How to Write an Internal Privacy Policy for Your Company

Companies need to take care of privacy issues, as they house tons of personal information about employees and customers – not to mention confidential information about the company itself.

Posted by Joe Gerard in Corporate Security, Ethics, Ethics & Compliance on March 3rd, 2011

Protecting personal information stretches far beyond keeping your credit card close to your chest. Companies need to take care of privacy issues, as they house tons of personal information about employees and customers – not to mention confidential information about the company itself. Think about what would happen if one of your competitors had access to your systems, or if an employee cracked into the HR database and snooped around at information in other employee files.

Doesn’t really sound like something you want happening within your organization, and I don’t blame you. Companies are up against an ever-changing list of internal and external security threats. Depending on who you ask, some people say that your biggest corporate security threats come from within the organization.

So, how do you handle this?

Internal Privacy Policies

As with most issues in the workplace, start with a policy. Your company’s internal privacy policy should cover areas such as:

  • Employee records- personal information, medical history, etc.
  • Email and Internet usage guidelines
  • Handling client/customer information
  • Internal systems and access- permission, responsibilities, access to files, etc.
  • Mobile devices- company phones, laptops and other devices and their disposal
  • Established laws and regulations
  • Consequences for violating the policy
  • Reporting a security breach

FREE Investigation Report Template

Prepare thorough, consistent investigation reports with our free report template.

Download Template

It seems like a lot to cover, and it is, but these are all important topics that require significant consideration. If your company uses any sort of employee monitoring, such as web surfing or telephone monitoring, communicate this in the policy and make employees aware that there are measures in place to ensure compliance with the policy.

The Nitty Gritty

When writing your internal privacy policy, don't leave room for employees to speculate or assume.
When writing your internal privacy policy, don’t leave room for employees to speculate or assume. If you think you have to “spell it out” to your employees, do so. Include real-life examples of situations that could (or have) occur in your workplace. There are a ton of great resources out there to provide you with examples of privacy policies. The Privacy Rights Clearinghouse offers a number of resources, including a checklist for handling information. The  checklist discusses privacy policies and important questions to ask when writing it. Some of the questions on the checklist include:

  • “Do all employees follow strict password and virus protection procedures?
  • Are employees required to change passwords often, using “foolproof” methods?
  • Is encryption used to protect sensitive information (a particularly important measure when transmitting personally-identifiable information over the Internet)?
  • Do you regularly conduct systems-penetration tests to determine if your systems are hacker proof?
  • Do you have staff specifically assigned to data security?
  • Do staff members participate in regular training programs to keep abreast of technical and legal issues?
  • Have you developed a security breach response plan in the event that your company or organization experiences a data breach?
  • Have you developed security guidelines for laptops and other portable computing devices when transported off-site?
  • Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information?
  • Do you have procedures to prevent former employees from gaining access to computers and paper files?
  • Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?”

In addition to these questions, it’s important that employees know how to report a suspected or known security breach. Whether it was an accident such as sending an email to the wrong contact or overhearing about an employee selling sensitive company information, every incident needs to be reported. In the policy, include a list of phone numbers, email addresses and any other contact information employees can use to report a security breach.


Joe Gerard
Joe Gerard

CEO, i-Sight

Spend my days showing off the i-Sight investigative case management software and finding ways to help clients improve their investigations. Usually working with corporate security, HR & employee relations, compliance and legal teams.

Visit Website