The role of staff in protecting customer privacy
Introduction
The importance of protecting customers’ privacy is widely recognized among managers, consumer groups and industry watchdogs. While the topic is not new and may even have fuelled the Revolutionary War in North America [1], it is particularly relevant in the current environment, where data collection is often an inherent part of the service, be it provided by a governmental body, a charity or a commercial firm.
There is now an abundance of legislation regulating what data may be collected and how it may be used, or defining organisations’ obligations in terms of systems of checks and controls. Likewise, there is a plethora of technology-based solutions to ensure compliance with those same privacy regulations, such as encryption technology to anonymize data, or firewalls and passwords to limit access to sensitive information.
Despite the availability and widespread use of legal and technical mechanisms to protect customers’ privacy, data breaches continue to occur. For instance, according to the Privacy Rights Clearinghouse, in the past year there were 250 separate cases of data breaches in the USA alone, representing the compromise of many thousands of records containing sensitive personal information and affecting the privacy of numerous individuals [2].
The sustained occurrence of privacy breaches undermines customers’ trust in service providers and their willingness to adopt or use particular products or services, as well as their willingness to provide information that helps organizations know their customers, forecast demand or customize delivery. It is, therefore, extremely important for organisations to understand why privacy breaches continue to occur.
Understanding privacy breaches
Analysis of recent privacy failures reveals that a very large number of data breaches result either from the deliberate actions of members of staff or from their failures. For instance, in some cases privacy was compromised through the purposeful theft of personal information with the intention to defraud. In other cases, the breach was due to human error.
While the range of actions and failures is quite broad, there is one common message for those holding or manipulating customer data: in order to understand why many organizations fail to protect customer privacy and, hopefully, to be able to design effective privacy-enabling mechanisms, it is crucial to appreciate how - and why - staff compromise customer information.
Research conducted at Henley Business School has looked at the role of employees in privacy protection [3]. The research is innovative in the sense that it adopts an inside-out perspective, centred on employees and looking at the handling of customer data from the point of view of staff. The key findings are summarized next.
An employee-based view of privacy
In order to obtain a holistic view of privacy protection, from the perspective of the employees, we examined the impact on privacy compliance behaviour of the individual employee’s pragmatic and social position in the organization, as well as the interaction between the employee and the relevant legal and technical tools.
The findings indicate a strong link between the employee’s attitude towards privacy and the resulting behaviour. In particular, where employees consider that the privacy enhancing behaviours are beneficial and rewarding, they are more likely to protect customer information.
When investigating what informs particular attitudes towards privacy, we concluded that they are largely driven by the demands, expectations and rewards of different job roles. For instance, when privacy protection leads (or is perceived to lead) to increased workload, employees are more likely to disclose customer-related information. Furthermore, when the results of privacy-protection behaviour clash with performance targets, employees are less likely to be privacy compliant.
The study, furthermore, concluded that having formal guidance and privacy enabling mechanisms in place is necessary but by no means sufficient to ensure the protection of customer data. Formal organization initiatives, such as policies or training programmes, outline obligations and frame expectations concerning the collection and use of information regarding the customer’s identity and transactions. However, the message from such formal initiatives may be overridden by informal group norms such as habits and unofficial conventions. Each organizational group - for instance, production or distribution or accounting - brings with it a different set of norms. At times, informal group norms are in conflict with formal ones, which raises the question of which one prevails in different scenarios.
The wording and choice of terms used to outline behavioural expectations seems to be highly consequential to the ensuing employee actions. For instance, behaviours described as ‘must’ register more clearly with employees than those using less stringent expressions such as ‘should’. Moreover, for the initiatives to be effective expectations need to be communicated clearly, be relevant to the employee and be enforceable - e.g., explicitly mentioning the sanctions for the employees that breach the policy guidance increases its relevance.
To minimize variability in privacy enhancing behaviour across the organization, technology can be deployed. In particular, the process may be redesigned so that employees have limited access to customer data and, where possible, the data is anonymous. Moreover, passwords and firewalls may be deployed. However, technology has limited scope against deliberate fraud, particularly where there is an internal accomplice. Moreover, not all exchanges between staff and processes can be redesigned in order to limit access to customers’ information - indeed, restricting information access is not enough to prevent staff talking with each other and disclosing the information that they do have.
A final, and crucial, aspect addressed in the research described here is the role of staff’s preconceptions and mental processes in subsequent behaviour. Quite unexpectedly, the case study revealed that where there was limited access to customer identity or transaction data, staff members would infer information about the customer to confirm previously held beliefs about the nature of the customer’s activity and the need, or not, to safeguard customer data.
Implications for management
The findings presented here advance the understanding of why privacy breaches continue to occur. The study investigated the fit between a firm’s privacy goals and the actions of its members, as well as where misalignments may originate, and hence identified the related conflicts within the organization.
The role of employees in creating value for customers and the firm has long been established [4]. Likewise, the behaviour of the individual employees who come into contact with identity and transaction data is crucial to enhancing the protection of customers’ privacy. It is for this reason that an effective approach to the management and protection of customer data must specifically include staff’s role in safeguarding customer privacy.
In order to minimise data breaches, organizations are encouraged to:
- Audit the privacy related attitudes, norms and stereotypes in place in your firm, and consider whether they support or, indeed, undermine the effectiveness of training initiatives.
- Investigate ways in which various job-related environmental cues situate particular cultural frames and, therefore, influence privacy related behaviours.
- Increase the relevance of privacy measures to all functions in the firm, be it in their daily tasks, or as a component of their job evaluation. In particular, consider to what extent and in what forms commercial goals are in conflict with privacy obligations.
- Communicate relevant legal obligations and specific company privacy policies clearly, and using strong, unequivocal terms.
- Where possible, anonymize, and control access to, customer-related data.
At Henley Business School we are extending this research into privacy breaches in specific organization environments. If you would like to participate in our study, or discuss the application of our findings to your organization’s circumstances, please contact the lead researcher at ana.canhoto@henley.reading.ac.uk
[1] According to Farr, L. M. (2002) Whose files are they anyway? Privacy issues for the fundraising profession. International Journal of Nonprofit & Voluntary Sector Marketing, 7, 361-367.
[2] http://www.privacyrights.org/ar/ChronDataBreaches.htm#2009
[3] See Canhoto, A. I. (2009) Safeguarding customer information: the role of staff. Journal of Consumer Marketing, 26(7), 487-495.
[4] E.g., Payne, A. and Holt, S. (2001) Diagnosing Customer Value: Integrating the Value Process and Relationship Marketing. British Journal of Management, 12, 159-192.
Biography
Ana Isabel Canhoto is a member of the marketing faculty at Henley Business School. Her major area of research and consulting is in Marketing Information Systems, including the implementation of Customer Relationship Management initiatives or the detection and management of undesirable customers. She is also interested in the use of online media to segment and target customers.
Prior to joining academia, Ana worked as a management consultant for the telecommunications industry where she conducted market overviews, oversaw market research and formulated entry strategies. She also worked as a portfolio manager at a leading media and entertainment company. Ana holds a PhD from the London School of Economics, as well as an MBA from London Business School.
“Companies need to recruit and train people in whom they have confidence and whom they can trust. It is confidence and trust that are real safeguards against fraud and disaster, and they can only be fostered and instilled on a sound ethical basis”
Sir Adrian Cadbury, Committee on the Financial Aspects of Corporate Governance, 2002