How Do We Keep Your Information Safe Clauses

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 15 June 2022.


Securing personal data is a key component of most data privacy legislation.

Telling people how you secure their data is often necessary to comply with the letter of the law. It is also vital for following the spirit of such laws, helping people make informed decisions about their data.

Here's what you need to know about clauses that help inform your users about how you keep their information safe. We'll break down what your clause needs to include and show practical examples of such clauses, as well as where and how to display your own for maximum effectiveness.

Our Free Privacy Policy Generator helps you create a custom Privacy Policy for your website and mobile app. Just follow these few simple steps and your Privacy Policy will be ready to display in minutes.

  1. Click on the "Free Privacy Policy Generator" button, located at the top of the website.
  2. Select where your Privacy Policy will be used:

     [Screenshot: FreePrivacyPolicy Privacy Policy Generator - Select platforms where your Privacy Policy will be used - Step 1]

  3. Answer a few questions about your business:

     [Screenshot: FreePrivacyPolicy Privacy Policy Generator - Answer a few questions about your business - Step 2]

  4. Enter the country and click on the "Next Step" button:

     [Screenshot: FreePrivacyPolicy Privacy Policy Generator - Enter the country - Step 2]

  5. Continue building your Privacy Policy by answering the questions from our wizard:

     [Screenshot: FreePrivacyPolicy Privacy Policy Generator - Answer the questions from our wizard - Step 3]

  6. Almost done. Now enter the email address where you'd like your new Privacy Policy sent, click on the "Generate" button, and you're done.

     [Screenshot: FreePrivacyPolicy Privacy Policy Generator - Enter your email address - Step 4]

That's it. Now you can copy and paste your Privacy Policy code into your website, or link to your hosted Privacy Policy.



Why Include a How Do We Keep Your Information Safe Clause

While many data laws say you must take particular measures to protect personal data, some go a step further and require you to tell users about the measures you take.

Even where the law only requires the measures themselves, it makes sense to tell users about them. Staying silent about your security measures could raise questions among customers and potential customers.

Some of the relevant laws include the following:

  • Brazil's Lei Geral de Proteção de Dados (LGPD) says you must detail your responsibilities when processing data, specifically including the security measures you take to reduce and mitigate data breaches.
  • Europe's General Data Protection Regulation (GDPR) requires security measures appropriate to the risk (Article 32) and data protection by design and by default (Article 25).
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires you to protect personal information with safeguards appropriate to its level of sensitivity.
  • The California Consumer Privacy Act (CCPA) lets consumers sue for statutory damages if a failure to maintain reasonable security leads to a breach of their personal data. Virginia's Consumer Data Protection Act (CDPA) also requires reasonable security practices, enforced by the state Attorney General rather than through private lawsuits.
  • South Africa's Protection of Personal Information Act (POPIA) says consent for data processing must be "voluntary, specific and informed." Knowing how you secure data helps people give informed consent.
  • New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD) requires reasonable safeguards including administrative, technical and physical measures.
  • Australia's Privacy Act requires reasonable steps to protect personal information against misuse, interference and loss, and against unauthorized access, modification or disclosure.

Almost every data protection law has a key aim of letting people make informed decisions about their data. This is often expressed in the text of the law itself, in an introduction, or in the debate that led to the legislation.

Knowing what you do with their data helps people decide whether to provide it or, in extreme cases, whether to give you their business at all. They need to know a host of details about what information you collect, how you use it, and whether you share it with anyone else.

One point easily overlooked in this list is how you protect their personal information against misuse or inappropriate access.

If somebody isn't confident you'll do enough to protect their data, they may choose not to provide it. Conversely, if you can give them that confidence, they'll be more likely to provide the data or even to become a customer in the first place.

The best way to comply with these requirements and the spirit of the laws is to include a clause in your Privacy Policy that informs users how you keep their information safe.

Getting Ready to Write Your Security Clause

Before writing your clause about keeping information safe, it's worth reviewing your security practices. This brings two benefits:

  • You know exactly what you can include in the security clause, making it easier to write clearly and avoid any false claims.
  • You may reveal some gaps in your security practices that you can fix before you write the clause.

What to Include in Your Security Clause


When deciding what to mention in your security clause and how you want to word it, you need to perform two balancing acts:

  • You need to provide enough detail to make the information meaningful, without overwhelming the reader with technical information they won't understand.
  • You need to provide enough detail to give reassurance, without giving away information that could help attackers (for example, exact product versions, internal network layout or the specific tools you monitor with).

