Services
Workshops
Profile
Articles
Links
Contact

Strategic Privacy Training

By Scott Crosby, President, Sysanova Ltd.

Of all of the components of privacy management that are required to successfully develop a privacy infrastructure within an organization, a training program is one of the most important. I have heard it said many times by company representatives that meeting the requirements of the Personal Information Protection and Electronic Documents Act (PIPED) means that consideration must be given to training staff. Training sessions need to be variable to ensure that all reaches of the organization are prepared to fulfill their roles. The curriculum needs to deal with the law itself, company privacy policies and practices, and communications with customers at the service end. A good privacy program is of no value if it is not communicated effectively to critical staff so it can me implemented.

Privacy training is the conduit for the successful implementation of your privacy management plan, so it is critical that it be conducted carefully and strategically.  Goals, challenges and expectations need to be spelled out in advance, timing and delivery schedules need to be considered and post-training assessment needs to be conducted to test the effectiveness of the program. 

First, consider who needs training, what specific training do they need, why do they need it, how will they get it and when? Your goals should be spelled out clearly and as specifically as possible. To say that you are spending $75,000 on privacy training so that you can have a work force educated in privacy is too general and difficult to measure. The goals might be to “have a customer-service workforce that recognizes what privacy is and how your company protects it, what the key messages are to clients, and where to go for more detailed information on privacy to respond to customer needs.” There may be a requirement to have program development staff trained in privacy so that your company’s offerings can be proactively developed with privacy considerations in mind.  Executive staff need to understand the leveraging capacity and competitive considerations of a privacy culture, and your human resource staff need to understand a fairly comprehensive culture of privacy to meet the workforce requirements and deal with privacy in labour discussions.

From a strategic perspective, it is important to spell out the overall goal or expectation from the training plan, and then specific goals by workgroup. Overall, the mission for privacy training may be “ to supply all staff with the knowledge and skill to contribute to the company’s compliance with Privacy law”, or “ to equip the team with the means of enhancing corporate objectives through the respect for privacy”.  Once you have something along those lines as your guiding light, the rest of the plan starts to take clearer shape.

There are challenges to training your workforce successfully in privacy.

Privacy training is a horizontal management issue, something that nearly everyone in the company needs to learn about, from one perspective or another. Unlike sectoral training like accounting or help desk training, or other job-specific functions that need only be delivered to the specific staff groups, privacy training permeates the organization; it is a core function of everyone.  Weak links in the chain will negatively impact the whole organization. I recently reviewed the privacy statement of a major financial institution in North America and called the 1-800 number for more information, the person who answered had no idea what I was talking about when I asked a few basic questions about their privacy practices.

Another challenge is to create a momentum that leads to cultural change. There are few organizations in existence that brand themselves as privacy enhanced product or service providers. Imagine a company that can successfully create the image that, along with their regular service offerings, they are immediately linked to the notion of privacy. Such an business will take a leadership role within corporate North America. Just as we link safety with Volvo’s and luxury with Mercedes, we could link privacy with any company.

There is also the challenge of rolling out a training plan without breaking the bank. The Personal Information Protection and Electronic Documents Act is in force for many companies in Canada right now, and will be law for everyone in three years. What does that mean in terms of privacy management training?  Your training plan needs to consider your compliance requirements. For companies that must be complaint at this moment, the training plan needs to be developed and delivered quickly, with further ongoing training blended with regular workforce training programs later on. For other companies, where compliance might wait a year or two, privacy training might be combined with other training delivery plans to reduce the costs and maintain the effect.

It is also important to consider the business of the company in developing a training plan. Business to business companies will have a different need than business to customer companies. Some companies may not have an obvious privacy issue, like auto manufacturers, and yet they offer global positioning customer services and financing arrangements that collect personal information. Training programs need to reflect the company’s ventures and help position strategic direction that includes privacy law compliance and customer relations.

While setting training goals and recognizing the challenges are important,  once the training has been delivered it is essential to take a measure of the effectiveness of the training. There are lots of ways to do this, from straightforward training participant evaluation to hiring consultants to validate the training by posing as clients and trying the system out. Some workshops employ a validating tool in the form of a case study, or a crisis response roleplay.  The mix of validators will include a number of things, but the point is that your organization has invested money ,  time and it has placed privacy management as enough of a priority that you want to get the most out of the investment. 

If part of the overall objective was to change the culture of your organization so that it is actually branded with privacy, other tools will also be required, and measurable changes must be identified at the beginning. Behavioral changes, changes in routine, information management practices, information collection practices, security measures and customer relation management practices would all reflect a shift in focus, but this is a multi-armed approach that would require a fairly detailed matrix of strategy, program development, tools, implementation, delivery and follow-up.

This series of articles will deal with some of the fundamentals of a privacy training plan. This article focuses on strategic training planning, what some of the first steps are, key considerations, the formulation of an effective plan. The second article deals more specifically with a Privacy Training Needs Assessment, focusing on what core groups need what kind of training, the current state of knowledge and skills with respect to privacy. Since corporate training plans probably already exist, the third article will deal with tailoring the curriculum to specific work groups for greatest effect. Finally, validating the effectiveness of your training will be the fourth article. Recognizing that such training will be an ongoing activity, you will want to note successes and weaknesses in the initial phase of training, to redirect it as you continue.

Within a short period of time, every company in Canada will need to be compliant with the Personal Information Protection and Electronic Documents Act, and will consider privacy as a corporate profit enhancer. This means that employees will need to change their behavior, gain a strong knowledge of the laws, practices and policies, develop a stronger awareness of privacy and develop some new skills in dealing with clients, developing products and services, attracting and keeping an effective workforce and considering where privacy fits in with the overall corporate culture and image. Creating an effective training program to obtain this is challenging but attainable and the rewards will be fantastic.