The great security self-assessment test

It'll only take a jiffy, and might keep your company out of court...

By Graham Hayday

Published: 8 October 2002 15:30 GMT

As the laws governing the use of employee and customer data become ever more complex, IT directors are having to spend more time creating legally watertight privacy policies.

But there is much evidence to suggest that many aren't fully aware of the laws: a recent survey from Compuware, for example, found that 42 per cent of UK IT directors have broken the law by using real customer data to test applications - a practice which is outlawed under the terms of the Data Protection Act (DPA).

To help determine your privacy savvy, Rebecca Herold, chief privacy officer for QinetiQ Trusted Information Management, has come up with a short self-evaluation exercise.

She says that this is far from comprehensive and lacks the detail you will need to adequately address your privacy issues. However, it should help you see, from a very high level, where you need to start addressing privacy issues and concerns. Each question can be answered with a simple yes, no or don't know...

1. Is your industry governed by any existing UK or international privacy regulatory requirements?

2. Has a position within your organisation been formally established that is responsible for staying up to date with privacy issues and compliance?

3. In the past three months have you (or someone else) reviewed or updated the list of information security and privacy laws that apply to your organisation?

4. Do you have a customer privacy policy that outlines how your organisation will handle and protect customer information and confidentiality?

5. Do you allow customers to opt out of the sharing of their personal information?

6. Do you allow customers to examine the personal information you have on file for them, and allow them to request corrections?

7. Have you classified the information processed within your organisation to identify personal and confidential information?

8. Have you performed a data flow analysis for the personal and confidential information processed within your organisation?

9. Do you know the security and privacy practices of the third parties who have access to your identified personal and confidential information?

10. Are security and privacy requirements included at the beginning of each of your organisation's systems development projects and incorporated into the solution?

11. Do you have an employee privacy policy that communicates to your personnel what they can expect with regard to their personal privacy within the workplace?

If you answered 'yes' to most of these questions, Herold reckons you are an "awesome privacy-savvy guru". She suggests you go back and look at the questions you answered with 'no' or 'don't know' and make it part of your to-do list to find the answers.

If you answered mostly 'don't know' to these questions, you join the majority of people who are taking this quiz, according to Herold. "You need to set aside some time and determine the answers to the corresponding questions," she said.

If you answered mostly 'no' to these questions, you need to seriously examine and address your organisation's privacy policies and practices, and do so soon.

Herold said: "There is just too much at stake in today's business environment for any organisation to dismiss privacy issues."
