How to develop and maintain an effective privacy-protection plan

How to develop and maintain an effective privacy-protection plan

Jul 01, 2007


The first article in this series discussed reasons veterinarians should keep their private practice private (May, 2007). Last month, the topic was why privacy makes good business sense. This final article outlines a program on making sure sensitive data about employees and customers is protected. To access previous articles, go to

You can determine the best ways to secure sensitive data only after you've traced how it flows through your veterinary practice. Start by creating an Information Privacy Map (IPM) that shows how you receive personal information, where it goes and who has or could have access to it.

Here are some details to consider:

What types of personal data do you collect from staff and clients?

  • Credit/debit card account numbers
  • Bank-account information
  • Staff members' Social Security numbers
  • Staff members' driver's license numbers

Where do you keep the information you collect?

  • Computer database
  • File cabinets
  • Employer's home

Who has or could have access to this information?

  • Staff members
  • Contractors working in your practice
  • Third-party sharing – payroll services, radiation-detection services

How does your business receive personal information?

  • Mail
  • Fax
  • E-mail
  • Telephone

The Federal Trade Commission (FTC) requires an effective security program for any company that holds private information. To the FTC, failure to develop and implement such a program constitutes an unfair trade practice. To meet this requirement, your security program must include these six steps:

Step 1: Name a security administrator

Designate a senior member of your staff to coordinate and implement the security program. His or her job will be to construct a privacy policy that is clear and enforceable. Mandatory staff-training meetings should cover the policy, and the risks and liabilities for noncompliance.

Step 2: Create a written policy

At its core, your privacy policy will be a simple statement of how you will handle, use and store employee/client information. Your policy should address basic questions that only you and your staff can answer:

  • What federal and state laws regulate handling of private information?
  • What private information is used in your practice?
  • How do you secure private data?
  • Where do you lock down (locking file cabinets or perhaps a safe) paper information?
  • How do you encrypt and password-protect digital information?
  • With whom do you discuss private information?
  • How do you dispose of sensitive documents? Do you shred paper and physically destroy all information on digital storage devices when they are taken out of service (e.g., computers, faxes and copiers)?

Step 3: Train employees

Your information-privacy plan may look great on paper, but it's only as strong as the staff members who implement it.

It is your responsibility to see that all of your staff understands how private information is collected, stored and protected. Take time to explain that to your staff, and train them to spot security weaknesses.

Periodic training emphasizes the importance you place on meaningful information-security practices.

Update staff members as you find out about new risks and vulnerabilities.

Train staff to recognize and report suspicious activity and publicly reward those who alert you to vulnerabilities.