Troubling Clauses
Most of the policy contents are routine and expected. For instance, companies can release private information when required by law. However, we identified several clauses that deserve mention here because they could be very relevant for customers and IT alike. For example, a very large and well-known bank's privacy policy includes the following text:
If you request that we not share information with third parties, we may still share information with other financial firms with whom we have joint marketing agreements.
And a large telecommunications company bypasses the whole privacy policy by stating that it may not apply in some (undisclosed) situations with this clause:
Depending upon the service to which you subscribe, parts of this Policy may not apply to you
If one's goal is to know and understand how these companies are handling private information, these clauses seem to undo any certainty contained in the rest of the policy. Such clauses are either good or bad, depending on whether you are on the side of a company trying to limit its exposure or a customer wanting clarity. Furthermore, 27% of the analyzed policies say that the company may sell or release your information to other companies at will. But these are the exception; most of the policies convey a sincere attempt to contain and control customer information.
How to Control Customer Private Information
Here are some specific techniques and tips that IT might consider to control the dissemination of customer information. These are known as output controls: internal controls that can be used to prevent, or otherwise validate the legitimacy of, distributing information from an organization's information systems. This is difficult to do! A prime mission of IT is to make information easily available to staff, and yet we must somehow tightly restrict this same information when it is intended for certain uses.
It is important for companies to stay aware of new systems and technologies that can help execute their governance programs. Unfortunately, at this time there are no systems I am aware of that automatically apply output controls thorough enough for us to recommend them to our clients. As a result, we suggest implementing several separate controls, including manual ones, that will increase the likelihood that disclosure of customer information complies with privacy policies. Some of these suggestions are specific and technical in nature; you might consider the following controls and techniques.
Transaction Logging
You must implement transaction logging to capture changes to the opt-in / opt-out flags. The biggest reason is that you need to show when the change was made, how it was made and who authorized it. Did the customer make the change from your web site? Did IT set the flag when they initially set up the opt-out system? Did the Customer Service department change the flag based on a support phone call? Any of these reasons is legitimate, but you need to know who authorized the setting change and when it occurred. In case of dispute, a log of changes to the opt-in / opt-out flags will be invaluable.
Default Settings
We recommend using a special code to indicate the initial setting for opt-in / opt-out flags. Typically, when first implementing this, the Marketing department will insist that all customers are opted in so that all are included in marketing campaigns. When a customer calls your service center and complains, you need to know whether they themselves previously chose to participate in the marketing or whether the setting was based on Marketing management's initial decision. It is offensive to tell a customer that they chose to receive marketing materials when that decision was actually made by internal managers.
Security Levels
Using database column security levels, set private information (which should be clearly identified on your company data models) to higher security values. Then the average user in Marketing or other departments can use most customer data for analysis, but those few private columns/fields are restricted to a manager or query specialist who is well trained in the legal implications of inappropriately releasing this more sensitive information.
Templates
To increase the likelihood that people will consider the customer's preferences, provide query templates that include a check of the customer's opt-in / opt-out preferences. While this is no guarantee, it will increase the probability that staff are complying with your privacy policy. Perhaps Internal Audit can periodically check recently created query scripts and verify that they considered the customer's selections.
Approvals
Implement a procedure in the Marketing department, if possible, whereby the VP of Marketing must approve dissemination of all customer information. Then, in conjunction with this, make the VP of Marketing's compensation and bonuses contingent upon compliance with the customers' privacy choices. Any violation will be noted and should be documented on the executive's performance appraisals. This may be tough to do, but if they resist it, that alone conveys an intention to bypass the policy and should immediately be addressed by executive management. Why would any CEO allow a VP of Marketing to ignore clearly stated customer wishes?
Normalize
While this is the most technical of all these suggestions, normalize the opt-in / opt-out flags instead of trying to add them to the customer master table. It is increasingly common to have the customer make multiple in/out selections. If you build them into the customer master table, you will need to make major database structure changes to add each new criterion. But if you normalize them, a new criterion is simply a new row in the opt-master table and the customer-opt selection table. Yes, this will slow queries, but it should be considered.
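As an added worked example (not from the newsletter article), the following PostgreSQL schema puts the Transaction Logging, Default Settings, Security Levels, Templates and Normalize suggestions above into one design. The "column security levels" of the Security Levels section are implemented here with PostgreSQL's column-level GRANT, which is one way to do it, not the only one. Table, column, role and origin-code names are illustrative assumptions, the sample rows are constructed, and the trigger syntax assumes PostgreSQL 11 or later.

```sql
-- Added example, not from the original article. PostgreSQL 11+ assumed;
-- all table, column, role and code names below are illustrative.

-- Normalize: one row per consent category and one row per customer decision,
-- instead of a flag column on the customer master. A new category is an
-- INSERT into opt_master, not an ALTER TABLE on the customer master.
CREATE TABLE customer (
    customer_id   bigint PRIMARY KEY,
    display_name  text NOT NULL,
    email         text NOT NULL,   -- private column, restricted below
    date_of_birth date             -- private column, restricted below
);

CREATE TABLE opt_master (
    opt_code    text PRIMARY KEY,  -- e.g. 'EMAIL_PROMO', 'SHARE_AFFILIATE'
    description text NOT NULL,
    default_in  boolean NOT NULL   -- Marketing's initial decision for the category
);

-- Default Settings: every row records who made the decision. 'SYSTEM_DEFAULT'
-- marks Marketing's initial setting, so it is never mistaken for a customer choice.
CREATE TABLE customer_opt (
    customer_id bigint  NOT NULL REFERENCES customer,
    opt_code    text    NOT NULL REFERENCES opt_master,
    opted_in    boolean NOT NULL,
    origin      text    NOT NULL CHECK (origin IN
                  ('SYSTEM_DEFAULT', 'CUSTOMER_WEB', 'CUSTOMER_SERVICE', 'IT_MIGRATION')),
    changed_by  text    NOT NULL,  -- staff login, batch job name, or 'customer'
    changed_at  timestamptz NOT NULL DEFAULT now(),
    PRIMARY KEY (customer_id, opt_code)
);

-- Transaction Logging: append-only history of every flag change, written by a
-- trigger so that no application path can update a flag without leaving a record.
CREATE TABLE customer_opt_audit (
    audit_id     bigserial PRIMARY KEY,
    customer_id  bigint  NOT NULL,
    opt_code     text    NOT NULL,
    old_opted_in boolean,          -- NULL when the row is first created
    new_opted_in boolean NOT NULL,
    origin       text    NOT NULL,
    changed_by   text    NOT NULL,
    db_user      text    NOT NULL DEFAULT current_user,  -- database login that ran the change
    changed_at   timestamptz NOT NULL DEFAULT now()
);

CREATE FUNCTION log_customer_opt() RETURNS trigger LANGUAGE plpgsql AS $$
DECLARE
    prev boolean;                  -- stays NULL for an INSERT
BEGIN
    IF TG_OP = 'UPDATE' THEN
        prev := OLD.opted_in;
    END IF;
    INSERT INTO customer_opt_audit
        (customer_id, opt_code, old_opted_in, new_opted_in, origin, changed_by)
    VALUES (NEW.customer_id, NEW.opt_code, prev, NEW.opted_in, NEW.origin, NEW.changed_by);
    RETURN NEW;
END $$;

CREATE TRIGGER customer_opt_audit_trg
    AFTER INSERT OR UPDATE ON customer_opt
    FOR EACH ROW EXECUTE FUNCTION log_customer_opt();

-- Security Levels: analysts may read the customer master, but only its
-- non-private columns. SELECT * FROM customer fails for this role, so queries
-- must name their columns. The audit table is deliberately not granted.
CREATE ROLE marketing_analyst;
GRANT SELECT (customer_id, display_name) ON customer TO marketing_analyst;
GRANT SELECT ON opt_master, customer_opt TO marketing_analyst;

-- Constructed sample: Marketing's default is applied, then the customer opts
-- out on the web site. customer_opt_audit then holds two rows, one with
-- origin SYSTEM_DEFAULT (old NULL, new true) and one with origin CUSTOMER_WEB
-- (old true, new false), which answers "who set this flag and when".
INSERT INTO opt_master VALUES ('EMAIL_PROMO', 'Promotional e-mail', true);
INSERT INTO customer VALUES (1001, 'A. Customer', 'a.customer@example.com', DATE '1980-01-01');
INSERT INTO customer_opt (customer_id, opt_code, opted_in, origin, changed_by)
VALUES (1001, 'EMAIL_PROMO', true, 'SYSTEM_DEFAULT', 'marketing_initial_load');
UPDATE customer_opt
SET    opted_in = false, origin = 'CUSTOMER_WEB', changed_by = 'customer', changed_at = now()
WHERE  customer_id = 1001 AND opt_code = 'EMAIL_PROMO';

-- Templates: the starting point for a campaign query. It returns only customers
-- whose recorded decision for the named category is opt-in, and shows where that
-- decision came from. Replace 'EMAIL_PROMO' with the campaign's opt_code.
-- For the sample data above it returns no rows, because customer 1001 opted out.
SELECT c.customer_id, c.display_name, o.origin, o.changed_at
FROM   customer c
JOIN   customer_opt o ON o.customer_id = c.customer_id
WHERE  o.opt_code = 'EMAIL_PROMO'
  AND  o.opted_in;
```

Two points to watch when adapting this. First, the history only stays complete if preference rows are never deleted; record a withdrawal as an UPDATE to opted_in = false rather than a DELETE, and do not grant DELETE on customer_opt to application roles. Second, the origin column is only as honest as the code that writes it, so the web front end, the customer-service application and any migration job should each be given a distinct database login, which the db_user column captures independently of what the application claims.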
Conclusion
There is no known magic way to assure that customer information is only being distributed in accordance with your organization's privacy policy and customer selections. But we strongly suggest implementing several related controls and documenting them in your risk assessment. Test these controls as you would any other to gain confidence that they are operating effectively. Anything less might be considered less than a good-faith effort.
Jerry Norton, a partner in Candela Solutions, LLC, is a project management professional who is certified in information systems auditing. Norton, who leads Candela's IT practice, can be reached at jnorton@candelasolutions.com.
This article is reprinted with permission from the Governance Issues Newsletter, Volume 2010, Number 1, published on February 4, 2010.
The opinions expressed herein or statements made in the above column are solely those of the author, and do not necessarily reflect the views of WTN Media, LLC. WTN Media, LLC accepts no legal liability or responsibility for any claims made or opinions expressed herein.