One of the easiest and most inexpensive ways to create a clear screen policy is to use a template or learn and adapt from other policies online.

Below you will find a list of clear screen templates and policies created by other organizations. Feel free to browse them, learn from them, and adapt them to your own organization:

Clear Screen Policy Templates

• Clean Desk and Clear Screen Template (Desktopauditing.com)
• Clear Desk Clear Screen Procedure (Somerset Gov’t UK)
• Clear Desk and Clear Screen Policy (Emporia University)
• Clear Desk and Clear Screen Policy (Hampshire Fire and Rescue Services)
• Clear Desk and Clear Screen Policy (University of Mannheim)
• Clear Desk and Clear Screen Guidelines (Georgia Department of Human Resources)
• Clear Desk and Clear Screen Policy and Procedure (Concordia College)

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: clear screen policy, clear screen policy templates

One of the easiest and most inexpensive ways to create a clear desk policy is to use a template or learn and adapt from other policies online.

Below you will find a list of clear desk templates and policies created by other organizations. Feel free to browse them, learn from them, and adapt them to your own organization:

Clear Desk Policy Templates

• Clean Desk and Clear Screen Template (Desktopauditing.com)
• Clear Desk Clear Screen Procedure (Somerset Gov’t UK)
• Clean Desk Policy (sans.edu)
• Clear Desk and Clear Screen Policy (Hampshire Fire and Rescue Services)
• Clear Desk and Clear Screen Policy (Emporia University)
• Clean Desk Policy (University of Cincinatti)
• Clean Desk Policy and Guidelines (City of Toronto)
• Clean Desk Policy (BankersOnline.com)
• Clear Desk and Clear Screen Policy (University of Mannheim)
• Clear Desk and Clear Screen Guidelines (Georgia Department of Human Resources)
• Clear Desk and Clear Screen Policy and Procedure (Concordia College)

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: clear desk policy, clear desk policy templates

According to the study which surveyed more than 600 IT security professionals across the country:

IT security breaches cost the average Canadian organization an estimated $834,000 in 2009 – a 97 per cent increase from the $423,000 reported by the study last year (source).

IT security breaches happen when systems get compromised or sensitive information voluntary or involuntarily leaks from the system, often due to carelessness or dishonest employees. When a security breach involves the loss of people’s personal information it is commonly referred to as a privacy breach.

Many organizations are bound by privacy legislation to properly secure their systems with respect to the sensitivity of personal information collected but many still fail to do so.

Can we attribute these numbers to the state of the economy?

Not necessarily:

“Canadian organizations are finding it difficult to improve their security posture within the current economic climate.

However, we found several organizations that performed well despite the adversity. Those organizations tended to review whether or not they were focusing on the right threats and conducted regular assessments of their capabilities to prevent, detect and respond to security concerns,” said Alan Lefort, managing director, TELUS Security Labs.

While some organizations will not place a priority on keeping your personal information safe in a weak economy, many still do, so it is not an excuse.

Businesses must remember that personal information is a liability and it must take appropriate measures to secure it and properly train staff to handle it.

Advice for Organizations

Here’s some advice for organizations wanting to minimize the possibilities of a privacy breach:

• Hire a Privacy Officer. This will ensure that you have someone responsible for privacy compliance in the office. The privacy officer will need to work closely with security personnel from IT to secure systems containing personal information.
• Conduct Privacy Training Regularly. Employees need to be constantly reminded about the proper way to handle sensitive information (e.g. A document destruction and data destruction policy) so that it does not carelessly slip into the wrong hands.
• Hire Professional Help. If your organization realizes it has suffered a privacy breach, finding and hiring a privacy lawyer can be one of the smartest moves to make.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: Privacy Breach

If you’re unfamiliar with the services of a privacy lawyer and the benefit they can bring to your organization, read the article on hiring a privacy lawyer.

In addition to hiring a privacy lawyer, you may also want to read the article on hiring a privacy officer — especially if your organization has not made an effort to become privacy compliant yet.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Becoming privacy compliant is not an option for most organizations — it’s the law.

Not being prepared with the appropriate policies and procedures to handle your customers’ and clients’ personal information can cost your organization dearly later on in the form of legal services, deteriorating company image, and loss of business revenue.

One of the quickest and most surest ways of becoming privacy complaint is by hiring a privacy lawyer.

The Benefits of Hiring a Privacy Lawyer

Your organization has other options for ensuring privacy compliance. For example, you can hire a privacy officer. However, there are numerous immediate benefits by hiring the services of an experienced legal professional.

Get it Done Right — Right Away

Hiring a privacy lawyer means expertise immediately within your reach. Sure, they may cost more initially, but your organization will benefit by having results that you can count on now.

Developing Policies and Procedures

A privacy lawyer is able to create policies and procedures for the collection, usage, disclosure, and management of personal information that is consistent with your organization’s business processes.

You can rest assured that your organization’s policies and procedures are developed using best practices and backed by a professional.

Understanding Tricky, Cross-Border Issues

Many organizations are large, diverse, and have offices scattered throughout the globe.

