Principle #6 – Privacy of Client Data This presentation is made possible by the Smart Campaign www.smartcampaign.org Principle #6- Privacy of Client Data [Introductions of facilitator(s) and participants]
Agenda Client protection principles Principle #6 in practice The client perspective Participant feedback Tools for improving practice Conclusion and call to action This is the agenda for today’s discussion. We will begin by reviewing a summary of the Seven Principles of Client Protection. 2
Client Protection Principles 1. Appropriate product design and delivery 2. Prevention of over-indebtedness 3. Transparency 4. Responsible pricing 5. Fair and respectful treatment of clients 6. Privacy of client data 7. Mechanisms for complaint resolution [Each principle is listed, along with how the Smart Campaign defines the principle]. These are the Seven Principles of Client Protection 1. Appropriate product design and delivery Providers will take adequate care to design products and delivery channels in such a way that they do not cause clients harm. Products and delivery channels will be designed with client characteristics taken into account. 2. Prevention of over-indebtedness Providers will take adequate care in all phases of their credit process to determine that clients have the capacity to repay without becoming overindebted. In addition, providers will implement and monitor internal systems that support prevention of overindebtedness and will foster efforts to improve market level credit risk management (such as credit information sharing). 3. Transparency Providers will communicate clear, sufficient and timely information in a manner and language clients can understand so that clients can make informed decisions. The need for transparent information on pricing, terms and conditions of products is highlighted. 4. Responsible pricing Pricing, terms and conditions will be set in a way that is affordable to clients while allowing for financial institutions to be sustainable. Providers will strive to provide positive real returns on deposits. 5. Fair and respectful treatment of clients Financial service providers and their agents will treat their clients fairly and respectfully. They will not discriminate. Providers will ensure adequate safeguards to detect and correct corruption as well as aggressive or abusive treatment by their staff and agents, particularly during the loan sales and debt collection processes. 6. Privacy of client data The privacy of individual client data will be respected in accordance with the laws and regulations of individual jurisdictions. Such data will only be used for the purposes specified at the time the information is collected or as permitted by law, unless otherwise agreed with the client. 7. Mechanisms for complaint resolution Providers will have in place timely and responsive mechanisms for complaints and problem resolution for their clients and will use these mechanisms both to resolve individual problems and to improve their products and services. 3
Agenda Client protection principles Principle #6 in practice The client perspective Participant feedback Tools for improving practice Conclusion and call to action Now, let’s discuss how institutions put Principle #6 into practice. 4
The Principle in Practice: Privacy of Client Data The Principle in Practice: The provider complies with all local data privacy laws. Client information is only used in the ways agreed upon at the time of data collection. Consider this: Clients trust financial service providers with very sensitive personal and financial information. This is the Campaign’s definition of the principle “Privacy of Client Data.” An institution puts the principle into practice by complying with all local data privacy laws. And only using client information in the ways agreed upon at the time of data collection. Consider the responsibility that comes with client trust. Clients trust financial service providers with very sensitive personal and financial information.
The Principle in Practice Use a privacy policy Use appropriate systems Inform clients Use a written privacy policy that governs the gathering, processing, use, and distribution of client data. Use technology that keeps client data secure. Train staff to keep data confidential, secure, and accurate. Inform clients how their information will be used internally and externally—including data shared with 3rd parties and the use of photos. The Smart Campaign has defined the following as indicators for how a financial service provider puts this principle into practice.
The Principle in Practice Obtain client permission Train clients Obtain client consent for using information in promotions, marketing materials, and other publications; and for sharing personal information with any external parties, including credit bureaus. Offer information, orientation, or educational sessions to clients on how to safeguard information, access codes/ PIN numbers, and group information. [Continued from previous slide] The Smart Campaign has defined the following as indicators for how a financial service provider puts this principle into practice.
Good practices for privacy and security Ask employees to sign a confidentiality agreement at the same time as their employment contract. Establish a clearly defined “user access hierarchy” for staff accessing sensitive data. Hold periodic campaigns for clients to update their data and incentivize them to participate. Don’t allow information available on the ‘intranet’ to be printed or downloaded for use outside the office. These are example good practices for participants to consider when designing policies and systems for ensuring the privacy and security of client data.
