Introduction
This checklist provides a framework for in-house legal counsel and professional practitioners to draft an organization’s internal-facing privacy policies and procedures.
This checklist addresses the following:
- Conducting initial evaluation and preparation
- Drafting internal data privacy policies and procedures
- Drafting employee and contractor information privacy policies
The checklist is presented as a list of considerations that you can check off as they are addressed in your development of internal privacy policies and procedures. After the checklist, there are explanatory notes corresponding with each requirement in the checklist.
This checklist should be read in conjunction with How-to guides: How to develop, implement and maintain a US information and data security compliance program, How to implement privacy by design within your organization, and Checklists: Understanding privacy laws in the US and Privacy and data security law training.
Step 1 – Conducting initial evaluation and preparation
| No. | Action |
|-----|--------|
| 1.1 | Determine organization’s privacy obligations |
| 1.2 | Identify stakeholders and build collaboration |
| 1.3 | Determine what internal privacy policies and procedures are appropriate |
Step 2 – Drafting internal data privacy policies and procedures
| No. | Action |
|-----|--------|
| 2.1 | Determine approach to drafting data policies and procedures |
| 2.2 | Set out responsibility and scope of policies and procedures |
| 2.3 | Set out purpose and rationale |
| 2.4 | Define key terms |
| 2.5 | Set out organization’s privacy policies and procedures |
| 2.6 | Include key dates |
| 2.7 | Provide a contact person and resources |
| 2.8 | Set out penalties for non-compliance with data privacy policies and procedures |
Step 3 – Drafting employee and contractor information privacy policy
| No. | Action |
|-----|--------|
| 3.1 | Provide background |
| 3.2 | Define employee personal information and other key terms |
| 3.3 | Address cross-border employee data issues |
| 3.4 | Address employee data collection, use, and disclosure |
| 3.5 | Disclose monitoring |
| 3.6 | Include key dates and acknowledgement |
| 3.7 | Modify policy for independent contractors |
Scope and use of checklist
This checklist is designed to help organizations develop internal-facing privacy policies and procedures. Internal privacy policies and procedures are directed to those inside the organization, typically its employees and contractors. Although directed internally, these policies may deal with the private information of those outside the organization, such as clients and customers.
This checklist does not address the details of US privacy laws and regulations. However, these topics are covered in other guides and checklists. See How-to guide: How to determine and apply relevant US privacy laws to your organization and How to develop, implement, and maintain a US information and data security compliance program.
General notes
Overview of US legal framework
There is no single source for privacy law in the United States. Privacy law stems from a number of different sources including federal laws, state laws, and common law privacy claims. US privacy law is an evolving patchwork of federal and state laws that often overlap with data security law.
Some federal and state privacy laws affect only certain businesses or industries. However, a handful of states have enacted comprehensive privacy laws, and privacy is becoming an area of increasing focus for state legislatures. At the time of preparation of this guide, many states have proposed legislation that could impact privacy obligations for businesses operating within those states.
As US privacy law is a complex medley of state and federal statutes and regulations, organizations must determine which laws apply to them on a case-by-case basis. US privacy law is also in a period of flux, so it is important to regularly check for changes.
For more guidance, see How-to guide: How to determine and apply relevant US privacy laws to your organization.
Key considerations
The goal of a privacy policy is to comply with the applicable legal requirements. Since privacy law is in flux, it is essential that your organization is alert to any changes that could impact its privacy practices.
State laws on privacy may vary, so it is important to understand the differences between the laws in the different jurisdictions in which your organization operates. Some state laws may provide a ‘safe harbor’ stating that an organization that complies with the more restrictive laws of another jurisdiction is automatically in compliance with that state’s own laws.
Step 1 – Conducting initial evaluation and preparation
1.1 Determine organization’s privacy obligations
Start by determining the organization’s privacy obligations. The primary sources of privacy obligations are federal and state privacy laws and an organization’s privacy-related contracts.
For further information, review Checklist: Understanding privacy laws in the US.
Organizations with global operations must be aware that international laws, most notably the EU’s General Data Protection Regulation (GDPR), also impose privacy obligations.
An organization’s privacy obligations will dictate the topics to cover in its privacy policies and procedures. The goal is to ensure that the policies and procedures adequately explain what must be done in order to comply with the relevant privacy obligations.
1.2 Identify stakeholders and build collaboration
Involve the organization’s stakeholders in the development of privacy policies and procedures as well as their rollout and use. Identify the organization’s privacy program stakeholders and build collaboration and buy-in from them. Stakeholders may include operational staff who process private data, legal and compliance staff responsible for privacy compliance, and information technology (IT) staff who help ensure the security of private data.
1.3 Determine what internal privacy policies and procedures are appropriate
Based on applicable privacy obligations, determine what types of internal-facing privacy policies and procedures are appropriate. Typically, organizations need two categories of internal-facing privacy policies and procedures:
- Data privacy policies and procedures. These set the standards and processes that employees must follow to ensure that the organization complies with its privacy obligations.
