
Your Staff (still) needs to be “privacy aware”

When it is all said and done, no matter what policies you put in place, no matter what procedures you define, no matter what documentation has been written to support your privacy program, it is all worthless unless your organization’s staff knows that these items exist. Without the team being “privacy aware,” mistakes will occur. Here are a couple of horror stories:

The case of the shared prescriptions
A nationwide pharmacy chain has a book that you sign when you receive your prescriptions. Upon signing, you indicate if you want to talk to a pharmacist and if you prefer not to have a safety cap on your bottles. The person at the counter takes a pre-printed label from the prescription bag and places it next to where you should sign. The book is kept on the counter near the cash register and publicly displayed.
There are several pre-printed labels on the bag, some with the name of the prescription and the person receiving it, others with just an order number. A new counter person used the labels with names for several pages of prescriptions, allowing everyone to see what medications their neighbors were taking.

Unprotected credit card account numbers
A small business with a telemarketing operation wanted to make it easy for customers to reorder product. For each transaction they wrote the customer’s credit card number on the inside of the customer’s paper file folder. The company kept the file folders in unlocked cabinets in an unsecured area of a warehouse, allowing wide access to customer credit card numbers.

Sharing prospect contact information
A technology service company had a retail operation and business had taken off. To allow business customers who wanted to discuss an on-going relationship to avoid waiting in line at the retail store, the company placed a pad of paper on the counter and asked these customers to provide their name, business name, email address, and telephone number. The pad was on the counter for a few days, but at the end of the week it was missing. It turned out that a competitor had taken the pad and was contacting the customers on the list explaining that the original company was too busy to help them, so he was asked to take their business.

Privacy awareness avoids damage to your organization
You can find regulatory violations, brand damage, and direct lost business in these cases. In each of these situations, either the person executing a process or the person who had created a process was not aware of the privacy issues being created. By stepping up privacy awareness efforts, these situations could all have been avoided.
Please understand that I am not suggesting that everyone needs to be a privacy expert conversant in the nuances of the laws and industry regulations. However, employees need to be sufficiently “privacy aware” of your company’s privacy policy and practices. When new policies or procedures are created, training is usually provided, but is it enough?

Why do you need an awareness program?
Awareness is different than training. While training is a formal process involving attendance at a class, participation in a webinar, or use of computer-based training, awareness is informal. It reinforces the training messages, reminding the team what they need to do.
Training for privacy usually occurs annually. Staff takes the training and goes back to their daily activities. Maybe they take training in other areas during the year, but they are certainly inundated by information and emails. Awareness activities help keep privacy top of mind between annual training sessions, helping to reduce the risk of damage to your organization.
Some simple awareness activities include posters, newsletters, emails, lunch-and-learns, speaking at group meetings, and privacy games in your lobby. Be creative in making your own activity, but make it fun too.