How to Celebrate Data Privacy Day

By Jim Benlein, CISA, CISM, CRISC

Take some time tomorrow to consider how you're protecting member information

While not celebrated with a day off, deep discounts or special sales, Data Privacy Day is (or should be) an important event in your credit union’s calendar.

Observed annually on Jan. 28, Data Privacy Day marks an international effort by leading privacy organizations and champions to educate and empower individuals to understand and protect their digital data and privacy. Led by the National Cyber Security Alliance, Data Privacy Day started in the United States and Canada in 2008 to mark and expand on the Data Protection Day celebrated in Europe. For credit unions, Data Privacy Day highlights an important aspect and critical objective of credit union operations: maintaining and protecting the privacy of member and CU information.

Take some time tomorrow to mark the day by considering the following best practices, as set out in the Organization for Economic Cooperation & Development’s 2013 release of its Privacy Framework:

Limited Collection
Any collection of data should be done fairly, lawfully and, where appropriate, with the knowledge and consent of the individual. Beyond requiring the credit union to abide by applicable laws and regulations (such as the FACT Act and the Children’s Online Privacy Protection Act), the first part of this principle stresses the importance of obtaining information “fairly.” All above board, nothing “on the sly.” If you collect contact information from non-members that may later be used to market to them, you need to disclose this. If you use cookies to gather information on your website, you should disclose this and explain how the collected information is used. (Note: This is a legal requirement for CUs operating in the European Union.)

Quality Data
Collected data should be accurate, relevant, necessary, and kept up to date. Additionally, your credit union needs to ensure data is entered (manually or electronically) into computer systems correctly and free from errors.

Specific Purpose
When collecting data, OECD best practices require:

  • individuals be notified of the purpose of the collection (e.g. how the data will be used) at the time it is collected;
  • data be used only as disclosed; and
  • additional notification be given if data use changes.

If your CU collects email addresses solely for online banking purposes and then decides to “repurpose” them for email marketing, you need to notify members of this change.

Limited Use
Following on the principle of specific purpose is the understanding that collected data will not be distributed, disclosed or used outside the specified/understood purpose without consent of the individual or as provided by law. While most people are cognizant of the credit union’s requirement to hand over data for legal purposes (such as discovery in a lawsuit), a CU needs to make sure there is a clear understanding of what data could be distributed to other organizations or groups, and when.

Security Safeguards
Once collected by the credit union, data needs to be protected against unauthorized access, destruction, use, modification or disclosure. It’s important to note that effective and appropriate data privacy isn’t only about computer security. As such, it cannot be looked at solely in terms of technical controls around data. For a CU to appropriately handle privacy, it needs to consider privacy controls, measures, and principles at the board level and throughout all operational areas.

Openness
A CU needs to be up front and open about its privacy policy and practices. Individuals should be able to determine easily what personal data is collected and how it will be used. Additionally, the CU should provide contact information individuals can use if they have questions or concerns. As “individuals” may include non-members, a CU cannot limit availability of this to just member-focused communiqués.

Individual Participation
A CU should have a program allowing individuals to request information on what data is held. This program should also provide for timely response to requests that data be deleted, corrected, amended, completed, or changed. Understanding some information cannot be changed (delinquency, overdrafts, credit bureau info, etc.), the credit union should be able to provide clear communication to the member on why this information can’t be changed beyond saying, “Our policy says so.” When data does need to be changed, the processes should provide for prompt updates.

Accountability
As with other aspects of credit union operations, clear accountability should be established for the various procedures and privacy practices the credit union establishes. Policies, standards, and position descriptions should note who is responsible for various items. Regular reviews or audits should confirm policies and standards are being followed.

At a time when it seems the availability of privacy is diminishing, it is critical that credit unions make the trust and reliability of their privacy practices a cornerstone of their strategy and vision. The answer to “Can I trust you to keep a secret?” should be readily apparent to members through the actions of credit union board members and all employees. So, for Data Privacy Day, give your members the gift of knowing their privacy is expected, respected, and maintained at the credit union.

Jim Benlein, CISA, CISM, CRISC is owner of KGS Consulting, LLC, Silverdale, Wash.