- Employee and contractor privacy policy. This type of privacy policy informs the workforce (eg, employees and contractors) how their personal information is collected, used, and disclosed by the organization.
Additional internal privacy policies and procedures include:
- Access control policy, which delineates who is allowed to access personal data and under what conditions, so that data is accessible only to authorized personnel in appropriate circumstances.
- Data retention and disposal policy, which sets out how long the organization keeps personal data and the methods for its disposal once it is no longer needed.
- Data breach response policy, which outlines the steps to take in the event of a data breach, including procedures for notifying customers, law enforcement, and other stakeholders, and mitigation strategies.
- Training and awareness policy, which ensures that employees receive regular training on privacy policies and data protection practices.
- Audit and monitoring policy, which describes how the organization will monitor its compliance with the privacy policies and requires the organization to conduct regular audits to identify and address privacy risks.
Step 2 – Drafting internal data privacy policies and procedures
2.1 Determine approach to drafting data policies and procedures
Since there is no legally required or standard form for internal privacy policies and procedures, your organization must decide its approach to drafting. Key questions to consider include:
- How will different types of sensitive data be addressed? Sensitive data is usually defined as data that must be protected from any unauthorized access, and includes Social Security numbers, health information, home addresses, and passwords. An organization may create a single document that addresses privacy policies and procedures for all types of sensitive data together (ie, a single policy approach), or it may create independent policies and procedures for different types of sensitive data (ie, a multiple policy approach). For example, policies and procedures for dealing with personal health information (PHI) would differ from those dealing with protected financial information. Some organizations group data into protection categories; for example, Level I data may be subject to stricter rules than Level II data.
- What structure will the privacy policies and procedures have? There is no required structure. Organizations should focus on clearly conveying information. Text, tables, and even flow charts may be used to convey the organization’s privacy policies and procedures.
2.2 Set out responsibility and scope of policies and procedures
In the policies and procedures, include a statement regarding to whom they apply and in what situations. For example, the scope may be that the document applies to all employees and all forms of data that include personal information. In a multi-policy drafting approach, different policies may apply to different groups of the workforce.
2.3 Set out purpose and rationale
Include a background statement in the policies and procedures that explains the purpose of the document and summarizes the applicable privacy laws and obligations. This is typically one of the first components to address in the privacy policies and procedures. Workforce members are more likely to comply with privacy policies and procedures when they understand their purpose and the underlying privacy obligations.
Example of the purpose statement of an internal privacy policy:
This privacy policy is designed to address various aspects related to data collection and protection. It will define what constitutes personally identifiable information (PII) and specify the methods by which this information is to be collected, eg, through website forms or account registrations. Additionally, the purpose for which this data is collected may include user authentication, service improvement, or marketing purposes. Furthermore, this privacy policy will explain how the organization protects this data from unauthorized access or disclosure through security measures like encryption or restricted access controls and the role that employees must play in this process.
2.4 Define key terms
In the United States, privacy law-related terminology is used inconsistently across laws and in everyday vernacular. For example, a ‘privacy notice’ in one capacity may be referred to as a ‘privacy policy’ in another.
In the internal privacy policies and procedures, define key terms to avoid confusion. Place particular emphasis on defining the types of information to be protected.
Organizations may choose to create a single broad definition for all sensitive information, such as ‘personal information,’ or separately define different types of sensitive information, such as ‘protected health information’ and ‘personally identifiable information.’
Example of a single broad definition:
‘Personal Data’ means any personally identifying information of a natural person, including without limitation names, addresses, personal email addresses, personal phone numbers and persistent unique identifiers such as URLs and mobile device ID numbers and biometric data; government-issued identifiers, including Social Security numbers, passport numbers, tax ID numbers, and driver’s license numbers; personal financial information, including bank, credit and debit account numbers and access codes, bank account and credit card information, credit reports and ratings, and other non-public personal financial information as defined under applicable laws, including the Gramm-Leach-Bliley Act and the Fair Credit Reporting Act; personal health information, including health and medical records, medical payments, genetic data, ‘PHI’ and ‘e-PHI’ as defined under the Health Insurance Portability and Accountability Act of 1996 and amendments and associated regulations thereto, including the Privacy Rule and Security Rule; other sensitive information concerning a natural person, including information relating to race, ethnicity, religious beliefs or sexual orientation; personnel records of ABC Company or client employees; and combinations of any of the foregoing that may be subject to data breach notification requirements under applicable laws.
2.5 Set out organization’s privacy policies and procedures
Detail the organization’s privacy policies and associated procedures. The number of policies and topics covered is determined by the organization’s privacy obligations and chosen drafting approach.
One common approach is to set out a policy followed by procedures for carrying out that policy. For example, a policy may provide that all of the organization’s workforce is responsible for safeguarding personal information from unauthorized access or use. The procedures would then list specific measures for implementing that policy.
