Work Practices and Environments in GPII and P4A Personal Data Handling and Privacy


The following questions can serve as a guide to making sure that all processes performed during the research activities carried out by people involved in Prosperity4all in their work environments comply with the norms.

Appropriate handling of personal data and privacy concerns:

· Personally identifiable information, whether stored in electronic, paper or micrographic form, should be kept secure.

· Does the project have staff specifically assigned to data security?

· Do project staff members keep abreast of technical and legal issues concerning data security?

· Have you developed a security breach response plan in the event that the project experiences a data breach?

· Have you developed security guidelines for laptops and other portable computing devices when transported off-site?

· Is physical access restricted to computer operations and to paper/micrographic files (such as certain Prosperity4all questionnaire documents that contain, for example, demographic data) that contain personally identifiable information?

· Do you have procedures to prevent former employees engaged in Prosperity4all from gaining access to computers and paper files?

· Are sensitive files segregated in secure areas/computer systems and available only to authorized persons?

· Are filing cabinets containing sensitive information locked? Are computers, laptops, and networks password protected?

· Do all personnel involved in the Prosperity4all project follow strict password and virus protection procedures?

· Are employees engaged in Prosperity4all required to change passwords often, using "fool proof" methods?

· Is encryption used to protect sensitive information (a particularly important measure when transmitting personally identifiable information over the Internet)?

· Do you regularly conduct systems-penetration tests to determine if your systems and Prosperity4all systems and solutions are hacker proof?

· If your organization is potentially susceptible to industrial espionage, have you taken extra precautions to guard against leakage of information?

Additional Security Practices

· When providing copies of information to others, do employees make sure that nonessential information is removed and that personally identifiable information that has no relevance to the transaction is either removed or masked?

· Are employees engaged in Prosperity4all trained never to leave computer terminals unattended when personally identifiable information is on the screen? Do you use password-activated screen-saver programs?

· Are all employees engaged in Prosperity4all who handle personal information, including temporary, back-up and contract staff, trained to detect when they are being "pumped" for personal information by unauthorized and unscrupulous persons? For example, pretext interviews are more common than might be expected and are the stock in trade of persons bent on finding out confidential personal information to which they are not entitled. Equally, information recorded on forms (experimental tasks as well as questionnaires from all user involvement activities) contains data that must be safeguarded.

· Do you perform background checks on prospective employees who will have access to personal information of customers, clients, or employees?

· Have employees been instructed on what might constitute inappropriate use of social networking sites? Employees must be made aware of the privacy pitfalls inherent in social media. "Tweeting" or "Facebooking" about sensitive work issues can have adverse consequences far beyond a simple conversation. This point is relevant to Prosperity4all's dissemination and recruitment activities.

· Have you inventoried the various types of data being stored and classified them according to how important they are and how costly it would be to the organization if they were lost or stolen?

Records Retention and Disposal

· Does your organization have a records retention/disposal schedule for personally identifiable information, whether stored in paper, micrographic or electronic (computer) media?

· Volunteers' records stored electronically or in paper files are company assets, just like the furniture or the computers. Not only that, but volunteers' personal information is subject to a myriad of laws that dictate privacy protections, safeguarding measures, and proper disposal. Even in hard times, when a company has to close its doors, customer data should never be abandoned or left at the curb for the trash collector. Such actions could subject owners, even of a defunct business, to unwanted lawsuits by customers and government regulators.

· When disposing of computers, diskettes, magnetic tapes, CD-ROMs, hard drives, memory sticks, motherboards, and any other electronic media which contain personally identifiable information, are all data rendered unrecoverable, either by physically destroying the device or by overwriting the data sufficiently to ensure destruction?

· If you use third-party services for computer recycling or destruction, have you selected a service that provides a certificate of destruction?

· When disposing of waste and recycling paper, are all documents that contain personally identifiable information placed in secure padlocked containers or shredded? (Shredding should be cross-cut, diamond-cut, or confetti-cut shredding, not simply continuous [single-strip] shredding, which can be reconstructed.) Does your recycling company certify its disposal/destruction methods? Is it bonded?

· When engaging an external business to destroy records or electronic media, do you check references? Do you insist on a signed contract spelling out the terms of the relationship? Do you visit the destruction site and require that a certificate of destruction be issued upon completion?

· When dealing with another company or government agency, do you ask about its security protocol regarding personal information? Do you inquire whether it shares that information with anyone? Do you find out if it does background checks on employees with access to your personal information?

· Contracts with outside service providers as well as employee agreements should specify that customer data is the company's exclusive property and should only be used as necessary to carry out contractor or employment duties. Such contracts and agreements should also incorporate the company's privacy and data security policies. Contracts should also delineate the service provider's specific obligations, rather than simply stating that the contractor will comply with all applicable laws.

· Is staff specifically assigned to data security?

· Do staff members participate in regular training programs to keep abreast of technical and legal issues?

· Have you developed a security breach response plan in the event that your company or organization experiences a data breach?

· Have you developed security guidelines for laptops and other portable computing devices when transported off-site?

· Is physical access restricted to computer operations and paper/micrographic files that contain personally identifiable information?

· Do you have procedures to prevent former employees from gaining access to computers and paper files?

· Are sensitive files segregated in secure areas/computer systems and available only to qualified persons?

· Are filing cabinets containing sensitive information locked? Are computers, laptops, and networks password protected?

· Do you have audit procedures and strict penalties in place to prevent telephone fraud and theft of equipment and information?

· Do all employees follow strict password and virus protection procedures? Are employees required to change passwords often, using "fool proof" methods?

· Is encryption used to protect sensitive information (a particularly important measure when transmitting personally identifiable information over the Internet)?

· Do you regularly conduct systems-penetration tests to determine if your systems are hacker proof?

· If your organization is potentially susceptible to industrial espionage, have you taken extra precautions to guard against leakage of information?

Wireless Communications

· Are employees properly trained to make sure that all data is properly encrypted and that encryption is not disabled, either accidentally or intentionally?

· While organization policies should emphasize the importance of encryption, these policies may be ignored by careless users, particularly if non-compliance does not result in adverse consequences.

· Many organizations remain overly dependent upon encryption solutions to protect sensitive data on their laptops. Companies relying solely on encryption cannot be sure whether stored data has actually been encrypted, whether it has been compromised, or even which files have been accessed. Corporations should take a layered approach to security, making encryption only one layer of their approach to data security.

· Are employees trained in techniques to spot suspicious activity, including signs that a computer has been infected with malware?

· Does the organization have policies, procedures and training programs that emphasize responsible information-handling practices?

· Is the network connection between home and work secure?

· Do laptops containing sensitive information have a "kill switch," that is, remotely enabled software that can disable lost or stolen laptops? The loss or theft of laptops is one of the most common ways in which the security of corporate data is compromised.