2019 privacy update -  security awareness module for November

Important disclaimer

These are generic security awareness materials, not legal advice.


Background and scope

Privacy is a fairly complex concept with various implications under various circumstances.  It means different things to different people.  Privacy and information security have a lot in common but each goes further:

  • From an individual’s perspective, privacy is mostly about people retaining control over their own personal information (e.g. being able to restrict its use and onward disclosure).
  • Organizations use or exploit personal information for various business purposes within the bounds of privacy laws, regulations and ethics.  Information security controls are needed to mitigate information risks relating to personal information. 

Our primary concern in this security awareness module is to help workers (staff, managers and specialists) appreciate and fulfill their obligations under privacy policies, laws and regulations (particularly the General Data Protection Regulation), mostly by maintaining the confidentiality of personal information in their care.  However, integrity and availability of personal information are also relevant considerations, ensuring that personal information is reasonably complete, accurate and accessible for legitimate business and personal purposes.

Learning objectives

November’s NoticeBored security awareness module:

  • Introduces privacy, providing general context and background information on privacy concepts;
  • Expands on the information risks and security controls applicable to personal information;
  • Emphasizes the legal, regulatory and ethical compliance aspects – particularly given the punitive financial penalties available under GDPR;
  • Motivates workers to think - and most of all act - in the best interests of data subjects (first) and the organization (second), for example:
    • Taking privacy seriously – this is no trivial matter;
    • Complying with privacy policies, regulations and laws, plus ethical and social norms;
    • Avoiding risky or inappropriate activities that might unduly compromise privacy;
    • Respecting data subjects’ privacy rights and reasonable expectations; and
    • Reasonably expecting or demanding that their own privacy rights are respected as well.

Consider your learning objectives in relation to privacy.  Consult and collaborate with your Privacy Officer (if you have one!).  Take into account the particular laws and regulations that apply to your organization.  Consider any privacy incidents, breaches or near-misses you have suffered - plus those that might be ongoing right now but have yet to be noticed and reported.

Work with colleagues to spread the word about this topic.  Privacy tends to be pertinent to:

  • Everyone regarding their own personal information, privacy rights and expectations;
  • Workers handling or accessing personal information at work, such as those in HR, company medics, and managers;
  • Management in general, given the governance, direction, oversight, compliance and risk management implications;
  • Information owners, risk owners, application owners etc. for privacy-relevant IT systems, services and business processes;
  • The Privacy Officer or equivalent and colleagues.  They should ideally get directly involved in planning and delivering the awareness content, for example checking that the materials and messages support and comply – rather than conflict – with applicable policies, laws, regulations and practices;
  • IT in respect of personal data stored, processed and communicated on IT systems and networks;
  • Cloud Service Providers for cloud apps involving personal data;
  • Information Risk and Security, plus Risk Management, Legal/Compliance and Audit;
  • Facilities and Physical Security e.g. concerning cleaning rest rooms and other private areas, and monitoring workers and visitors on CCTV systems;
  • Anyone who has personally suffered a privacy breach, identity theft or similar, or is close to someone who has.


Module 199 listing


As well as taking legal advice and customizing the NoticeBored materials to suit your awareness branding and objectives, feel free to blend in additional content.  Use the materials in company newsletters and magazines, your intranet Security Zone, awareness events and training courses, and for new employee induction or orientation purposes.


Copyright © 2019 IsecT Ltd.