Earlier this week a photo was posted on Facebook that was intended to be shared just with friends. The photo was tagged with someone appearing in it allowing tagged person’s friends to see the photo. One friend of the tagged person re-posted the photo and before you know it the photo went viral on Twitter. The person originally posting the photo was understandably not too pleased. The complexity of the privacy policy seems to have confused the user who may not have posted the picture if they knew it would be made public.
While this story is about an end-user’s confusion, unintended disclosure of information by a member of your staff can occur because they do not understand your privacy policy.
Your internal privacy policy should provide guidance
Every day your staff is handling personal information that is either regulated or simply expected to be kept private by your customers, employees, and other stakeholders. I have seen situations where a staff member unintentionally shares protected information in violation of the organization’s privacy policy thinking they were doing the “right thing” to help the business. In almost every case the staff member was confused by the privacy policy.
When you create your privacy policy think of it as a moral compass for your organization defining what is “the right thing to do”. Supplement this with some high level guidance on implementation (i.e. personal information will be encrypted in transit), but leave the details for your functional areas to define through procedures, standards, and guidelines. After all, the functional areas are experts in what they do and should not be constrained (as to how they operate as long as they comply with the privacy policy).
The privacy policy should also define consequences
The policy should also define the consequences to if the policy is violated. Including a statement such as “violation of this policy may result in disciplinary action up to and including termination” communicates how important protecting private information is to your organization.
Using this approach to an internal privacy policy allows for the policy to remain unaffected as technology, requirements, or the business climate changes. (By the way, the picture was posted by Randi Zuckerberg, Marc’s sister and former marketing director at Facebook.)