Some of the security measures you could mention include:

  • Technical measures (such as access controls, encryption in transit and at rest, and monitoring for attacks)
  • Organizational measures (such as limiting access to particular staff and training them)
  • Physical measures (such as keeping servers that hold sensitive data in a locked or access-controlled room)

Giving specifics can be helpful, but be wary about mentioning anything that you might change later on. If you fail to update your Privacy Policy, you might unintentionally give readers a false impression of how you protect their data. They could even argue their consent for data processing was invalid as it was based on incorrect information about your security.

You could mention if you follow any standards or programs for data security such as ISO 27001. If so, you could link to an external website that explains what these are and how they work.

It can be useful to detail any security principles you follow. For example, you could say if you follow a least-privilege policy, where only people who strictly need to see or alter specific data can do so.

Remember that data security isn't just about preventing unauthorized access to data. Security also means preventing unauthorized (or accidental) alteration, deletion or loss of personal data. This means you could mention if you use backups or data redundancy, and how you test that they work.

You should explain if you take any measures to make sure personal data remains secure when you transfer it to a third party. For example, you may have contract terms with suppliers and subcontractors that require them to adopt the same level of security that you use.

The Scottish Biometrics Commissioner uses a good balance of principles and specific examples, and also lets users know they can reach out for more information and specifics:

Scottish Biometrics Commissioner Privacy Notice: How do we keep your information safe clause

Dropbox gives specific examples of security measures it uses:

Dropbox Privacy Policy: Security clause

Disclaimers for Security Issues and Liability

Businesses often use the security clause as an opportunity for a disclaimer. This usually involves making several points clear:

  • Your security practices are not a 100 percent guarantee that nobody will be able to access, steal or alter the personal data you hold.
  • Data could be intercepted as it passes electronically between the user and you, or vice versa.
  • Users transmit personal data at their own risk.

The last of these points in particular is a practical rather than legal warning. The fact that you've made this disclaimer does not override your legal obligations under the relevant privacy laws to protect data.

The Vintage Art Gallery uses disclaimer language that addresses this:

Vintage Art Gallery: How do we keep your information safe clause - At your own risk section highlighted

Use Clear Language

Several privacy laws explicitly require that you use clear language when telling people about your privacy setup, including the way you protect and secure data.

For example, Article 12 of the GDPR says you must provide the information "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."

And PIPEDA says the information must be "clear and easy to understand" and that "individuals should not be expected to decipher complex legal language."

Using clear language makes it easier for customers to make a meaningful decision of whether to provide personal data and consent to processing.

When writing about the way you secure data, look for a balance of accuracy and simplicity.

For example, instead of saying you use "pseudonymised data" you could say you "store it in a way that means it can't be linked back to you without a separate piece of information that we keep apart from the data."

Just make sure that you don't simplify anything in a way that creates a misleading impression of your security practices. In the pseudonymisation example, the plain-language claim is only true if the link really does depend on something an attacker can't obtain; a bare hash of an email address, for instance, can be recomputed by anyone who can guess the address.

Informa uses clear, everyday language for most of the clause. When it uses specific technical language, it explains how users will experience the feature in question:

Informa Privacy Policy: How we protect personal information clause

After you have your security clause drafted, it's time to display it for your users to see.

Where to Display Your How Do We Keep Your Information Safe Clause


Clauses about protecting people's information should go into your Privacy Policy. It should be a separate, standalone clause and should have a dedicated section if you use a subheadings menu. This lets people who are specifically looking for this information find it easily.

Glass House London uses a dedicated clause with a direct menu link:

Glass House London Privacy Policy table of contents with Security clause highlighted

Many privacy laws say you must display or link to the Privacy Policy at the point when you are collecting data, for example in a newsletter signup box or when a customer places an online order.

A standard way to do this is to add a link to your Privacy Policy to your website footer.

Here's how Glass House London adds its Privacy Policy link to its website footer, also close to a form that collects email addresses (which is legally protected personal information):

Glass House London website footer with Privacy Policy link highlighted

Summary

Let's recap what you need to know about How Do We Keep Your Information Safe clauses:

  • Many privacy laws explicitly say you must take reasonable steps to secure any personal data you handle.
  • Most privacy laws explicitly or implicitly say you should tell people about these security measures. This helps them decide whether to provide data or consent to processing.
  • When you tell people about security measures, you need to provide enough detail to help them make an informed choice without overwhelming them with technical detail. You should also avoid giving away details that would help an attacker.
  • One way to achieve this balance is to describe the types of measures you take but without specific technical detail. You could also describe any general security principles that you follow.
  • You can include a disclaimer to say you can't guarantee personal data is 100 percent safe, but remember such disclaimers don't override your legal obligations.
  • Use clear language to help people make an informed decision.
  • For maximum visibility, include the information in a dedicated Privacy Policy clause, highlighted with a subheading or internal link, and displayed on your website.