Train clients on how to keep group information private. Good practices for privacy and security Spot check the security of physical files in branches (e.g. using internal auditors). Train clients on how to keep group information private. Describe the sanctions for the misuse of client data in the staff book of rules. These are example good practices for participants to consider when designing policies and systems for ensuring the privacy and security of client data.
Agenda Client protection principles Principle #6 in practice The client perspective Practitioner feedback Tools for improving practice Conclusion and call to action Let’s look at the client’s perspective on privacy of data. 10
Can your clients agree with the following? The client perspective Can your clients agree with the following? I have been told that the institution will ask my permission before sharing my information with third parties, and before using my photo in any marketing materials. I know how to keep my PIN number safe. I know how the keeps my data secure. The institution explained the importance of keeping group information confidential. Maintaining the privacy of client data includes more than just putting safeguards, systems, and policies in place within an institution. It also requires an institution to inform the client about the use of their data and obtain permission before sharing their personal and financial information. This checklist will help participants think about how well they communicate with their clients about data security and privacy. [Ask participants: Do you think your clients would agree with all of the following statements?] If there are statements here that your clients wouldn’t agree with, your institution should examine how they communicate with their clients about data security and privacy.
Agenda Client protection principles Principle #6 in practice Protecting client data & the client perspective Participant feedback Tools for improving practice Conclusion and call to action Now, we would like to hear from YOU. 12
Feedback from Participants Do your clients care about data security? If something went wrong and their personal or financial information was compromised, would it affect your business? Have you witnessed privacy or security lapses at your institution? How did your institution respond? At this point in the presentation, asks participants for their feedback on the information presented so far. Use these questions (or others that have come up during the presentation) to stimulate discussion. Have data management practices and systems evolved at your institution since you have worked there? How so?
Agenda Client protection principles Principle #6 in practice The client perspective Participant feedback Tools for improving practice Conclusion and call to action Now, let’s look at some of the tools that are available from the Smart Campaign to help practitioners improve on this principle. 14
Tools available from the Smart Campaign Technical Tools Getting Started Questionnaire: Self Assessment for MFIs Security is the Key: Pocket Guide to Financial Security for Clients Smart Lending Smart Savings Technical Guide for Investors Samples and Case Studies Client Welcome Kit Smart Note: Customized IT at Caja Morelia Smart Note: Protecting Client Data These, and dozens more tools are available for free on the Smart Campaign website. www.smartcampaign.org.
Agenda Client protection principles Principle #6 in practice The client perspective Participant feedback Tools for improving practice Conclusion and call to action Now, let’s conclude with a summary of what we’ve discussed, and a call to action. 16
Conclusion Financial institutions satisfy this principle by respecting the privacy of client data and keeping it secure. Maintaining the privacy of client data requires implementing adequate safeguards, systems, and policies, but also informing the client about the use of their personal information and obtaining client consent before sharing it with a third party. Staff and client training is important for making sure privacy and security procedures are successful. [Read the summary on this slide] [Use the Call to action question, and any of the questions below, to stimulate discussion among participants]. How could a particular action be implemented in your institution? What other solutions have you seen (or would like to see)? Have you seen a similar (or different) practice in your institutions or elsewhere? Does your institution typically receive complaints about the privacy and security of client data? What are the costs of implementing robust mechanisms for protecting client data? What are the benefits? How do you think respecting client privacy and safeguarding client information can make your institution more competitive? Do you feel comfortable proposing that your institution change the way it handles client data? Why or why not? Call to Action: What “next steps” can your organization take to institutionalize and/or improve systems for maintaining the privacy and security of client data?
Thank you! Endorse the Smart Campaign. Visit www.smartcampaign.org Sign up to receive news and information. What’s next? Download the Getting Started Questionnaire and conduct a client protection self-assessment. Thank you! Email us! comments@smartcampaign.org