Securing personal data is a key component of most data privacy legislation.
Telling people how you secure their data is often necessary to comply with the letter of the law. It is also vital for following the spirit of such laws, helping people make informed decisions about their data.
Here's what you need to know about clauses that help inform your users about how you keep their information safe. We'll break down what your clause needs to include and show practical examples of such clauses, as well as where and how to display your own for maximum effectiveness.
- 1. Why Include a How Do We Keep Your Information Safe Clause
- 2. Getting Ready to Write Your Security Clause
- 3. What to Include in Your Security Clause
- 3.1. Disclaimers for Security Issues and Liability
- 4. Use Clear Language
- 6. Summary
Why Include a How Do We Keep Your Information Safe Clause
While many data laws say you must take particular measures to protect personal data, some go a step further and require you to tell users about the measures you take.
In the former case, it makes sense to tell users about the measures even though you aren't specifically required to do so. Indeed, failing to detail your security measures could raise questions among customers and potential customers.
Some of the relevant laws include the following:
- Brazil's Lei Geral de Proteção de Dados (LGPD) says you must detail your responsibilities when processing data, specifically including the security measures you take to reduce and mitigate data breaches.
- Europe's General Data Protection Regulation (GDPR) requires appropriate technical and organisational security measures (Article 32) and data protection by design and by default (Article 25).
- Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires you to protect personal information in a way appropriate to its level of sensitivity.
- The California Consumer Privacy Act (CCPA) and Virginia's Consumer Data Protection Act (CDPA) both say you may have to pay damages if you don't protect personal data and you then suffer a breach.
- South Africa's Protection of Personal Information Act (POPIA) says consent for data processing must be "voluntary, specific and informed." Knowing how you secure data will help people give informed consent.
- New York's Stop Hacks and Improve Electronic Data Security Act (SHIELD) requires reasonable safeguards including administrative, technical and physical measures.
- Australia's Privacy Act requires reasonable steps to protect against unauthorized access, alteration or disclosure.
Almost every data protection law has a key aim of letting people make informed decisions about their data. This is often expressed in the text of the law itself, in an introduction, or in the debate that led to the legislation.
Knowing what you do with their data helps people decide whether to provide it or, in extreme cases, whether to give you their business at all. They need to know a host of details about what information you collect, how you use it, and whether you share it with anyone else.
One point easily overlooked in this list is how you protect their personal information against misuse or inappropriate access.
If somebody isn't confident you'll do enough to protect their data, they may choose not to provide it. Conversely, if you can give them that confidence, they'll be more likely to provide the data, or to choose to become a customer in the first place.
Getting Ready to Write Your Security Clause
Before writing your clause about keeping information safe, it's worth reviewing your security practices. This brings two benefits:
- You know exactly what you can include in the security clause, making it easier to write clearly and avoid any false claims.
- You may reveal some gaps in your security practices that you can fix before you write the clause.
What to Include in Your Security Clause
When deciding what to mention in your security clause and how you want to word it, you need to perform two balancing acts:
- You need to provide enough detail to make the information meaningful, without overwhelming the reader with technical information they won't understand.
- You need to provide enough detail to give maximum reassurance, without giving away information that could help attackers (for example, specific product names, versions or configuration details).
Some of the security measures you could mention include:
- Technical measures (such as password protection, encryption and scanning for attacks)
- Organizational measures (such as limiting access to particular staff)
- Physical measures (such as keeping secure data on servers in a locked or restricted room)
You could mention if you follow any standards or programs for data security such as ISO 27001. If so, you could link to an external website that explains what these are and how they work.
It can be useful to detail any security principles you follow. For example, you could say if you have a least-privilege (minimum access) policy, under which only people who strictly need to see or alter specific data can do so.
Remember that data security isn't just about unauthorized access to data (confidentiality). Security also means preventing unauthorized or accidental alteration or deletion of personal data (its integrity and availability). This means you could mention if you use backups or data redundancy.
You should explain if you take any measures to make sure personal data remains secure when you transfer it to a third party. For example, you may have contract terms with suppliers and subcontractors that require them to adopt the same level of security that you use.
The Scottish Biometrics Commissioner uses a good balance of principles and specific examples, and also lets users know they can reach out for more information and specifics:
Dropbox gives specific examples of security measures it uses:
Disclaimers for Security Issues and Liability
Businesses often use the security clause as an opportunity for a disclaimer. This usually involves making several points clear:
- Your security practices are not a 100 percent guarantee that nobody will be able to access, steal or alter the personal data you hold.
- Data could be intercepted as it passes electronically between the user and you, or vice versa.
- Users transmit personal data at their own risk.
The last of these points in particular is a practical rather than legal warning. The fact that you've made this disclaimer does not override your legal obligations under the relevant privacy laws to protect data.
The Vintage Art Gallery uses disclaimer language that addresses this:
Use Clear Language
Several privacy laws explicitly require that you use clear language when telling people about your privacy setup, including the way you protect and secure data.
For example, in Article 12 the GDPR says you must use "concise, transparent, intelligible and easily accessible form, using clear and plain language."
And PIPEDA says the information must be "clear and easy to understand" and that "individuals should not be expected to decipher complex legal language."
Using clear language makes it easier for customers to make a meaningful decision of whether to provide personal data and consent to processing.
When writing about the way you secure data, look for a balance of accuracy and simplicity.
For example, instead of saying you use "pseudonymised data" you could say you "store it in a way that means it can't be linked to an individual by itself."
Just make sure that you don't simplify anything in a way that creates a misleading impression of your security practices.
Informa uses clear, everyday language for most of the clause. When it uses specific technical language, it explains how users will experience the feature in question:
After you have your security clause drafted, it's time to display it for your users to see.
Glass House London uses a dedicated clause with a direct menu link:
Summary
Let's recap what you need to know about How Do We Keep Your Information Safe clauses:
- Many privacy laws explicitly say you must take reasonable steps to secure any personal data you handle.
- Most privacy laws explicitly or implicitly say you should tell people about these security measures. This helps them decide whether to provide data or consent to processing.
- When you tell people about security measures, you need to provide enough detail to help them make an informed choice but not overwhelm them with technical detail. You may want to avoid giving too much away to potential hackers.
- One way to achieve this balance is to describe the types of measures you take but without specific technical detail. You could also describe any general security principles that you follow.
- You can include a disclaimer to say you can't guarantee personal data is 100 percent safe, but remember such disclaimers don't override your legal obligations.
- Use clear language to help people make an informed decision.