Simple – External Party Information Disclosure Policy

February 6, 2012

Determining if Disclosure is Appropriate

Duty to take special care: To the extent required to perform their job duties, workers are given access to “Corporate” restricted internal information.  Proper protection of this information is essential if the interests of not only “Corporate”, but also customers and business partners, are to be preserved.  These interests include maintenance of competitive advantage, trade secret protection, and preservation of personal privacy.  Accordingly, as indicated in the Non-Disclosure Agreement signed by all workers, special care should be taken to prevent disclosure of internal information to unauthorized third parties.

Sources of additional information: While this policy describes the considerations one should bear in mind before, during, and after disclosure to third parties, it cannot specifically address every possible situation.  Questions about disclosure should be directed to either a local information security coordinator [intranet link to list of these and their telephone numbers] or the relevant information owner [link to the corporate data dictionary, which then indicates who is the owner for various types of information].

Note: Need to establish internal weblinks…

Two Types of Information: For purposes of this policy, there are basically two types of information.  The first type of information has been approved for release to a specific group (such as customers), an organization (such as a regulatory agency), or an individual (such as a contractor).  Public information also falls into this first category.  If the party requesting information falls within the limits of the approved group of recipients, then no owner approval is required.  The second type of information has not yet been approved for release to a specific group, organization, or individual.  This policy discusses the specific requirements for dealing with the second category.  Additional guidance may be found in the Information Classification Policy [intranet link to that policy].

Third Parties and The Need to Know: Unless it has specifically been designated as public, all “Corporate” internal information must be protected from unauthorized disclosure to third parties.  Third parties may be given access to “Corporate” internal information only when a demonstrable need-to-know exists, and when such a disclosure has been expressly authorized by the relevant “Corporate” information owner.

Non-Disclosure Agreements: The disclosure of sensitive information to consultants, contractors, and temporaries must always be preceded by the receipt of a signed non-disclosure agreement (NDA).  When an NDA pertains to an organization, an officer of the recipient organization must sign the NDA for it to be valid.  Workers must not sign NDAs provided by third parties without the advance authorization of “Corporate” legal counsel designated to handle intellectual property matters.

Third Party Requests for “Corporate” Information: Unless a worker has been authorized by the information owner to make disclosures, all requests for information about “Corporate” and its business must be referred to the Public Relations Department [intranet link to that department’s page].  Such requests include questionnaires, surveys, newspaper interviews, and the like.  This policy does not apply to sales and marketing information about “Corporate” products and services, nor does it pertain to customer requests for information that has been approved for release to customers.

Prior review: Every speech, presentation, technical paper, book, or other communication to be delivered to the public must first have been approved for release by the involved employee’s immediate manager.  This policy applies if the employee will represent “Corporate”, if the employee will discuss “Corporate” affairs (even if only generally), or if the communication is based on information obtained in the course of performing “Corporate” duties.  If new products, research results, corporate strategies, customer information, or marketing approaches are to be divulged, prior approval of the director of R&D and the director of the Legal Department must also be obtained.

Releasing Information About Internal Events: Specific information about “Corporate” internal events, including new products and services, staff promotions, reorganizations, and information system problems, must not be released to third parties, including members of the news media, without specific authorization from a Vice President or Corporate Information Officer.

Discussions in public forums: Care must be taken to properly structure comments and questions posted to electronic bulletin boards, electronic mailing lists, on-line news groups, and related forums on public networks like the Internet.  If workers aren’t careful, they may tip off the competition that certain “Corporate” projects are underway.  If a user is working on an unannounced new financial service, a research & development project, or related confidential “Corporate” matters, all related postings must be cleared with one’s manager prior to being posted to any public network.  Likewise, workers should be careful not to reveal specifics about “Corporate’s” internal systems (such as configurations or products used) via public postings.

Mosaic theory: Both the worker performing the disclosure and the owner need to consider the mosaic theory.  A mosaic is made up of many little pieces, which when combined paint a picture that could not otherwise have been seen.  The plethora of information available from the Internet and other sources like on-line databases means that one additional piece of information could lead to cardholder privacy violation, identity theft, publicity problems, or other undesirable repercussions.  Both the workers handling the disclosure and the owner should consider how the release of the information in question could be just enough to allow these and other abuses.

