Connecting privacy notices to internal company procedures
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
June 6, 2022
There is a general sense of what data protection means and why privacy notices matter. In this week’s article, I start with a live scenario involving a Nigerian human resource company that collects large numbers of CVs, allows clients to access these CVs under a contractual obligation and, most importantly, claims that it helps candidates apply for jobs.
What I am trying to address here is the lack of connection between companies’ privacy notices and their processes. What has led to this development is the availability of templated policies, which often leads companies to believe that once they have a privacy policy they must be doing something right. They fail to ask whether what is on their website is practical. A cursory read of many companies’ privacy notices reveals a telling reality: these words serve basically as paper tigers.
Let’s go back to the HR company. In its privacy notice it makes the following claims:
1. Information collected will be kept for a period that depends on the type of information that has been collected.
2. Information will be deleted or anonymised based on the type of information.
3. Or, it will securely store the information and isolate it from any further use until deletion is possible.
These statements might read clearly to some, but when one digs into their construction they are dangerous, and they only point to the fact that many companies don’t pay attention to what is published as their privacy notice. After all, as one stakeholder argued, how many people will actually read these privacy notices?
What is the point of having a statement in your privacy notice when it is clear that, internally, there is no procedure to back it up? For example, an insurance company claims that the data used for claims is kept for only seven years and deleted after that. However, when a particular data subject came back after eight years to raise an issue with a claim they had filed, the insurance company was able to present documentation about the case. When told that its privacy notice stated that it only keeps this information for seven years, the company’s lawyer claimed that this was an oversight by the privacy team. It only points to the disregard most companies show for “transparency, fairness and lawfulness” in their processing activities.
Connecting privacy notices to internal company procedures is pivotal to any company’s privacy compliance framework. It also signals the priority placed on reputation and trust. If a company says it will keep data for x number of years, then its internal processes and procedures should match that statement. There is a disconnect whenever a company’s procedures do not match what is stated on its website. To avoid shooting themselves in the foot, company stakeholders should scrutinise the truths and realities embedded in their privacy notices and place emphasis on a yearly review methodology, so that the notice remains up to date with existing and new procedures.
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com