Clear Desk Policy
One of the most beneficial policies a privacy officer can implement is a Clear Desk Policy. In addition to saving your organization money, a clear desk policy will help your organization’s compliance with basic privacy and security principles.
What is a Clear Desk Policy?
A clear desk policy directs all your organization’s employees to clear their desks at the end of each work day. This includes not only documents and notes, but also post-its, business cards, and removable media (CDs, floppy disks, memory sticks).
Following a clear desk policy will help your organization reduce the risk of information theft, fraud, or a security breach caused by sensitive information being left unattended and visible in plain view.
A clear desk policy and a clear screen policy work hand-in-hand to safeguard your organization’s information.
The Benefits of a Clear Desk Policy
The clear desk policy should be adopted because of the numerous benefits it can provide your organization.
Saves Time and Money
According to an IDC report, a typical employee in your organization spends 2.5 hours a day searching for information. Assuming the knowledge workers in your organization earn $80,000 a year, a 1000-person organization loses approximately $2.5 million a year from the inability to locate and retrieve information.
In addition, a clear desk policy will encourage employees to use digital versions of documents, significantly reducing your organization’s costs of paper, ink, toner, and printer maintenance.
Who knows who will visit your office, or when? A clean and tidy workspace makes your organization look efficient and presentable to anyone who decides to visit, including the auditors!
A clear desk policy is not only ISO 27001/17799 compliant, it also complies with basic privacy principles. Canada’s federal privacy legislation, PIPEDA, requires that Canadian organizations safeguard personal information. The UK’s Data Protection Act requires organizations in the UK to ensure that personal information is kept secure.
Discourages Prying Eyes
Employees usually leave sensitive information on their desks. Post-it notes are usually the worst culprits, containing names, phone numbers, and even user names and passwords visible in plain view. These habits encourage dishonest employees, cleaning crews, and maintenance staff to view information they should not have access to.
A place for everything and everything in its place. When your employees are organized they can spend more time concentrating on work rather than stressing out because they can’t find a report due in the next 10 minutes.
Implementing a Clear Desk Policy
You are convinced that your organization needs a clear desk policy. Good. Your next step is implementation.
Put it in Writing
A clear desk policy should be in writing and communicated to all employees, especially during introductory and refresher training. Consequences for failure to comply should be serious yet practical, especially if your organization works with a lot of sensitive information. Have all employees sign the document for approval.
You can get a head start using free clear desk policy templates.
Add a Reminder to Email Signatures
You have probably seen it below many email signatures: “Please consider the environment before printing this email.” If your organization uses standardized email signatures, consider having this reminder added to the bottom.
You can’t implement a clear desk policy if you have nowhere for employees to put their documents. Consider purchasing small, lockable storage boxes for employees that fit under their desks.
Encourage Electronic Documents
Have employees work with electronic documents whenever possible. Without the need to print and work with physical papers, your employees will always have a clear desk whenever they log out of their computers.
Get Rid of Documents Securely
Your employees should never throw any work-related documents into the waste basket. Once garbage leaves your company’s doors, it becomes public property. Nothing can ruin your organization quicker than careless employees throwing sensitive information into a waste basket. Your organization does not want to be on the front page of the newspaper for exposing sensitive information.
Use a secure shredding service to ensure all documents are disposed of securely.
Perform Routine Backups
If you discourage employees from using physical documents, make sure your organization has a dependable backup routine in place. Employees need to know that their documents will be safe in the event of a power loss or hard-drive crash.
Enforcing a Clear Desk Policy
Implementing a clear desk policy and having a nonchalant attitude towards enforcement will render your policy useless.
Have your privacy officer conduct random weekly checks, possibly at the end of a work day. All papers, notes, post-its, or any other documents containing sensitive information should be shredded immediately. Removable media, such as CDs, floppy disks, or memory sticks, should be confiscated.
Upper Management Support
A clear desk policy needs to be taken seriously, especially at all levels of management. If your employees see that upper management does not have to abide by the policy, they will soon lose faith.
The fact that upper management usually handles more sensitive documents should reinforce the need for a clear desk policy for all employees regardless of their status within the organization.