Tailored Privacy Training Curriculum
By Scott Crosby, President, Sysanova Ltd.
This is the third in a series of four articles on privacy
training, and deals with the curriculum development for specific work groups.
Previous articles dealt with Privacy Training Strategy and Privacy Training
Needs Assessment.
It is at this stage that the training becomes really focused
on the workgroup and their role in the overall operations of the company. While
it is true to say that nearly everyone in an organization will require privacy
training, there are some groups that will require it sooner rather than later,
and some groups can be dealt with fairly quickly as they require merely an
overview session. Other groups will require detailed training on the legal responsibilities,
and on how the organization plans to fulfill these responsibilities, and
capture the value in privacy as a differentiator from the competition.
Tailoring the curriculum to specific workgroups creates the
opportunity to gain the most from a privacy management practice. Any company
can create a privacy policy and publish it, send it out in mail outs or post it
to the website. However, such actions are simply the icing on the cake. The
real challenge is ensuring that the organization can develop detailed policies
and practices, and even more, can live by them. It is highly risky to make a
public policy statement and then be proven to be unable to follow through on
the statement. Developing training curriculum specifically by workgroup will
ensure that the organization has applied due diligence toward getting it.
Having a thorough and valid policy statement goes a long way to defending
against such complaints and avoiding them in the first place, and towards
illustrating to your workforce and clients that the company considers its
relationship with them important.
Most corporations of medium to large size have sectors
dealing with specific tasks. They might be divided into three basic groups: the
Executive team, the Operational team and the Support team. Each group could
then be sub-divided further. The Executive team might include an executive
board, an audit function, public relations and legal advisors. The Operational
team would have a sales team, service or product development team and delivery
team, a regional infrastructure and marketing staff. The Support team would
house the financial services, human resource team, information and technology
management team, security, telecommunications and other support functions. Each
one of these categories will require training with different focuses.
The Executive team
The curriculum for the Executive team needs to cover the
basics from a high level. Starting with the laws themselves:
Executive Team Privacy Training Curriculum
| Area | Topics | Detail |
|---|---|---|
| Legal basis | PIPED; HIPAA; FCRA; Provincial laws; Federal laws | PIPED: Role of CPO; Role of Commissioner; Responsibilities of Customer Service Representatives; Code of Fair Information Practices; 10 Principles; Notification requirements. HIPAA. FCRA. |
| Corporate Policy | Customer databases; Customer relations; Employee databases; Employee relations Privacy Policy | Statements in each policy regarding the 10 principles and how they are implemented for all types of personal information |
| Corporate Practices | Personal Information collection, use, disclosure, retention practices | Who collects personal information, what information it is, where it goes, information flow, what changes are taking place due to PIPED, access procedures, public relations component, security component, information management upgrading, notification and consent activities |
| Privacy as a societal value | | History of privacy, current survey results, privacy infractions and public reaction, other jurisdictional activity, OECD, EU, Safe Harbours, workplace surveillance, etc. |
This table shows an example of a curriculum for the
Executive Team. Its components would be different for any other workgroup. For
example, the public relations staff would need detail on messages for
customers, information protection measures, limiting collection of personal
information, how to file a request, how to file a complaint, what types of
information are stored and where, etc. Information Technology staff, by contrast, must
be trained on minimizing collection, security requirements, use and disclosure
components and data mining considerations. An orientation program for new staff
would also have a different curriculum, one that more closely resembles the
Executive Team’s curriculum and offers broad-perspective content that
contributes to meeting the goals of organizational cultural change, upgrading
skills and awareness of the law and the customer relations dynamics embedded in
privacy management services.
At this stage of developing a privacy training plan,
consideration needs to be given to delivery techniques, detailed schedules,
hand out material, pre-reading, follow-up reading and references to websites.
Once the training is delivered, measuring how it is meeting your original
strategic goals is critical. This will be considered in the next article.