Resolving problems with disclosure processes

Unassigned owner: If the “Corporate” internal information being considered for disclosure to a third party does not have a designated owner, then the disclosure decision must be made by the “Corporate” Legal Department.  Before referring such decisions to the Legal Department, those workers handling a request for disclosure must consult the corporate data dictionary to determine whether an owner has been assigned [link to the corporate data dictionary here, which in turn indicates the owners for certain types of information].  Workers can also ask the designated information custodian to identify the owner.

Unmarked information: If the information being considered for disclosure to third parties is not marked with an appropriate information classification, then workers must assume that the information is “Corporate” internal information, and not approved for public release.  Information marked Public does not require owner approval prior to release to third parties.

Marking preservation: The worker disclosing “Corporate” internal information to third parties must preserve markings indicating author, date, version number, usage restrictions, and other details which might be useful in determining the approved usage, currency, accuracy, and relevance of the information in question.  An exception may be made, with owner approval, in those cases where such markings would reveal “Corporate” information which should not be disclosed to the third party (for example the identity of a confidential source).

Disclaimers: It is the information owner’s responsibility to make sure that, when controversial, frequently changing, highly uncertain, or potentially damaging information is released to third parties, it contains the appropriate legal disclaimers.  Such disclaimers, generally provided by the “Corporate” Legal Department, include words which limit “Corporate’s” liability, define the information’s intended uses, and place recipients on notice of potential problems associated with the information.

Naming: The terminology used to refer to information released to third parties must be consistent with the terminology employed in “Corporate’s” corporate data dictionary.  Exceptions are permissible in those cases where specialized technical terms would not be readily understandable to a third party, or where use of such terms would reveal information that “Corporate” does not wish to disclose.  If there is any difference between the terminology used within “Corporate” and the terminology used within the information disclosed to a third party, then this difference must be approved in advance by the designated owner.  Consistent information naming terminology will reduce errors and confusion, and also allow a third party receiving the information to better adapt its information systems to interface with “Corporate’s” information systems.

Required disclosure records

Disclosure records: Records reflecting the sensitive “Corporate” internal information (not information designated Public) that has been distributed to third parties must be maintained by the worker releasing the information to the third party.  Such records must indicate the types of information disclosed, the receiving third party’s name and contact particulars (generally address, telephone number, and email address), as well as the date of release.  Maintenance of such records will allow errors to be quickly corrected, allow updates to be quickly provided, allow recovery of the information, and also allow “Corporate” to take legal action (should the third party use the information in unintended and unauthorized ways).  It should be noted that even though a confidentiality agreement may have been signed, and even though management has approved third party access to certain information, it is still the responsibility of the worker releasing the information to keep records reflecting the information disclosed.

Recovery or destruction: All copies of Secret information provided to third parties must be returned to the worker within “Corporate” who provided it.  Alternatively all such copies must be destroyed and a certificate of destruction sent to the worker within “Corporate” who provided it.  Such recovery or destruction should generally take place within a month of the time when the information ceases to be useful for the intended purposes.  The “Corporate” worker who provided the information is responsible for recovering the information or obtaining a certificate of destruction.  This “Corporate” worker must also note the recovery or destruction of the information in his or her records reflecting disclosures.

Reporting improper disclosures: If sensitive information has been inappropriately disclosed, or is believed to have been inappropriately disclosed, the circumstances must immediately be reported to the relevant information owner.  If an owner has not been assigned for the information in question, then the Legal Department must immediately be informed.  It is the owner’s responsibility to determine whether the disclosure or suspected disclosure needs to be reported to third parties such as government banking regulators, criminal justice system personnel, customers, and others.  If no owner has been assigned, this decision is the Legal Department’s responsibility.

Preparing information for disclosure

Using the best information: Authorized disclosures of “Corporate” internal information must be done with the best (most current, accurate, timely, and relevant) information available.  In other words, the worker disclosing the information must be aware of and extract the information from the “system of record,” or the definitive master copy of such information within “Corporate”.  If the worker involved is not aware of the system of record, the corporate data dictionary can provide this information.

Updates to previously disclosed information: Owners have a duty to correct information that has been made public, or that has been disclosed to certain third parties, if subsequent events have made this information misleading or materially incorrect.  Timely and prompt correction of the previously disclosed information is especially important in those instances where the public or a third party is likely to rely on the information in its decision-making processes.  This requirement does not apply if the disclosure took place a year or more in the past and the information is unlikely to be still in use.

www.bestitdocuments.com