For example, your organization may collect personal information from people in Canada, process that information in India where labour is cheap, and finally store the information in a data warehouse in the US.

When personal information crosses borders and is subject to difference privacy legislation, it is vital to have a privacy lawyer review your situation to ensure you are aware of your risks and responsibilities and are compliant in each area.

Responding to Access Requests and Complaints

What happens when you receive a nightmare access request?

A customer who seemingly knows privacy legislation better than the back of his hand is demanding volumes of records containing personal information and is demanding information about how his data is collected, used, stored, and deleted.

On top of that, he’s also threatening to make a complaint with the privacy commissioner if you do not provide a satisfactory response within thirty days.

Are you prepared to handle difficult privacy access requests and complaints?

Mitigating a Privacy Breach

Everyone knows about the financial damage that TJX corporation suffered when it failed to provide adequate security measures to protect the personal information it had collected.

A privacy lawyer can mitigate the chances of a privacy breach which has the power to cripple your organization. If your organization has already suffered a privacy breach, a privacy lawyer can help minimize its impact.

Privacy Training

For larger and more specialized organizations, training privacy officers, employees, and creating educational materials needs to be done properly. Some organizations can simply not afford to make mistakes.

Privacy training done properly will create knowledgeable, trained employees and reduce the risks of an employee making a careless mistake with your organization’s sensitive information.

Contracts

Perhaps the most important, a privacy lawyer can assess, create, or modify your legal contracts to ensure that your organization is legally covered in its business activities when collecting, using, and disclosing personal information.

Finding a Privacy Lawyer

PrivacySense offers a free Privacy Lawyer Directory where you can search for law firms practicing privacy law in Canada. Take a look at the law firms in your area and see what services they have to offer.

Conclusion

Privacy law is relatively young and not fully understood by a majority of businesses. Although hiring a privacy lawyer can seem expensive on the onset, your organization will save valuable time and costs in the long-run and will get started on the right foot by having dependable professional resources from an experienced law firm.

Once your organization has employed the use of a privacy lawyer, continuing to use one can be an ongoing, costly expense. Consider using the resources of a privacy lawyer to properly train a privacy officer you hire to handle the management of personal information in your organization.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

Your organization can spend thousands of dollars on high-tech solutions to protect personal information but all it takes is a careless slip by an employee to cause a massive privacy breach.

This is why employees need constant reminders about the importance of handling personal information properly and why privacy officers need solid ideas to foster privacy awareness in their organization.

Here are some creative ideas for privacy officers:

Write for the Company Newsletter

Most medium-to-large sized organizations have a company newsletter that gets circulated through the office. This is a great opportunity for privacy officers to have a presence and deliver privacy-related information to employees at regular intervals.

Provide Practical Tips

Chances are, many of the employees in your organization manage online profiles such as Facebook. Use this opportunity to show employees how to keep their profiles private and show them what type of personal information they should not share with the entire world.

Show Consequences for Failing to Comply with Policies and Procedures

Policies and procedures are easier to comply with if employees know why they should be following them.

For example, if your organization uses a document destruction policy to instruct employees to shred all paperwork containing sensitive information, you can refer to news stories where employees have contributed to a privacy breach by throwing personal information into a dumpster rather than using the shredder.

Report on Privacy News

Privacy news, especially if it is relevant to your industry, may interest many of your employees. You may choose to provide snippets from articles or rewrite and summarize news stories for your audience.

Mention Changes in Policies and Procedures

A “what’s new” section may be an effective place to remind employees about changes to policies and procedures.

Make Privacy Officers Open and Accessible

Consider publishing the names and contact information of all privacy officers in the organization.

Depending on the size of your organization, you may also consider posting a picture and location of the privacy officers in the office. Employees will feel more comfortable approaching privacy officers if they know who they are, where they are located, and if they are open to questions, comments, and suggestions.

Another thing to consider is having your organization create an email specifically designated for privacy related inquiries (e.g. privacy@yourbusiness.com). This will ensure that employees always remember where to send inquiries via email.

Deliver Introductory and Refresher Privacy Training

Whenever possible, deliver introductory and refresher privacy training in person. This will allow you to meet employees and promote privacy awareness on a personal level.

Write an F.A.Q. Document

After a few years there will be numerous questions that will be frequently asked by employees. Consider creating a Frequently Asked Questions document and putting it online or making it available in hard-copy.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: privacy awareness

An individual should expect that the information your organization has collected is complete, factual, and current. If an individual requests records of his/her personal information and believes that it is not, a request can be made to have your organization correct it.

If your organization corrects any errors or omissions it should, whenever appropriate, notify all other organizations to which the individual’s personal information was originally disclosed.

If there are no errors or omissions the organization should annotate the individual’s file with the unsuccessful request.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

A personal information access request allows an individual the right to view or obtain a copy of some types of personal information that your organization has collected. Before releasing personal information, it is important to verify the identity of the individual and only charge nominal fees whenever acceptable.

Policies and Procedures

Your organization may already have policies and procedures in place to ensure that personal information access requests are dealt with appropriately. If not, it will be your privacy officer’s responsibility to create and follow them in accordance with privacy legislation.

