Presentation is loading. Please wait.

Presentation is loading. Please wait.

Privacy of Client Data.

Published byEunice Lee Modified over 6 years ago

Similar presentations

Presentation on theme: "Privacy of Client Data."— Presentation transcript:

1 Privacy of Client Data

2 Objectives Outline the positive effects of data privacy for an FI and the client Learn good practices practiced by the FI around data privacy and security. New slide – review content. Are these the right objectives? NEW

3 The Principle in Practice:
The provider complies with all local data privacy laws. Client information is only used in the ways agreed upon at the time of data collection. Consider this: Clients trust financial service providers with very sensitive personal and financial information. This is the Campaign’s definition of the principle “Privacy of Client Data.” An institution puts the principle into practice by complying with all local data privacy laws. And only using client information in the ways agreed upon at the time of data collection. Consider the responsibility that comes with client trust. Clients trust financial service providers with very sensitive personal and financial information.

4 Digital Financial Services and Privacy
Rapid growth in mobile usage increases client “digital footprints” Partnerships between financial institutions, telecos, agent networks, technology platforms etc complicate the question of responsibility for client Have data management practices and systems evolved at your institution since you have worked there? How so?

5 CPP #6: Adequate Standards of Care
Client data is kept secure and confidential. Clients are informed about data privacy and consent to the use of their data. Discussion – 12 mins. Introduce 2 standards of adequate care – 7 compliance indicators and rest are indicators. 4 mins. Ask participants 2 questions: 2 mins each, sharing 2 mins each Q: What is required to meet 1st standard? 1) Policy - should be written; 2) Systems both for hard and soft data; 3) Sanctions for those who violates these policy and system (Note: Privacy of hard data is as important as of soft data) Q: What is required to meet 2nd standard? 1) Staff training – Talking points, orientation/refresher workshops, etc; 2) Disclosure to clients – loan agreement, reading loud especially for illiterate clients, written consent, beneficiaries notified etc, FI verifies staff and 3rd party training

6 CPP #6: Adequate Standards of Care
Client data is kept secure and confidential. ✔ Privacy policy/ process - Written ✔ Sanctions in event of violation ✔ Agreement with 3rd party ✔ Control process when staff leave ✔ System to protect client data ✔ Disaster recovery /Business continuity plan ✔ Secured files – physical/ electronic ✔ IT passwords changed frequently ✔ Perform daily backs ups ✔ Usage of file outside office is controlled Lecture and Discussion: 7 mins Client data is kept secured and confidential. A policy and documented process are in place to maintain the confidentiality, security, and accuracy of clients' personal, transactional and financial information. They cover gathering, processing, use, distribution and storage of client information. There are penalties for exposing or revealing client data to third parties (including guarantor and family not party to the account) without prior client consent. The FI's agreement with third-party providers that have access to client data specifies that these providers will maintain the security and confidentiality of client data. The FI monitors fulfillment of this agreement and takes action when problems are identified. There is a clear process to safeguard client data when staff leave or are terminated. The FI's systems protect against theft or misuse of client data or identity; security breaches, and fraudulent access. There is a disaster/ downtime recovery plan in place, including a business continuity plan. Files are maintained in a secure system, whether electronic or in physical format, with protections from inappropriate access, theft and damage. Data security measures are in place to protect against unauthorized access to data (i.e., passwords, access levels, software infrastructure). IT passwords are changed periodically with different access levels according to the position of the staff member accessing the data. The FI performs at least daily back ups of its client data. Employees use of files outside the office is controlled (e.g. they cannot take client files or loan documents to their homes or access the MIS from home), and the FI keeps records of the names of staff who request access to client files.

7 CPP #6: Adequate Standards of Care
Clients are informed about data privacy and consent to the use of their data. ✔ Written consent – 3rd party/ credit bureau checks etc. ✔ Privacy clause in product contracts ✔ Bénéficiaires are notified ✔ Staff Training program ✔ Group Leaders trained ✔ Clients informed to protect PINs ✔ FI verifies 3rd party staff training on data privacy policy /process Lecture and Discussion: 7 mins Clients are informed about data privacy and consent to the use of their data. Starting at the time of the application, clients give their consent before the FI shares personal information with any external audience, including credit bureaus, family members, guarantors, insurance agents, collections companies, and marketing material or other public content. Staff is required to highlight the text of consent signed by a client.) (Certifier: The consent should be given at the time of application since the credit bureau check will be done before loan sanction and signing of contract. Product contracts include a clear, concise explanation of how client data will be protected and how it may be used or shared and with whom, including sharing with a credit bureau. Clients name beneficiaries for life insurance policies, and are reminded to notify those beneficiaries that they have been designated. The FI has an effective training program in place to ensure that staff understand and have the skills to implement the policies and processes related to privacy of client data. Group leaders are trained to safeguard group member information, particularly saving account balances, dates of loan disbursement, and information on repayment problems. Staff inform clients on importance of protecting Personal Identification Numbers (PINs) and how to do so. The FI verifies that third parties (agent network managers, etc.) train their own representatives on policies and processes related to privacy of client data.