Regardless of the drafting approach taken, the following topics should be covered in the policies and procedures:
- information collection;
- information use;
- information access;
- information disclosure;
- information storage;
- information disposal and destruction;
- actions to be taken in the event of a breach; and
- responding to a complaint.
2.6 Include key dates
Include the effective date of the policy and any revision dates. Knowing what policies were in effect at a particular time helps determine whether the organization was in fact in compliance with its own policies at the time of a data breach or incident.
2.7 Provide a contact person and resources
Provide a contact person to answer questions. It is best to have only one contact person, or, in a large organization, one contact person per division or department. This will avoid the possibility of different contact people providing inconsistent answers to questions. Include links to useful resources such as related policies and relevant laws.
2.8 Set out penalties for non-compliance with data privacy policies and procedures
The policies and procedures should state that non-compliance will result in penalties. The exact penalties can be laid out, referred to (eg, if they are in another document), or left to the organization’s discretion to allow the penalty to be tailored to the specific infraction. Typically, the policy would include a statement such as ‘non-compliance with this policy will result in penalty, up to and including termination of employment’.
Step 3 – Drafting employee and contractor information privacy policies
3.1 Provide background
The employee privacy policy should set out the purpose of the policy and the employer’s contact information.
3.2 Define employee personal information and other key terms
The primary focus of an employee privacy policy is how an employee’s personal information is collected, used, and disclosed, so it is important to define the term used to refer to this information. Typically, a broad definition is best.
Example:
‘Employee Personal Information’ means any Personal Information that is processed as part of an individual’s working relationship with ABC Company, for example, pertaining to a current, past or prospective employee of ABC Company processed in the context of an employment relationship or potential employment relationship with the ABC Company. Such information may include details of any dependents, beneficiaries or other individuals whose Personal Information has been provided to ABC Company for any purpose, including for any ABC Company benefits plan.
Other key terms used in the policy, including ‘Personal Information,’ should likewise be defined.
3.3 Address cross-border employee data issues
In today’s working environment, an increasing number of employees work remotely from different cities, states, and sometimes even countries. For this reason, it is important to consider jurisdictional issues, such as whether the employee’s home state has additional, or different, privacy laws and regulations that must be followed.
3.4 Address employee data collection, use, and disclosure
Address the following topics in relation to employee personal information:
- how information is collected;
- what information is collected;
- how information is used;
- how information is stored and protected;
- when information is disclosed;
- how long information is retained;
- special policies regarding the treatment of certain types of information (eg, health records), if applicable;
- employee rights regarding the information, including the right to update and remove the information, if applicable; and
- how an employee can get questions related to the policy answered.
Background checks are a common use of employee personal information. Note that, in addition to disclosing the background check in the policy, the law may require employees to sign a separate consent to the background check. Note also that for some types of jobs (eg, those that involve working with children), a background check may be required by law. For further information, see How-to guide: How to investigate the social media activity of prospective employees.
3.5 Disclose monitoring
In the employee privacy policy, disclose any monitoring conducted by the organization. This includes video surveillance, social media monitoring, email monitoring, and company device monitoring.
3.6 Include key dates and acknowledgement
Include the effective date and dates of any modifications to the policy. Also include an acknowledgement of receipt for the receiving employee to sign.
3.7 Modify policy for independent contractors
Since information collection and use is often similar for contractors, the employee privacy policy is often a good starting point when drafting a contractor privacy policy. However, review the resulting document to ensure it is consistent with the contractor’s relationship to the organization. For example, some contractors may never come into the office, so disclosures of video monitoring conducted on the premises would be irrelevant to them.
Additional resources
Related Lexology Pro content
How-to guides:
- How to determine and apply relevant US privacy laws to your organization
- How to manage your organization’s data privacy and security risks
- How to implement privacy by design within your organization
- How to develop, implement, and maintain a US privacy law compliance program
- How to develop, implement and maintain a US information and data security compliance program
- How to evaluate the effectiveness of a data security or data privacy compliance program
- How to develop a vulnerability disclosure program (VDP) for your organization to ensure cybersecurity
- How to draft a privacy policy, and privacy and data security provisions in contracts
- How to manage third party supply chain data privacy, security risks, and liability
- Incident response plan readiness and identification of a reportable data breach
- How to prepare for and respond to a governmental investigation or enforcement action for violation of US privacy laws
Checklists:
- Understanding privacy laws in the US
- Completing a data privacy risk assessment
- Completing a data and information security risk assessment
- Drafting a consumer privacy policy
- Developing key privacy and data security contractual terms and provisions (B2C)
- Privacy and data security law training
- Completing a data incident response plan assessment
- Responding to a data breach
- Privacy and data security due diligence in M&A
Quick views:
- Key data privacy and data security terms
- Collection and use of non-consumer data
- Regulation of data brokers