This section of the Course Paper, which may be named whatever you like (e.g., “Executive Summary,” “Introduction,” or “Preamble”), should be only a handful of sentences; certainly no more than a page. Here, your team will describe the nature of your business. You should explain what your firm does, who your customers are, and briefly mention any other key stakeholders in light of privacy concerns. This is also the place to list your team members. And, finally, in this section, you should explain to your audience—i.e., your company’s staff—why privacy is important in your business. Essentially, this is where you “sell” your audience on the fact that they must abide by your company’s privacy policies.
Policy 1.1 Policy Statement Section Overview
Policy 1.2 Policy Statements Contents
The contents of these policies should contain at least the following features:
• The policy itself, such as “Reasonable Expectation of Privacy for Employees.”
• The laws, regulations, or standards that relate to the policy at issue.
• An example, when applicable, that helps your audience understand the policy.
• Directions on how to put the policy into effect. For example, if your company processes payments by credit or debit card, and your policy is something like “Anyone who processes payments via payment cards must conform their actions to the PCI DSS requirements related to privacy,” then you may want to insert a link to those standards, or incorporate examples as mentioned directly above.
This list is not exhaustive. Depending on the set of facts, you may need to include more.
Policy 1.3 Comprehensive Policy Statements
The Policy Statements must be a comprehensive body. Do not omit the discussion of laws that may apply to your business. This means that you must understand what your business does and what its privacy implications are. Every company has employees, so employees’ privacy must be addressed. While it is debatable, I have discussed that any HRIS, or a company’s personnel records kept by other means, has the propensity to contain medical information of the kind now referred to as “PHI” (protected health information). Thus, you should have some policy that governs handling those data with respect to privacy. Could your company be considered a “financial institution”? If so, you must discuss GLB Act privacy policies.
The point is that in three to five pages you must tell your employees everything they need to know about maintaining appropriate privacy while conducting your business.