Fighting for data privacy — making sure people know who has access to their data, where it goes or could go, and that they have a choice in all of it — is part of Mozilla’s DNA; doing good is part of our code. In the context of our users, privacy is something most of us at Mozilla think about daily and care about deeply.
“Individuals’ security and privacy on the Internet are fundamental and must not be treated as optional.” ~ Mozilla Manifesto (principle #4)
On January 28th, the world will celebrate Data Privacy Day — an international holiday intended to raise awareness and promote data privacy education. It is officially recognized in the United States, Canada, and 27 European countries.
As part of our own Data Privacy Day celebrations this year, we’d like to share our approach to employee data – something Mozilla treats with as much rigor and respect as we do the data of our users.
To build an Internet where the individual is respected, we start with a culture of respect. As with user data, we believe the protection of your employee data is fundamental. Here are some examples of our commitment to Mozilla’s privacy principles as they apply to employee information.
Privacy was an integral part of 2013 Summit planning. As you can imagine, coordinating a cast of thousands across multiple locations around the world involves a mountain of data. The privacy side of event planning includes collecting and storing data securely, sharing it appropriately, and deleting it once it’s no longer needed.
As part of the process, links to our privacy notices were placed on data collection forms (visa requests, registration, etc.) and when we received access requests, such as who was in which city or hotel, we thoughtfully considered what to share and when to delete it.
And, do you remember the Summit App? We put that app awesomeness through the privacy, legal, and security wringer before it was set free. Our privacy team asked questions like: Which data will be saved beyond the Summit? Who will have access? Where will the data be stored and for how long? Will it be aggregated or linked to a person? Can users delete their data? You may have noticed the Summit App even had its own privacy notice!
In 2013, Mozilla self-certified for the US-EU and US-Swiss Safe Harbor programs for employee (“human resources”) data. Safe Harbor [http://safeharbor.export.gov/companyinfo.aspx?id=17617] certification is optional provided an organization adheres to these seven principles:
- Notice – Individuals must be informed that their data is being collected and about how it will be used.
- Choice – Individuals must have the ability to opt out of the collection and forward transfer of the data to third parties.
- Onward Transfer – Transfers of data to third parties may only occur to other organizations that follow adequate data protection principles.
- Security – Reasonable efforts must be made to prevent loss of collected information.
- Data Integrity – Data must be relevant and reliable for the purpose it was collected for.
- Access – Individuals must be able to access information held about them, and correct or delete it if it is inaccurate.
- Enforcement – There must be effective means of enforcing these rules.
We renew our certification under this program annually and everyone who handles employee data as part of their job is required to attend Safe Harbor training at least as often.
Agreements with Vendors
A very important part of how we select vendors at Mozilla is by their ability to protect user and employee personal data. We read their privacy policies, ask questions, and communicate our values and expectations. Once a vendor has sufficiently demonstrated that they can handle our data, only then do we launch formal privacy, security, and legal reviews.
Vendor reviews are launched using the Project Kickoff Form. If you plan to use a vendor, and said vendor will handle personal data, this is the form for you!
What You Can Do (even if you don’t work on the People Team)
Many of us, even those not otherwise designated as an “employee data handler” (like the People Team), come into contact with this data through the course of our work (surveys, birthday lists, etc.). Here are some things you can do to help protect your own data and that of your co-workers:
- Use encrypted email to transmit sensitive personal data to vendors and be sure to put “Mozilla Confidential” in the subject line [https://mana.mozilla.org/wiki/x/2gMXAg – LDAP required].
- Transmit only what you need to send, and nothing more.
- Ask permission before you share, even if it “seems” harmless (cupcake surprises are fun – data surprises are not).
- Don’t forward your email to an external account that may not have the same level of security.
- Use a dedicated printer or secure (password) printing for documents that contain personal data (and don’t leave it on the printer).
- Check to make sure your laptop is encrypted [https://mana.mozilla.org/wiki/display/SD/Confirm+that+WDE+is+Set+up – LDAP required].
- Avoid the use of portable (i.e. easily stolen or forgotten/lost) devices, such as thumb drives, to store employee data.
- Password protect your phone if you use it to access your work email.
Privacy Day is January 28th but for Mozilla it’s a lifestyle – we live it every day. Nonetheless, there will be cupcakes on the 28th so come join us if you can (cupcakes are also part of our lifestyle).
And, if you have any questions about any of this, please reach out to Stacy Martin (stacy at mozilla dot com); she knows a lot about privacy. Privacy geeks (might be all of us :), there’s lots more here: https://wiki.mozilla.org/Privacy.