8 Good practices for privacy and security
Ask employees to sign a confidentiality agreement at the same time as their employment contract. Establish a clearly defined “user access hierarchy” for staff accessing sensitive data. Hold periodic campaigns for clients to update their data and incentivize them to participate. Don’t allow information available on the ‘intranet’ to be printed or downloaded for use outside the office. These are example good practices for participants to consider when designing policies and systems for ensuring the privacy and security of client data. Establish a clearly defined “user access hierarchy” for staff accessing sensitive data. This restricts access to the database, according to staff position. The database always requires that at least two people, and often more people from different departments, to authorize access or changes to client information data entry users and data modification users. And change passwords frequently. Each person who accesses the database uses an individual user name and password. Users must change their passwords every four months and cannot repeat previous passwords. Whenever an employee logs into the database, their name, the information they query, and the time when the request is made, are all recorded in a query log. Headquarters employees enter and leave the main office using a thumbprint scanner and sign in process to prevent unauthorized access to the client information stored there.  Periodic campaigns: MFIs can assist clients who need to correct/update incorrect personal or financial information. This includes not only helping clients correct the MFI’s record, but also making sure that credit bureaus and government agencies have correct information about the client as well.

9 Train clients on how to keep group information private.
Good practices for privacy and security Spot check the security of physical files in branches (e.g. using internal auditors). Train clients on how to keep group information private. Describe the sanctions for the misuse of client data in the staff book of rules. These are example good practices for participants to consider when designing policies and systems for ensuring the privacy and security of client data. AUDITING PHYSICAL SECURITY One MFI requires its Internal Audit department to check the physical security of filing systems at headquarters, branches, and correspondent banking locations. These security audits ensure that client files are stored securely and that only authorized employees can access them. Other Ideas: Use an “internal hacker” whose role is to constantly test the integrity of the system by attempting to break into the system from outside the cooperative.

10 Tools available from the Smart Campaign
These, and dozens more tools are available for free on the Smart Campaign website.

Download ppt "Privacy of Client Data."

Similar presentations

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health

H = P = A = HIPAA DEFINED HIPAA … A Federal Law Created in 1996 Health
2 1.Client protection principles 2.Principle #6 in practice 3.The client perspective 4.Participant feedback 5.Tools for improving practice 6.Conclusion.

2 1.Client protection principles 2.Principle #6 in practice 3.The client perspective 4.Participant feedback 5.Tools for improving practice 6.Conclusion.
Red Flags Rule BAS Forum August 18, 2010. What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.

Red Flags Rule BAS Forum August 18, What is the Red Flags Rule? Requires implementation of a written Identity Theft Prevention Program designed.
HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.

HIPAA: An Overview of Transaction, Privacy and Security Regulations Training for Providers and Staff.
Privacy and Information Security Training (2006-07) VUMC Privacy Website www.mc.vanderbilt.edu/privacy.

Privacy and Information Security Training ( ) VUMC Privacy Website
HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.

HIPAA Privacy Training. 2 HIPAA Background Health Insurance Portability and Accountability Act of 1996 Copyright 2010 MHM Resources LLC.
Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.

Health Insurance Portability and Accountability Act HIPAA Education for Volunteers and Students.
HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA.

HIPAA Basic Training for Privacy & Information Security Vanderbilt University Medical Center VUMC HIPAA Website:
The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.

The Health Insurance Portability and Accountability Act of 1996– charged the Department of Health and Human Services (DHHS) with creating health information.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.

Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.

1 HIPAA Education CCAC Professional Development Training September 2006 CCAC Professional Development Training September 2006.
NAU HIPAA Awareness Training

NAU HIPAA Awareness Training
HIPAA Health Insurance Portability and Accountability Act 1.

HIPAA Health Insurance Portability and Accountability Act 1.
Springfield Technical Community College Security Awareness Training.

Springfield Technical Community College Security Awareness Training.
Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.

Guide to Massachusetts Data Privacy Laws & Steps you can take towards Compliance.
Version 6.0 Approved by HIPAA Implementation Team April 14, 2003 1 HIPAA Learning Module The following is an educational Powerpoint presentation on the.

Version 6.0 Approved by HIPAA Implementation Team April 14, HIPAA Learning Module The following is an educational Powerpoint presentation on the.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Network security policy: best practices

Network security policy: best practices
HIPAA Basic Training for Privacy and Information Security Vanderbilt University Medical Center VUMC HIPAA Website: www.mc.vanderbilt.edu/HIPAA HIPAA Basic.

HIPAA Basic Training for Privacy and Information Security Vanderbilt University Medical Center VUMC HIPAA Website: HIPAA Basic.

Similar presentations

Ads by Google