives. Putting clear policies in place and effectively enforcing them are essential.

https://www.privacyrights.org/checklist-responsible-information-handling-practices#I

1/6


Privacy is increasingly becoming an important business issue. Nearly every state in the U.S. has enacted a data breach notification law. These laws require businesses to notify consumers of breaches of security, and many of them impose additional obligations on businesses. Data breaches can cost companies millions of dollars per incident in direct costs, such as notifying victims. In addition, the public relations fallout from a data breach can be significant, and corporate reputations can suffer tremendously. Twenty percent of data-breach victims cut ties with institutions that compromised their privacy, according to one study by the Ponemon Institute. Web: www.ponemon.org

Furthermore, lawsuits against firms for negligent handling of personal information are becoming more common. Some states have passed laws allowing individuals to sue organizations that fail to safeguard their private data. Federal statutes and regulations also permit government agencies to sue organizations over data breaches and other failures. Even if your organization prevails, litigation costs can be substantial.

Many employers are imposing new restrictions on who can take confidential records out of the office and are providing special training on how to keep data secure. Workers found violating security policies are being disciplined, or even dismissed. So whether or not a company is cracking down on computer security, employees should consider protecting themselves. Experts say it's wise to check your company's policy, or to urge that such policies be adopted or clarified.

Companies using outside vendors to collect, store, process, transmit, or destroy their data should investigate the vendor's privacy and security policies and practices, delineate the vendor's specific obligations (rather than simply stating that the vendor will comply with all applicable laws), and perform privacy audits on vendors.

Using This Checklist

This checklist provides an overview of key points to consider when preparing information-handling policies and conducting privacy audits within your organization. The checklist can be used by private, public and not-for-profit organizations alike. Not all points will be relevant to your organization. Some situations may require you to take more stringent steps than those listed here; for example, medical records may necessitate extraordinary steps.

The checklist is divided into two sections. Section I suggests issues to consider when drafting privacy principles to safeguard the personal information of your clients and customers. Section II concerns privacy policies affecting your employees, such as personnel records, electronic monitoring, and email.

Understand that this is not an issue you can address once and have solved forever. Threats will change, technology will change, and employees will change, so your plans and processes should change along with them. Updates are crucial.

No one is immune. While some companies have data collection as their core business, all firms collect information on their clients, customers, and employees. Don't wait until a computer goes missing to think about what actions to take. Develop a complete checklist now.

Section I. DEVELOPING PRIVACY POLICIES TO GUIDE CUSTOMER / CLIENT RELATIONS

A. Organizational Policies

Does your organization have policies that outline its privacy practices and expectations for handling the personal information of its clients, customers, users, members and/or listees?
Are your organization's privacy policies communicated regularly? Opportunities include employees' initial training sessions, regular organization-wide training programs, employee handbooks, posters and posted signs, company intranet and Internet Web sites, and brochures available to clients.
Are all employees who handle personal information included in the training programs, including temporary employees, back-up personnel, and contract staff?
Is your organization familiar with, and has it adopted, the information security management standard published by the International Organization for Standardization (ISO), known as ISO 27001? Web: www.iso.org. For a guide to ISO 27001, visit www.iso27001security.com/index.html. The Web site for the ISO 27001 User Group is www.17799.com. The progress of the 27000 standards is being tracked at the Web site of the ISO 27001 and ISO 27002 Directory: www.27000.org.

B. Privacy Principles

The major components of effective privacy policies are listed below, adapted from the fair information practices developed by the Organisation for Economic Co-operation and Development (OECD). Web: www.oecd.org. Another useful compendium is the Canadian Privacy Code under the federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA). Web: http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html. Although designed to guide the development of national privacy legislation, these principles are also appropriate for organizations.

Openness. A general practice of openness about practices and policies should exist. Means should be available to establish the existence and nature of personal information and the main purposes of its use.

Purpose specification. The purpose for collecting personal information should be specified at the time of collection. Further uses should be limited to those purposes.

Collection limitation. Personal information should be collected by lawful and fair means and with the knowledge and consent of the subject. To the greatest extent possible, companies should employ the principle of data minimization: collect only the data that is actually necessary to conduct their business, and collect it only for the stated purpose.

Use limitation. Personal information should not be disclosed for secondary purposes without the consent of the subject or by authority of law.

Individual participation. Individuals should be allowed to inspect and correct their personal information. Whenever possible, personal information should be collected directly from the individual.

Quality. Personal information should be accurate, complete and timely, and relevant to the purposes for which it is to be used.

Security safeguards. Personal information should be protected by reasonable security safeguards against such risks as loss, unauthorized access, destruction, use, modification or disclosure. Access to personal information should be limited to those within the organization with a specific need to see it.

Accountability. Someone within the organization, such as the chief privacy officer or an information manager, should be held accountable for complying with its privacy policy. Privacy audits to monitor organizational compliance should be conducted on a regular basis, as should employee training programs.

There are many variations of fair information principles (FIPs). For an overview of FIPs, read our guide at www.privacyrights.org/ar/fairinfo.htm. See also Web site seal programs such as TRUSTe at www.truste.com, and the BBB Accredited Business Seal at www.bbb.org/us/bbb-online-business/.

C. Data and Network Security


Security of personally identifiable information, whether stored in electronic, paper or micrographic form, is covered in many websites, books, journals, trade magazines, and conferences. Only the major points are listed here. Several professional associations are listed in the Resources section at the end of this guide.

Do you have staff specifically assigned to data security? Do staff members participate in regular training programs to keep abreast of technical and legal issues?
Have you developed a security breach response plan in the event that your company or organization experiences a data breach?
Have you developed security guidelines for laptops and other portable computing devices when transported off-site?
Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information?
Do you have procedures to prevent former employees from gaining access to computers and paper files, such as revoking accounts, credentials and keys on the day of departure?
Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?
Are filing cabinets containing sensitive information locked?
Are computers, laptops, and networks password protected?
Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?
Do all employees follow strict password and virus protection procedures?
Do your password rules reflect current guidance? Long, unique passwords and multi-factor authentication do more than frequent forced changes; the U.S. National Institute of Standards and Technology (NIST SP 800-63B) now recommends changing passwords when there is evidence of compromise rather than on a fixed schedule, and no password method is "foolproof".
Is encryption used to protect sensitive information (a particularly important measure when transmitting personally identifiable information over the Internet)?
Do you regularly conduct systems-penetration tests to find exploitable weaknesses before an attacker does? (No system is "hacker proof"; the value of a test lies in what it finds and in fixing it.)
If your organization is potentially susceptible to industrial espionage, have you taken extra precautions to guard against leakage of information?

D. Some Additional "Common Sense" Security Practices

Case: A medical office photocopied more of a car accident victim's record than necessary and released extremely sensitive but irrelevant information to the insurance company. Information about the woman's child, given up for adoption 30 years ago, eventually became part of the court record, a public document.

When providing copies of information for others, do employees make sure that nonessential information is removed and that personally identifiable information that has no relevance to the transaction is either removed or masked?
Are employees trained never to leave computer terminals unattended when personally identifiable information is on the screen? Do you use password-activated screen-saver programs?
Are all employees who handle personal information, including temporary, back-up and contract staff, trained to detect when they are being "pumped" for personal information by unauthorized and unscrupulous persons? "Pretext" interviews are more common than might be expected and are the stock in trade of persons bent on finding out confidential personal information to which they are not entitled.
Do you perform background checks on prospective employees who will have access to the personal information of customers, clients, or employees? (See our guide, "Small Business Owner's Background Check Guide," at www.privacyrights.org/fs/fs16b-smallbus.htm.)
Have employees been instructed on what might constitute inappropriate use of social networking sites? Employees must be made aware of the privacy pitfalls inherent in social media. "Twittering" or "Facebooking" about sensitive work issues can have adverse consequences far beyond a simple conversation.
Have you inventoried the various types of data being stored and classified them according to how important they are and how costly it would be to the organization if they were lost or stolen?

E. Records Retention and Disposal

Case: An automobile dealer did not shred loan applications before tossing them into the garbage. A "dumpster diver" retrieved one and used the financial information to commit thousands of dollars of fraud against someone who had applied for a car loan.

Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or electronic (computer) media?

Customer records stored electronically or in paper files are a company asset, just like the furniture or the computers. Not only that, but customers' personal information, unlike the furniture, is subject to a myriad of laws that dictate privacy protections, safeguarding measures, and proper disposal. Even in hard times, when a company has to close its doors, customer data should never be abandoned or left at the curb for the trash collector. Such actions could subject owners, even of a defunct business, to unwanted lawsuits by customers and government regulators.

When disposing of computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, motherboards, and any other electronic media that contain personally identifiable information, is all data rendered unrecoverable, either by physically destroying the device or by overwriting the data sufficiently to ensure destruction? Overwriting is reliable only for magnetic media that the wipe tool can address in full. Flash-based media (SSDs, memory sticks) remap and reserve blocks that an overwrite never reaches, so for those use the device's built-in secure-erase command, destroy the key of a drive that was encrypted from the start, or physically destroy the device. Keep a record of what was wiped, with which tool, and who verified it.
If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction? Does it dispose of toxic materials properly?

As an asset, customer data may be up for sale in the case of bankruptcy.
However, all parties to a bankruptcy should be familiar with the Federal Trade Commission's lawsuit against ToySmart under Section 5 of the Federal Trade Commission Act ("FTC Act"), 15 U.S.C. 45(a), for disclosing, selling or offering for sale personal customer information, contrary to the terms of the company's privacy policy that personal information would never be disclosed to third parties. For more on this case, see www.ftc.gov/os/2000/07/toysmartconsent.htm.

Many states have enacted data disposal laws requiring proper disposal of records containing personal information. For a list of such laws, see www.ncsl.org/issues-research/telecom/data-disposal-laws.aspx.

When disposing of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded? (Shredding should be cross-cut, diamond-cut, or confetti-cut, not simply continuous [single-strip] shredding, which can be reconstructed.)
Does your recycling company certify its disposal/destruction methods? Is it bonded?
When engaging an external business to destroy records or electronic media, do you check references? Do you insist on a signed contract spelling out the terms of the relationship? Do you visit the destruction site and require that a certificate of destruction be issued upon completion?
When dealing with another company or government agency, do you ask about its security protocol regarding personal information? Do you inquire whether it shares that information with anyone? Do you find out whether it does background checks on employees with access to your personal information?

Contracts with outside service providers, as well as employee agreements, should specify that customer data is the company's exclusive property and should only be used as necessary to carry out contractor or employment duties. Such contracts and agreements should also incorporate the company's privacy and data security policies. Contracts should also delineate the service provider's specific obligations, rather than simply stating that the contractor will comply with all applicable laws.

F. Facsimile Transmission

Case: A medical doctor, who was filing for bankruptcy, faxed a financial document to his attorney. He entered the wrong telephone number, and the document was instead transmitted to the local newspaper.

Is the fax machine in a supervised area, off-limits to unauthorized persons? Is use restricted to authorized personnel only?
Is the fax machine used exclusively for sending nonconfidential materials?
When sending documents, do all users complete a cover sheet that indicates the sender's and receiver's names, addresses and telephone numbers? When confidential materials are sent, is notice of their confidential nature indicated on the cover sheet?
Do users always check the receiver's telephone number before transmitting documents? Do they compare the number displayed with the number being called to check for errors? Do they check the transmission report after the fax has been sent?
When transmitting confidential materials, is the recipient notified in advance that the document is being sent? Does the sender check with the receiver to make sure the document has been received?

For additional tips, read Guidelines for Facsimile Transmission Security, by the Information and Privacy Commissioner of Ontario.
Web: www.ipc.on.ca/images/Resources/fax-gd-e.pdf

G. Copiers, Printers and Fax/Multifunction Machines

Case: Four used copiers purchased from an office supply warehouse for about $300 each contained a gold mine of personal data. Using a forensic software program available free on the Internet, tens of thousands of documents were downloaded. Some of the data available included 95 pages of pay stubs with names, addresses and Social Security numbers; 300 pages of individual medical records; detailed domestic violence complaints and a list of wanted sex offenders; and a list of targets in a major drug raid.

When copiers, printers, or fax/multifunction machines are repaired or disposed of, do you consider the digital data that is likely to be present on the equipment's hard drive?

Digital copiers, printers, and fax/multifunction machines represent one of the most important and least understood opportunities for data leaks. They are a digital time bomb containing a wide variety of sensitive information. Most such equipment manufactured since 2002 contains a hard drive that stores digital images. These machines are capable of storing an image of every document that has been copied, scanned, printed, emailed, or faxed. The images may be stored in a proprietary format, but that is not protection: unless the drive is encrypted and the key does not leave with the machine, anyone holding the drive and freely available forensic tools can recover years of sensitive data. Some machines don't even require that much effort, because they allow jobs to be reprinted from a stored job list. Sophisticated copiers may also contain a list of users' email addresses, outgoing fax numbers, and contact names. All of this information can easily be transferred from the copier to an attacker's laptop. Accordingly, simply disposing of this equipment presents a significant opportunity for a security breach.

While much of the hard drive space in many machines is used for processing, the drive may also store thousands of pages of information. Once the hard drive's capacity has been exceeded, older files are automatically overwritten. Cap points limit the number of pages stored to hard drives, and the cap will vary with each make and model. Depending on the type of machine, information from small print jobs may be stored in random access memory (RAM) only, and those files may be overwritten with each new print request or lost when the machine is powered off. Most major manufacturers now offer security or encryption packages to help protect against this problem. However, many businesses fail to pay for this protection. If your equipment does not have this protection, you should erase or remove the copier's hard drive, clear its memory, and change the copier's passcodes.

Does your organization have security procedures in place for deleting digital data from copiers, printers and fax/multifunction machines?
Does your organization recycle or resell copiers, printers or fax/multifunction machines to wholesalers or refurbishers? If so, have steps been taken to remove any data history?

The Federal Trade Commission's Copier Data Security: A Guide for Businesses provides information about digital copier operation, lifecycles, encryption, overwriting, and security measures. The guide is available at http://business.ftc.gov/documents/bus43-copier-data-security.

The Federal Deposit Insurance Corporation (FDIC) has issued guidance describing the risk posed by sensitive information stored on these types of devices and how financial institutions can mitigate that risk. The FDIC requires financial institutions to implement written policies and procedures to ensure that a hard drive or flash memory containing sensitive information is erased, encrypted or destroyed prior to the device being returned to the leasing company, sold or otherwise disposed of. Web: www.fdic.gov/news/news/financial/2010/fil10056.html
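Sections E and G above both come down to one question: after the drive from a retired PC or copier has been wiped, is the data actually gone? The following is an added example, not part of this fact sheet and not from the FTC or FDIC guidance it cites, that shows one way to check. It reads the raw image of the drive, classifies each sector as zero-filled, random-looking or low-entropy (text, structured data, a partial wipe), and scans for the magic numbers of the document formats a copier leaves behind (PDF, JPEG, TIFF, PNG, Office/zip, PostScript). The sample images are constructed inline; the 512-byte sector size, the 7.0 bits-per-byte entropy threshold and the signature list are assumptions made for the demonstration. A clean result is evidence that the wipe tool did its job, not proof that nothing survives: flash media remap blocks that a logical image never shows, which is why such devices should be secure-erased by their controller or physically destroyed rather than overwritten.

```python
"""Post-sanitization check of a drive image (constructed sample data).

Given the raw bytes of a drive from a retired PC or copier, classify each
sector as zero-filled, random-looking, or low-entropy (text, structured
data, a partial wipe) and scan for file-format magic numbers that mark
recoverable documents. A clean result is evidence, not proof: flash media
remap blocks that a logical image never shows, so those devices should be
secure-erased by the controller or physically destroyed instead.
"""
import math
import random

SECTOR = 512          # assumption: classic sector size; 4096 is also common
HIGH_ENTROPY = 7.0    # bits per byte; random or encrypted 512-byte sectors sit near 7.6

# Magic numbers of formats a copier or office PC leaves behind (assumed list).
SIGNATURES = {
    "pdf": b"%PDF-",
    "jpeg_jfif": b"\xff\xd8\xff\xe0",
    "jpeg_exif": b"\xff\xd8\xff\xe1",
    "png": b"\x89PNG\r\n\x1a\n",
    "tiff_le": b"II*\x00",
    "tiff_be": b"MM\x00*",
    "zip_office": b"PK\x03\x04",
    "postscript": b"%!PS-",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for an all-zero sector, about 7.6 for 512 random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_sector(sector: bytes) -> str:
    """'zero' (wiped with zeros), 'random' (wiped with random data or encrypted), or 'low'."""
    if not any(sector):
        return "zero"
    if shannon_entropy(sector) >= HIGH_ENTROPY:
        return "random"
    return "low"


def signature_hits(image: bytes) -> dict:
    """Count occurrences of each known magic number anywhere in the image."""
    hits = {}
    for name, magic in SIGNATURES.items():
        count, pos = 0, image.find(magic)
        while pos != -1:
            count += 1
            pos = image.find(magic, pos + 1)
        if count:
            hits[name] = count
    return hits


def assess_image(image: bytes) -> dict:
    """Summarise sector classes and signature hits and give a verdict for the wipe."""
    kinds = [classify_sector(image[i:i + SECTOR]) for i in range(0, len(image), SECTOR)]
    summary = {k: kinds.count(k) for k in ("zero", "random", "low")}
    hits = signature_hits(image)
    if hits or summary["low"]:
        verdict = "residual data found"
    elif summary["zero"] == len(kinds):
        verdict = "zero-filled"
    elif summary["random"] == len(kinds):
        verdict = "random-filled or encrypted"
    else:
        verdict = "mixed: inspect"
    return {"sectors": summary, "signatures": hits, "verdict": verdict}


def build_samples() -> dict:
    """Constructed images: one from a 'disposed' copier drive, two after wiping."""
    rng = random.Random(20131201)  # fixed seed so the result is reproducible

    def rand(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    # Remnants of scanned documents: a PDF page, a JFIF scan, then the PDF page again.
    pdf_page = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\n"
                b"BT (PAYROLL RUN 2013-12) Tj ET\n").ljust(SECTOR, b"\n")
    jfif_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    jpeg_scan = jfif_header + rand(SECTOR - len(jfif_header))  # header, then compressed bytes
    dirty = bytes(SECTOR * 4) + pdf_page + jpeg_scan + bytes(SECTOR * 2) + pdf_page
    return {
        "dirty": dirty,                 # partially wiped: 9 sectors, 3 with content
        "zeroed": bytes(SECTOR * 8),    # zero-fill wipe
        "randomised": rand(SECTOR * 8), # random-fill wipe (or encrypted, indistinguishable here)
    }


if __name__ == "__main__":
    for name, image in build_samples().items():
        print(name, assess_image(image))
```

Against a real device, feed `assess_image` the bytes of the drive image (for anything larger than memory, read and assess sector ranges in a loop and aggregate the counts) and file the verdict together with the certificate of destruction. Treat any signature hit or low-entropy sector on a drive that was supposed to be wiped as a failed wipe, not as a curiosity.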

H. Answering Machines and Voice Mail Systems

Case: Message left on the wrong answering machine when the phone number was misdialed: "Hello, Mrs. Weaver. This is Judy from the County Parole Office. You called earlier about your daughter Crystal? She has already been taken to the California Youth Authority [juvenile detention center]."

Are precautions taken in situations where confidential and highly sensitive messages are expected to be left on answering machines or voice mail systems?
Is the number of the call recipient verified for accuracy?
Is permission asked of the intended call recipient to leave confidential messages?
Are non-specific messages left when prior permission has not been obtained from the call recipient?

I. Wireless Communications

Case: As people stood in line to enter the theater, the cellular phone conversation of one theatergoer was overheard by those nearest her. It soon became obvious that the woman was a medical doctor talking about the care of a patient.

Are employees properly trained to make sure that all data is properly encrypted and that encryption is not either accidentally or intentionally disabled? While organization policies should emphasize the importance of encryption, these policies may be ignored by careless users, particularly if noncompliance does not result in adverse consequences.
Many organizations remain overly dependent upon encryption solutions to protect sensitive data on their laptops. Companies relying solely on encryption cannot be sure whether stored data has actually been encrypted, whether it has been compromised, or even which files have been accessed. Corporations should take a layered approach to security, making encryption only one layer of their approach to data security.
Are employees trained in techniques to spot suspicious activity, including signs that a computer has been infected with malware?


Does the organization have policies, procedures and training programs that emphasize responsible information-handling practices?
Is the network connection between home and work secure?
Do laptops containing sensitive information have a "kill switch," that is, remotely enabled software that can disable lost or stolen laptops? The loss or theft of laptops is one of the most common ways that the security of corporate data is compromised.

J. Social Security Numbers (SSNs) and the Use of Personal Identifiers

Case: The supervisor of a unit within a large state government agency sent an electronic mail message to every employee that listed all their names and Social Security numbers, disregarding the privacy and fraud implications of releasing that information.

The use of SSNs for record-keeping purposes and as personal identifiers should be strongly discouraged and, preferably, prohibited. Proliferation of SSNs puts customers and employees at risk by allowing unscrupulous persons to obtain the number for fraudulent purposes, for example, opening credit card accounts in another person's name. (See the Privacy Rights Clearinghouse identity theft publications. Web: www.privacyrights.org/identity-theft-data-breaches. See also Recommended Practices for Protecting the Confidentiality of Social Security Numbers. Web: www.oag.ca.gov/sites/all/files/pdfs/privacy/protecting_ssns.pdf.)

If the organization uses the SSN as a record-keeping number, does it offer its clients and/or employees the option of using an alternative number?
Does the organization have a strict policy prohibiting the display of SSNs on any documents that are widely seen by others, for example, time cards, parking permits, employee rosters, mailing labels, paycheck stubs, health insurance cards?
If the organization requires an access code for certain transactions (e.g., ATM cards, computer access, phone banking, security system codes, building access cards, passwords), does it prohibit the use of SSNs, or any part of the SSN such as the last four digits, as personal identifier numbers? (The last four digits are widely printed and requested elsewhere, so they make a poor secret.)
Is the organization aware of states that have enacted laws placing restrictions on the display and transmission of SSNs? Such states include California and New York.

K. Guidelines for Security of Lists

Case: Before departing the singles dating-service office, a fired employee stole a computer disk containing the supposedly confidential mailing list of all its clients. He sold the list to other dating services in the area.

Does your organization maintain information on clients, customers, potential customers, users, and/or members? Does it make those lists available to other entities by selling, renting, or exchanging them? If so, the Direct Marketing Association (DMA) recommends that the following guidelines be practiced. These are adapted from DMA's "Guidelines for Ethical Business Practice" and a previous publication, "Fair Information Practices Checklist." The use of the word "customer" below can be altered to fit your specific situation, such as "client," "member" or "user." Web: www.dmaresponsibility.org/guidelines/

1. Opt-out program

a. Does your organization offer its customers name-removal options? Are those options effectively communicated?
b. Do you subscribe to the DMA's name-removal services, the Mail Preference Service (MPS) and/or its E-mail Preference Service (EMPS)? Web: www.the-dma.org. Are MPS and EMPS names removed prior to renting or exchanging lists?
c. If you are a telemarketer, do you subscribe to the Federal Trade Commission's Do Not Call (DNC) Registry? Are DNC numbers removed prior to renting or exchanging lists?
Web: https://telemarketing.donotcall.gov

2. Security practices

a. Is someone in your organization responsible for list security? Is someone responsible for keeping up to date on current laws and regulations regarding fair information practices?
b. Are your lists physically secure?
c. Are there sufficient restrictions, such as audit trails and strict penalties for violation, on your employees to protect against unauthorized access?
d. Does your organization instruct its employees in initial employee orientations and ongoing training programs that customer data are confidential?
e. Does the organization have adequate security to prevent remote computer access to your lists?
f. Does your organization ensure that list recipients employ sufficient safeguards? Does it make sure security measures are in place during the transfer of lists? Do you ensure the secure and timely return or destruction of lists used by other entities? Do you use a monitoring system to track list usage, such as the use of decoy names, called seeding?

3. Use of marketing data

a. Is your organization collecting only those consumer data that are pertinent and necessary for the purpose at hand?
b. Are you sensitive to a consumer's expectation that some personal information may be considered confidential and should not be used for marketing?
c. If your organization contributes customer data to a cooperative database, are you satisfied about the database's security?

4. Data accuracy

a. Does your organization have the means to update its customer data?
b. Are customer data reviewed/revised by your organization on a regular basis?
c. Are customer inquiries regarding data accuracy answered promptly and to the customer's satisfaction?

5. Additional tips

The Privacy Rights Clearinghouse suggests these additional security guidelines:

a. Do you disclose up-front the intended uses of the data that are collected?
b. Do you allow the data subjects to inspect and correct data held about them?

Section II. DEVELOPING PRIVACY POLICIES FOR EMPLOYEE RELATIONS

A. In-house Privacy Policies

Does your organization have policies for handling the personal information of your employees? Such policy statements typically concern hiring procedures, personnel records, medical records, discipline procedures, email usage, electronic monitoring, and Internet access.

B. E-Mail and Voice Mail Systems

Case: Charles was absent from work for a month on disability leave. Upon his return, he was shocked to discover that his supervisor had changed his password and listened to his voice mail messages.

Does your organization have a policy regarding the privacy expectations of its employees and any third-party users (i.e., clients, customers) who use the email and/or voice mail systems? Are those policies effectively communicated to all employees and third-party users?

Points to include in your policy:
a. the purpose for which the system is to be used (business only? personal matters allowed? no trade secrets discussed?)
b. penalties for misuse
c. who is authorized to access e-mail/voice mail messages; the disposition of email/voice messages when the employee is on temporary but extended leave
d. the retention/purge schedule for files, including retention procedures for possible use as legal evidence
e. expectations for privacy (none? only in files marked "private"?)
f. password creation/change procedures
g. the use of encryption (prohibited? allowed? required for sensitive communications?)
h. safeguards concerning copying and forwarding messages, especially messages containing personally identifiable data
i. how the policy is communicated, such as employee notice and training programs

C. Electronic Monitoring

In addition to email monitoring, an increasing number of employers use a variety of employee-monitoring practices, such as telephone systems that allow supervisors to listen to telephone calls, computer keystroke monitoring systems that can determine work productivity, web-surfing monitoring, video monitoring systems, and locational detectors.

Does your organization have a communications policy governing the use of employer-provided equipment? A written policy can help protect employers and minimize the possibilities that employees will misuse company technology.

Does the organization have a policy that states the types of monitoring being conducted and the uses made of monitoring data? Does the policy include procedures to safeguard sensitive personal information encountered in the process of monitoring?

Is this policy communicated to all employees at time of hiring, as well as at other times, at least annually?

Does the policy include provisions for employees to appeal adverse decisions based on data collected by the monitoring system?

If telephone monitoring is being conducted, does the organization provide telephones that are not monitored and can be used for personal calls (at least pay phones)?

Copyright Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines (/copyright.htm). The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.
