- Type of information (electronic, paper, encrypted?)
- Who the policy applies to (employees, contractors, vendors?)
- Policy statement
- Expected behavior
- Consequences of non-compliance
- Definition of personal information
- Information classification
- Protection standards
- Destruction standards
- Who to call for questions and concerns
- An effective date
A privacy notice typically discusses:
- When you collect personal information
- Why you collect personal information
- What information is collected
- How you protect the information
- When you share the information
- Who to contact
- Where questions should be directed
- How to opt-out / opt-in
- What to do if someone thinks there is a problem
- An effective date
Take, for example, the sharing of personal information with third parties such as a data processor. A privacy notice will typically have clauses that explain what is done with personal information. A good example of this may be found in the Staples Privacy Notice:
- We may provide your Personal Information to third parties to process this information on our behalf. We require that these parties agree to process this information based on our instructions and requirements consistent with this Privacy Statement.
- We may disclose your Personal Information to: (a) satisfy applicable law, regulations, legal process or valid governmental request; (b) enforce applicable Terms of Service, including investigation of potential violations of Terms of Service; (c) detect, prevent or mitigate fraud or security or technical issues; or (d) protect against imminent harm to the rights, property or safety of Staples, its customers or the public as required or permitted by law.
- We may disclose some elements of your Personal Information to third parties to notify you of offers or services that may be of interest to you. We do not share credit card or other financial information for marketing purposes.
- We may disclose Personal Information to third parties in connection with a merger, acquisition or sale (including any transfers made as part of insolvency or bankruptcy proceedings) involving Staples or its affiliated companies or as part of a corporate reorganization, stock or asset sale, or other change in corporate control.
- We may also disclose to third parties aggregated or other information that does not identify you individually, such as how many customers viewed a particular product or Web page, to conduct website analytics or to serve you targeted advertising.
- When it is permissible to share personal information.
- How the data may be transmitted (e.g. encrypted, clear text, secured, etc.).
- How information should be protected when it is shared:
  - In transit to the third party
  - At rest at the third party
- If and when it is permissible to share de-identified information.
- How data may be de-identified.
- When and how consent for sharing must be obtained from data subjects.
- How data should be destroyed or collected from third parties when a relationship is terminated.
Typically, privacy notices are developed based upon privacy policies. This enables an organization to define what is permissible and then tell external stakeholders what is being done.
The privacy office may then update the privacy notice if necessary and/or appropriate. This will inform the external stakeholders what has changed in the organization’s personal information handling processes.
This article is published as part of the IDG Contributor Network.