6. Operations: Policies Flashcards

1
Q

What is a privacy policy?

A

It governs the privacy goals and strategic direction of the organization’s privacy office

2
Q

What does a privacy vision and mission statement accomplish?

A

It serves as the foundation for developing effective privacy policies.

3
Q

What are the key elements of an effective policy?

A
  1. Clear and easy to understand
  2. Accessible to all employees
  3. Comprehensive and concise
  4. Action-oriented
  5. Measurable and testable
4
Q

What are the components of a privacy policy?

A
  1. Purpose
  2. Scope
  3. Applicability
  4. Roles and responsibilities
  5. Compliance
    - General organizational compliance
    - Ability to apply penalties, sanctions, and disciplinary actions
  6. Understanding of the penalties or sanctions for noncompliance
  7. Written and implied rules
5
Q

What is the difference between a privacy notice and privacy policy?

A

A privacy policy is an internal document addressed to employees and data users.

A privacy notice is an external communication to individuals, customers, or data subjects to create transparency on how the organization uses, shares, retains and discloses PI.

6
Q

What is the role of a privacy committee?

A

Making strategic decisions that may affect the vision, change key concepts, or determine when alterations are needed, and acting as an additional resource to the privacy function.

*Organizations with a global footprint often create a governance structure composed of representatives from each business function and every geographic region in which the organization has a presence to ensure that privacy policies, processes and solutions align with local laws.

7
Q

What is the role of a communications plan?

A
  1. Educate about privacy
  2. Provide awareness
  3. Provide updates and guidance
  4. Change or modify employee behaviour
8
Q

What questions should be considered when developing a communications plan?

A
  1. What is the purpose of the communication?
  2. Should there be a recurring time slot assigned on the communications calendar dedicated to specific messaging?
  3. Is the communication necessary?
  4. How will the privacy team work with the communications team?
  5. Who is the audience?
  6. What communications methods can be employed?
  7. Which functional areas most align with the privacy program?
  8. What is the best way to motivate training and awareness?
  9. Has the privacy team conducted a privacy workshop or training for stakeholders to define privacy for the organization, explain the market expectations, answer questions, and reduce confusion?
9
Q

What is the privacy balance most organizations must achieve?

A

Balance between:

  1. Practical protections to comply with laws and regulations
  2. Privacy vision and mission
  3. Need to perform intended business transactions
10
Q

What should employee policies include?

A

Onboarding and exit procedures that ensure full awareness of the organization’s privacy intent while protecting against misappropriation of knowledge and data upon termination of contract of employment.

11
Q

What is an acceptable use policy (AUP)?

A

It stipulates rules and constraints for individuals within and outside the organization who access the organization’s mobile devices, computers, network, and internet connection.

12
Q

In an AUP, through the notice of monitoring, what does the user agree to?

A

The AUP terms that include a privacy notice that details monitoring and logging.

13
Q

What business function plays a key role in developing an AUP?

A

The security function.

14
Q

How often should AUPs be reviewed?

A

Annually.

*They should be modified and updated as privacy standards and regulations change, to keep pace with IT, social media and other challenges.

15
Q

What do information security policies focus on?

A

Protecting the organization from internal and external threats through use of IT methods and practices:

  1. Protect against unauthorized access to data and information systems
  2. Provide information to stakeholders efficiently, while maintaining CIA
  3. Promote compliance with laws, regulations, standards, and other organizational policies
  4. Promote data quality and security locally
16
Q

What is the focus of information security policies?

A
  1. Administrative responsibilities - user management, password changes, user provisioning, system changes
  2. Antivirus and malware policies - mandatory applications, configurations, and update schedules
  3. Email policies - email security, use of email systems
  4. Firewall rules and use - confidential settings, administrative controls, internet connections
  5. Internet policies - proper and restricted use
  6. Intrusion detection - configurations and reporting
  7. Loading of software - authorized and unauthorized
  8. Monitoring and logging of all technology use
  9. Wiping of audit logs
  10. Risk assessments
  11. User and password policies
  12. Use of security tools
  13. Wireless management
17
Q

What are the appropriate privacy standards for vendors?

A

As the IT boundaries of the organization disappear in the use of external storage and the processing found in the cloud, there must be a strategy and vision for how the organization will remain in control of the data privacy as well as how the data will remain secure and protected.

18
Q

What should an organization do when engaging with vendors?

A
  1. Identify vendors and their legal obligations
  2. Evaluate risk, policies, and server locations
  3. Develop a thorough contract
  4. Monitor vendors’ practices and performance
  5. Use a vendor policy
19
Q

What concepts should be considered for vendor contracts?

A
  1. Standard contract language
  2. Data backup and disaster recovery plans
  3. Generation of reports and metrics
  4. List of authorized users with privileged access
  5. List of organization authorized users of the data or those who can make changes
  6. Requirement to inform the organization when any privacy/security policies change
  7. Right to audit
  8. Unauthorized changes to the data to include migration/deletion upon termination
  9. Vendor liability
  10. Vendor security incident response procedures
  11. Vendor risk management
20
Q

What is employee data?

A

Any data the employee has created in the process of performing normal business efforts for the organization, including emails, phone calls, voicemail, internet browsing, and use of systems.

21
Q

What are HR privacy concerns that should be addressed through policy?

A
  1. Employee communications - browser histories, contact lists, phone recordings, and geolocations
  2. Employee hiring and review - performance evaluations, background checks, and handling of resumes
  3. Employee financial information - bank account information, benefits and salary
  4. Employee data collection exceptions and emergency situations
22
Q

What defines HR policies?

A
  1. Internal need
  2. Industry
  3. Standards
  4. Regulations that impact the organization
23
Q

What dictates the HR policies and protections needed?

A

Types of data collected, use, and storage.

24
Q

What actions should be taken to develop a data retention policy?

A
  1. Determine what data is being retained and how and where it is stored
  2. Applicable legal retention requirements
  3. Consideration of scenarios that would require data retention
  4. Estimate business impacts of retaining versus destroying data
  5. Consideration of both privacy and IT needs