Today is Data Privacy Day, and in light of all the credit card hacking and fraud issues in the news, we wanted to celebrate by giving you some best practices from the Organization for Economic Cooperation and Development. Jim Benlein inspired us with his great article for the Credit Union Management Magazine, and we have the highlights he shared from the Privacy Framework for 2013 below:
Limited Collection
As a credit union or small bank, I'm sure you have a Facebook, do email campaigns, and keep your members informed online or by mail. Whether you are contacting members or potential members, the data you collect needs to come "fairly, lawfully, and where appropriate, with the knowledge and consent of the individual." Let's think about 'fairly.' If you want to collect referrals, or leads of non-members for marketing, these entities need to be AWARE that you collecting their information for that purpose. What is 'lawful' in this case? In the European Union, credit unions have to disclose and explain the collection of information using cookies. Why not implement that practice for your own credit union? Informed members and customers = HAPPY members and customers.
Quality Data
Do you know if those emails you exported from Facebook are even valid? Your data should also be "accurate, relevant, necessary, and kept up-to-date." Double check the emails or addresses you're using for marketing efforts BEFORE you mass communicate with them. An incorrect name could make a bad impression and an incorrect email or mailing address could mean wasted time and money for you! Create and send effective and relevant emails securely with a great exchange service, consistent branding, and encryption with content filtering.
Specific Purpose
You have members that just signed up for your mobile deposit capture product. They entered in their information, including their email and password to sign in. Great! Can you send them an email notifying them of your great new loan rates or cool PictureCard program? Sure- but you have to notify your member first. Best practice says: "individuals need to be notified of the purpose of the collection at the time it is collected, data can be used only as disclosed, and additional notification needs to be given if data use changes." The people that trust you with their information, let alone their MONEY, may be disappointed if they all of a sudden get marketing emails they didn't sign up for.
Limited Use
As stated with limited collection- everyone needs to be on the same page about the use of their information. Don't distribute or disclose any information unless you get consent to do so (or required to by law). If you have a partner or other organization that would just love to have your members/customers- of course they would, your members/customers are awesome - make sure they know that they may get contacted by third parties.
Secuirty Safeguards
Protect your members/customers. Easier said than done? Make sure you're looking at the bigger picture. Once you have their data, it needs to be "protected against unauthorized access, destruction, use, modification, or disclosure." Not only do you need to have great computer or network security, but also security at the board level for sharing information and reports, and your general operations with employees. Protecting your data is also crucial - having a great backup and recovery strategy will ensure you don't lose all the critical information you need!
Openness
So you have all these great policies and practices in place to protect your members/customers and you employees are great at implementing them. But do your members/customers know about it? Be up front and open about all the great policies you have to collect, use, and protect their data. Be available to any individual - member/customer or not - that has any questions or concerns about your data policies.
Individual Participation
Your financial institution should be able to take requests from individuals that want more information on what data you have. Make sure you are making changes as needed, but also let members/customers know when things cannot be changed- such as delinquency or credit bureau information. Have a system in place to take care of these requests and in a timely manner.
Account-Ability
Keep everyone at your institution accountable for their role in enforcing the procedures and privacy practices you have set in place. Stay on top of your plan and stick to it! It's becoming more and more difficult to ensure privacy, give your members/customers peace of mind by keeping data security as a cornerstone of your strategy and mission. Data Privacy Day in in place to educate and empower financial institutions to maintain and protect the privacy of their information and that of members and customers.
