Determine what information you need.
By limiting the personal information you obtain to only what’s required
to perform your normal functions, you reduce the risk that extraneous
information will fall into the wrong hands and be abused.
Provide a secure workplace.
Keep personnel files under lock and key, and restrict access to only those
people who need it. Visitors should not be allowed to roam the
workplace unattended. Provide employees with secure storage for files
containing sensitive information and for their own possessions, such
as pocketbooks.
Protect the privacy of data transmission.
If you receive or transmit personal information online, use encryption to
protect it. Don’t send sensitive information by email, which is not
generally secure. If you are transmitting personal information by fax,
use a cover sheet and alert the recipient to stand by for it.
Keep prying eyes away from customers’ information.
If personal information about customers, clients, or constituents can be
viewed on computer screens, make sure the computers are not left
unattended. Train employees not to leave files or papers containing
that information lying around. Access to that type of information
should be restricted to those employees who need it. Monitor employees
to ensure that they are not misusing personal information about
others.
Don’t expose information to the outside world.
Don’t use envelopes with personal information such as customers’ account
numbers printed on them or that have windows revealing that type of
information. Since mail can be stolen, limit the amount of personal
information inside. For instance, it may not be necessary to put the
full account number or social security number on a statement that you
send a customer.
Keep hackers at bay.
Use technology that protects databases containing personal information
from being obtained by computer hackers.
Don’t use Social Security Numbers as customers’ account numbers.
Social Security Numbers are the keys to people’s identity. If you have a
legitimate need for people’s social security numbers, store that
information securely and don’t use it needlessly.
Take care when you provide employees’ or customers’ personal information to others.
Provide personal information only when required by law or necessary to perform
a specific function. Delete any information that is not necessary. Ask
about the privacy and security policies and procedures of the other
party before you hand information over.
Explain how you handle personal information.
Let people know what information you collect about them, how it is used,
how you safeguard it, and how to contact the appropriate person if
they have questions or concerns.
Ask for permission to share personal information.
If the information isn’t necessary to provide to others by law or to
perform a function that the person to whom it relates has authorized,
give consumers an opportunity to opt out before you share their
personal information.
For suggestions about how to handle personal information responsibly and
securely, visit the Privacy Rights Clearinghouse, a nonprofit organization.