While you may not think about it often, data privacy in the workplace can play a bigger role in your day to day life than you realize. Think about all of the junk mail that you receive or the telemarketing calls that make their way to your phone. All of those advertisers got your contact information from somewhere.
Data privacy in the workplace is mainly about getting a say in who or what gets to view your personal information which can include your telephone number, email address, or other personal tidbits. This privacy should extend to who sees the information, who sells the information, and what they can do with it.
As a company, making sure that your customer’s data remains private is not just an ethical issue, in many cases, it can be a legal one as well. Ensuring that customer data is secure protects the customers, the employees, and the company.
What Exactly is Personal Data
So what types of data should be protected?
Personal data is any information that pertains to a living person. This data can be used to identify a person, such as a name, phone number, address, bank details, or even medical history.
What Exactly is Sensitive Data
Another form of data that must be protected is what is known as ‘sensitive data’. This is information that relates specifically to a person, such as his or her race or ethnic origin. Other types of Sensitive Data includes sexual orientation, religious beliefs, political opinions, biometric data, and union memberships.
Protecting Data of Employees
Employers collect plenty of information regarding their employees, and this data must be protected with as much vigor as the data provided by customers. The employees of the company have a right to know whether or not the bargain is being held fairly.
The company must be completely transparent, and employees must be able to see exactly how their data is being stored and used. Companies should be able to answer a few simple questions about the data that is being stored.
- Where is the information being stored?
- Why is it being stored?
- How was it initially obtained?
- Why was it initially obtained?
- How long will it remain in the storage facility?
- How secure is the data? Is it encrypted?
- How accessible is the data?
- Is the data sold or shared with 3rd parties?
- As a company, you should only be collecting data that is necessary to obtain. Just like your customers, your employees should trust that the personal information they have shared is protected and that it won’t be shared or sold to other entities.
Being Responsible with Data
In this day and age, people worry about keeping their personal information safe and out of the hands of individuals who would exploit it. Data privacy and security is taken very seriously by your customers, and it should be taken very seriously by your company as well. In order to ensure that data is kept safe, it is necessary to instill a sense of importance and responsibility in your employees.
Each person within the company has a responsibility to keep customer data secure. Most of the data privacy incidents that occur are caused by employees making simple, careless mistakes. In order to avoid these types of mistakes, it is important to create a few principles within the company to build a culture that protects customer data.
Employees should never collect data that isn’t needed, and any data that is collected should only ever be used for the stated purpose. This is the purpose that the customer consented to when they released their personal data to the company. Any data that is collected should be protected at all costs, and when the personal data is no longer needed, it should be destroyed.
Consent must be given by the client or customer before any personal data can be disclosed to a 3rd party. For example:
Joan works as a scheduling assistant for a glaucoma specialist at a busy ophthalmology practice, and one day an out of state doctor calls requesting the files for a patient named Mr. Robinson. The doctor says that Mr. Robinson was on vacation and injured his eye, and he is now being treated for the injury in the doctor’s office. Legally, Joan cannot give the doctor any information about Mr. Robinson. She would need a written consent form signed by the patient to release the requested information to the other doctor.
Since Joan is well-versed in data privacy rules and ethics, she does not disclose any of Mr. Robinson’s private information until the out of state doctor faxes over the necessary signed consent form.
Security, Access, and Accountability
Whenever data is collected, your customers should be reasonably certain that it is being kept secure. That means private data will be encrypted, and all the company computers and devices will be password protected, among other security measures.
Another important aspect that should be controlled within the company is the ability to access data. The customers that provide their private information do so with the understanding that the information is being used for a specific purpose. Employees should always respect that policy, and customer data should never be accessed for any other purpose.
Continuing with the example above:
A few weeks after the contact with the out of state doctor, Joan remembers that Mr. Robinson had an eye injury while on vacation, and she wonders what happened to his eye. Joan decides to pull up his patient chart in the system to check through the doctor’s notes to see if she can figure out what type of injury Mr. Robinson had. Joan doesn’t have a reason for checking up on the patient, she is just curious about what may have happened.
This is a breach of Mr. Robinson’s privacy because Joan is not using his personal information for a necessary purpose. She is simply “browsing” through his file in order to satisfy her own curiosity.
Should Mr. Robinson find out about Joan accessing his patient file without authorization, he could hold the practice responsible for the breach of his privacy. As a patient, Mr. Robinson is allowed to request information on how is data is being accessed, and if it was found out that Joan was logged into his patient chart without reason, she should face disciplinary action.
Creating a Culture of Data Privacy in the Workplace
It is unlikely that you would ever knowingly expose your own personal data. No one would post a picture of their bank account number on social media or leave their social security card lying on a table in a public place. You already understand the potential consequences of allowing your personal data to be seen and shared in that manner.
The culture of your company should be the same. Employees should consider allowing a breach of the customer’s private data as serious a consequence as allowing a breach of their own personal data. Company culture should insist upon only appropriate sharing of data, that all data be stored securely, and that data that is no longer needed is disposed of in a proper manner.
Your customers should always trust your company’s data privacy policies, and those policies are only as good as the employees that are following them. There are so many ways that employees can cause a data breach such as leaving a computer unlocked in a public space or sending confidential emails to the wrong recipient.
Help build an integrity-based training program that stresses the importance of data privacy. Make the practice of keeping customer information safe and secure by making it a part of your company’s culture.
Let Interactive Services whelp create an effective training program to instill the importance of data security in your employees. Click here to learn more about our innovative training programs.