There are many…*MANY*…reports of privacy breaches and security incidents virtually every day. However, I think it is important to point out when organizations do something right with regard to privacy practices, particularly when they are uncommon compared to what other businesses do; perhaps other organizations will see their positive example and follow their lead.
Yesterday I was dealing with some very poor customer service from a very large government agency that had made a very big and very obvious mistake (did I mention how VERY big and VERY obvious?) and did not want to acknowledge it, when a bright moment occurred to lighten some of the frustration and disappointment I was feeling.
I got a call from one of my alma maters, Central Missouri State University (recently renamed the University of Central Missouri).
“Hi, this is alumni relations from the University of Central Missouri.”
I thought…Oh, no…another call asking for donations to the school! I hate getting those calls. I know schools need money, but I’ve attended 3 universities, have nieces and nephews attending several others, and am now teaching at a university, and I just don’t want to decide between which one to support. So I take the, admittedly wimpy, way out by having a personal policy of not donating to any of them.
I was ready to let my personal policy explanation roll off my tongue right after hearing their request for money.
“We have a former UCM student who wants to get in touch with your husband [who also attended UCM], but it is our policy not to release personal information about students or alumni without getting their explicit permission to do so. In fact it is our policy to give the requestor’s contact information to the person they want to get hold of and leave it to you whether or not you want to get in touch.”
Wow…that is great! They didn’t just pull up our address and phone number and hand it to this yet-unknown requestor. I bet many, if not most, other universities would have.
Upon further questioning I found out that they had told the requestor this was the policy, and that he agreed to let them give his name and contact information.
It is very good that they are letting students and alumni know about people asking to get in touch with them and giving them the choice of whether or not to get in touch with the person who wants to initiate contact. If someone is actively trying to get information about me and where I live, I sure want to know about it. True, it is possible they may not have provided their real name, but at least if I have their name and contact information I can do whatever digging is necessary to determine if I want to reciprocate the contact.
So many universities are consistently making the news because of vulnerable security practices and resulting privacy breaches that it is nice to know that there is a university that has taken the time to think about privacy issues such as this, created privacy policies and procedures to support them, and then obviously trained their personnel to follow the procedures when a situation such as this arises.
True, I have no idea what other privacy practices UCM has in place; that would take a privacy impact assessment (PIA) to determine. However, I really appreciate that they actually have a policy and procedures in place to not give out personally identifiable information (PII) about their students and alumni to requestors. I like knowing about people who are tracking me or my family members down, and I want the choice of deciding whether or not to allow someone to know my address and phone number instead of the university (or whatever organization it may be) making that decision for me.
Hmm…maybe now I’ll make an exception to my personal no-donation policy for universities…