Privacy and Confidentiality Policy

Version: 1.00    Issue Date: 11/4/2014

1.0 Overview

In order to properly protect the organization and those who do business with the organization, data must be handled in a manner that is consistent with the requirements based on its sensitivity. This Privacy and Confidentiality Policy outlines requirements for the handling of data based on its security needs.

This Privacy and Confidentiality Policy also requires assurance to business partners, customers, and other external users that security measures are in place to keep systems and data secure.

2.0 Purpose

This Privacy and Confidentiality Policy is an internal Information Technology (IT) Policy. The purpose for this Privacy and Confidentiality Policy is to:

  • Provide guidance to protect the confidentiality and privacy of the organization and those organizations and individuals that interact with this organization.
  • Provide assurance to business partners, customers, and other external users that security measures are in place to keep systems and data secure.
  • Protect the organization and those who manage, use, or work with data held by the organization from loss or harm.

3.0 Scope

This Privacy and Confidentiality Policy applies to all employees and personnel that handle any data in the care of or owned by the organization. Personnel includes contractors, consultants, and temporary employees. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Responsibilities

Information technology staff must know and understand the categories of information security needs and sensitivities according to the Information Sensitivity Policy. They must ensure that the following actions or additional actions are taken to protect information when necessary:

  • Encrypt information during transmission and/or storage where appropriate.
  • Use user-level access controls to protect information and computers.
  • Implement user access controls effectively and in a timely manner.
  • When access control exceptions are made, the exceptions must be documented and evidence of privilege use must be kept for review. Control exceptions must be reported to management.
  • Be sure sensitive information is properly destroyed when necessary using defined proven methods, software, and tools.
  • Use defense in depth strategies to protect information, information systems, and the network.
  • Use key management for keeping encryption secure and reliable considering key recovery issues.
  • Consider the possibilities of Disaster Recovery or Business Continuity plans exposing sensitive information to attack.
  • Use testing data with no real sensitivity for testing applications when working with the business owners of projects.
  • Be sure areas for storing data off the normal site such as data backup storage areas are secure and have appropriate controls for the sensitivity of the information being stored.
  • Be sure information is not inadvertently left exposed or unattended; when not in use, ensure the information is locked away in an approved location.
  • Understand laws that relate to privacy and confidentiality of handled and stored information and receive periodic training.
  • Personnel handling sensitive data must have appropriate background checks relative to the sensitivity of the data they are handling, accessing, or have in their care.

5.0 Business Partners

Business partners must have access to documentation ensuring their privacy and confidentiality without revealing sensitive security measures that are in place. Some items include:

  • A privacy policy statement that the organization will protect private, confidential, and sensitive information and will not provide or sell information about customers or business partners to third parties without their consent.
  • A security statement indicating that security measures are in place to protect sensitive data stored in the organization.

6.0 Enforcement

Since data security and integrity, along with resource protection, are critical to the operation of the organization, employees that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

7.0 Other Policies

  • Disaster Recovery Policy
  • Business Continuity Policy
  • Encryption Policy
  • Information Sensitivity Policy
  • Employee Background Screening Policy
  • Virus Protection Policy
  • Patch Management Policy
  • System Lockdown Policy
  • Server Monitoring Policy


Approved by:__________________________ Signature:_____________________ Date:_______________