Verifying an Individual’s Identity

It is important to have strong identity verification procedures before releasing personal information. Releasing personal information to the wrong individual is a privacy breach and can cause dire consequences for your organization.

It is important to follow industry best practices at a bare minimum when releasing personal information, especially if it sensitive.

Personal information usually used for verification purposes (e.g. name, date of birth, address, maiden name, SIN/SSN number) can usually be obtained easily. Your organization should show due diligence verifying an individual’s identity in relation to the sensitivity of personal information being released.

Fees

Depending on the scope and time required to produce personal information, your organization may choose to charge individuals for an access request.

Some legislation — such as Canada’s PIPEDA — suggests that fees must be minimal or at no cost to the individual making the request. An organization cannot use fees as a way to make profit.

It is important to consult privacy legislation or any available regulations when deciding to charge fees for access requests.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: Personal Information

During introductory privacy training a privacy officer will usually explain:

• Who the privacy officers in the organization are
• How and when to contact a privacy officer
• How to protect personal information and reduce the risk of a privacy breach
• The organization’s privacy policy and where to find it
• The organization’s policies and procedures with respect to the collection, usage, and disclosure of personal information (e.g. What personal information does the organization collect? Why? By what methods?)
• How to answer general inquiries about the collection, usage, and disclosure of personal information and when to recognize and direct inquiries to a privacy officer

In addition, a privacy officer will usually be responsible for providing ongoing privacy training to all staff members. This can be done in the form of meetings, presentations, or training documents.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags:

This means that you should have a thorough understanding of which privacy legislation applies to your organization and how it applies. Not only that, but you should also understand what privacy legislation applies to your key stakeholders, including your suppliers, service providers and clients.

This can seem like a daunting task for new privacy officers, especially if the role of the privacy officer is new in your organization and there is no training material to help you get started.

Depending on the privacy legislation that applies to your organization, there may already be free privacy resources online that can help your organization with compliance. For example, The Office of the Privacy Commissioner of Canada, UK’s Information Commissioner’s Office, and PrivacySense all offer free privacy resources.

But while these resources are helpful for summarizing key points of privacy legislation, it does not mean you can avoid reading privacy legislation in full. On the contrary, because you are responsible and accountable for privacy compliance within your organization, it is to your benefit to read and understand privacy legislation line-by-line. After all — it’s your job!

Know What Privacy Legislation Applies to Your Organization

Depending on your organization’s line of business, where it is located, whether it operates in the private or public sector and its flow of personal information, different privacy legislation may apply. With some basic online research you should be able to quickly find out what privacy legislation applies to your organization.

If your organization has a wide geographic presence, multiple offices around the world, or collects, uses, or discloses personal information across borders, it may be subject to different pieces of privacy legislation. In these more difficult scenarios, it may be wise to consult with a privacy lawyer.

Know What Privacy Legislation Applies to Your Key Stakeholders

In addition to understanding what privacy legislation applies to your organization, it is also equally important to understand what privacy legislation applies to your key stakeholders, including your suppliers, service providers and clients.

Your Suppliers

If your suppliers transfer personal information to your organization, you may be required to sign a contract agreeing to provide a comparable level of privacy protection or dispose of the personal information after a certain time period. You should not be caught off guard.

Your Service Providers

If you transfer personal information to a third party service provider, most privacy legislation will require that your provider have a comparable level of privacy protection.

Your organization can be fully compliant and have a top-notch privacy policy but transferring personal information to a service provider without adequate privacy protection undoes all your efforts and can also make your organization liable for personal information in the event of a privacy breach.

Your Clients

If your clients entrust you with personal information, many will require proof that your organization is compliant with privacy legislation. A privacy policy or evidence of other policies and procedures may be required.

Furthermore, some of your clients may be governed by different privacy legislation that can impose certain obligations on your organization.

As a privacy officer, it is your responsibility to be knowledgeable and answer any client inquiries that may come your way. Understanding your clients’ privacy legislation, at least on a basic level, will let your clients know that your organization is serious about privacy.

How to Understand Privacy Legislation

Now that you understand the importance of knowing what privacy legislation applies to your organization and its key stakeholders, it’s time to finally read it.

Privacy legislation can be found online by doing a simple Google search or by visiting the website of the privacy authority if one exists in your geographic area. For example, you can Google for Canada’s PIPEDA or UK’s Data Protection Act.

Start by printing out the privacy legislation — you will want a hard-copy to store later for easy access. Grab a highlighter, a pen, and start going through legislation slowly, highlighting relevant sections, making notes, and ensuring you understand everything.

After going through the legislation you may realize that your organization is not compliant in certain areas. As a privacy officer, it is your responsibility to look into any areas of non-compliance, document them, and work towards total organizational compliance.

Whenever possible, supplement your reading with online privacy resources such as those available at PrivacySense and other websites specific to your industry. This will help reinforce both your learning and memory retention.

As months pass, you may find that details from your memory slip. Review legislation, your notes, and online privacy resources whenever possible to ensure that your knowledge and proficiency does not fade away with time.

Copyright © 2009 PrivacySense.net. | Permalink | No comment | Add to del.icio.us
Tags: