Principle #6 – Privacy of Client Data
This presentation is made possible by the Smart Campaign
www.smartcampaign.org
2
Agenda
1. Client protection principles
2. Principle #6 in practice
3. Two components of protecting client data
4. Participant feedback
5. Practitioner lessons and good practices
6. Conclusion and call to action
3
Client Protection Principles
1. Avoidance of over-indebtedness
2. Transparent and responsible pricing
3. Appropriate collections practices
4. Ethical staff behavior
5. Mechanisms for redress of grievances
6. Privacy of client data
5
Privacy of Client Data: Principle in Practice
A financial institution achieves this principle by respecting the privacy of client data and ensuring both the integrity and the security of the data.
7
Two Components to Protecting Client Data
Privacy
• Clients know how the institution will use their information.
• Confidentiality policies govern the processes, use, and distribution of client data to third parties.
• The institution ensures that client data is correct before sharing it and gives clients the opportunity to correct it.
• The institution asks for clients’ permission before sharing their data with credit bureaus or using it in marketing materials.
Security
• A rigorous system of checks prevents the unauthorized use of client data and protects access to accounts.
• The information technology system is secure and protected by passwords and several levels of authorized access.
• The institution offers orientation sessions that show clients how to safeguard their PIN numbers and other sensitive information.
8
The Client Perspective: Can your clients agree with the following?
✓ I know the institution’s policy on sharing my personal and financial information with third parties.
✓ I have been informed that the institution will ask my permission before sharing my information with third parties, and before using my photo in any marketing materials.
✓ I know how to keep my PIN number safe.
✓ The institution has explained to me how they keep my data secure.
✓ The institution asked me before submitting my information to the credit bureau (if applicable).
10
Feedback from Participants
• Have you been in a situation where the security/privacy of your personal or financial information was compromised? How did you respond to the situation?
• Is this an issue that your clients care about? If something went wrong and their personal or financial information was compromised, would it affect your business?
• Have data management practices and systems evolved at your institution since you have worked there? How so?
• Have you witnessed privacy or security lapses at your institution? How did your institution respond?
12
Lessons from Practitioners
[Write your points for the presentation here:]
• Points
• Points
• Points
• Points
13
Privacy of Client Data: Indicators of Good Practice
14
Privacy of Client Data: Indicators of Good Practice
15
Good Practice: Using Technology to Protect Data
One cooperative in Mexico developed a custom management information system (MIS) to store, update, and manage member data. A customized MIS allows the cooperative to:
• Maintain the MIS using their own staff.
• Establish a clearly defined “user access hierarchy” for staff accessing sensitive data.
• Change passwords frequently.
• Use an “internal hacker” whose role is to constantly test the integrity of the system by attempting to break into the system from outside the cooperative.
Source: Caja Morelia Valladolid
16
Good Practices to Safeguard Privacy
• Employees sign a confidentiality agreement at the same time as their employment contract.
• Clients give written permission before the institution can use their image and/or story in marketing materials.
• The institution has a periodic program for clients to update their data and incentivizes them to participate.
17
Good Practices to Ensure Security
• Information about collections can only be accessed by the collections agent, branch manager, and the headquarters Collections Department.
• Physical copies of client data are secured in branch locations and digital information is in a secure database.
• The institution uses a power-sharing system: only the branch can change client information, while headquarters can access data from all branches.
• Institutional information available on the ‘intranet’ cannot be printed or downloaded for use outside the office.
18
Good Practices from Around the World:
Auditing Physical Security
• One MFI requires its Internal Audit department to check the physical security of filing systems at headquarters, branches, and correspondent banking locations. These security audits ensure that client files are stored securely and that only authorized employees can access them.
Maintaining Correct Information
• One MFI assists clients who need to correct/update incorrect personal or financial information. This includes not only helping clients correct the MFI’s record, but also making sure that credit bureaus and government agencies have correct information about the client as well.
20
Conclusion
Summary:
• The Smart Campaign has developed six principles of client protection, one of which is privacy of client data.
• Financial institutions satisfy this principle by respecting the privacy of client data and ensuring it is both secure and uncompromised.
• Maintaining the privacy of client data requires implementing adequate safeguards, systems, and policies, but also informing the client about the use of their personal information and obtaining client consent before sharing it with a third party.
Call to action
• What “next steps” can your organization take to institutionalize and/or improve systems for maintaining the privacy and security of client data?
21
Join the Campaign and
Endorse the Principles of Client Protection
Have questions? Want more information?
Contact the Smart Campaign
Email: info@smartcampaign.org
Thank you!


Editor's Notes

  • #2: Principle #6- Privacy of Client Data [Introductions of facilitator(s) and participants]
  • #3: This is the agenda for today’s discussion. We will begin by reviewing a summary of the Six Principles of Client Protection.
  • #4: [Each principle is listed, along with how the Smart Campaign defines the principle]. These are the Six Principles of Client Protection:
      1. Avoidance of Over-Indebtedness. Providers will take reasonable steps to ensure that credit will be extended only if borrowers have demonstrated an adequate ability to repay and loans will not put the borrowers at significant risk of over-indebtedness. Similarly, providers will take adequate care that only appropriate non-credit financial products (such as insurance) are extended to clients.
      2. Transparent and Responsible Pricing. The pricing, terms and conditions of financial products (including interest charges, insurance premiums, all fees, etc.) will be transparent and will be adequately disclosed in a form understandable to clients. Responsible pricing means that pricing, terms, and conditions are set in a way that is both affordable to clients and sustainable for financial institutions.
      3. Appropriate Collections Practices. Debt collection practices of providers will be neither abusive nor coercive.
      4. Ethical Staff Behavior. Staff of financial service providers will comply with high ethical standards in their interactions with microfinance clients, and such providers will ensure that adequate safeguards are in place to detect and correct corruption or mistreatment of clients.
      5. Mechanisms for Redress of Grievances. Providers will have in place timely and responsive mechanisms for complaints and problem resolution for their clients.
      6. Privacy of Client Data. The privacy of individual client data will be respected in accordance with the laws and regulations of individual jurisdictions, and such data cannot be used for other purposes without the express permission of the client (while recognizing that providers of financial services can play an important role in helping clients achieve the benefits of establishing credit histories).
  • #5: Now, let’s discuss how institutions put Principle #6 into practice.
  • #6: This is the Campaign’s definition of the principle “Privacy of Client Data.” An institution puts the principle into practice by respecting the privacy of client data and ensuring both the integrity and the security of the data.
  • #7: Now, let’s discuss the two components of protecting client data—privacy and security.
  • #8: Privacy and Security are two equally important components of protecting client data. An institution maintains data privacy by following the practices listed on the LEFT (“Privacy”). An institution maintains the security of client data by following the practices listed on the RIGHT (“Security”).
  • #9: Maintaining the privacy of client data includes more than just putting safeguards, systems, and policies in place within an institution. It also requires an institution to inform the client about the use of their data and obtain permission before sharing their personal and financial information. This checklist will help participants think about how well they communicate with their clients about data security and privacy. [Ask participants: Do you think your clients would agree with all of the following statements?] If there are statements here that your clients wouldn’t agree with, your institution should examine how they communicate with their clients about data security and privacy.
  • #10: Now, we would like to hear from YOU.
  • #11: At this point in the presentation, ask participants for their feedback on the information presented so far. Use these questions (or others that have come up during the presentation) to stimulate discussion.
  • #12: Now, we will discuss our own experiences, as well as good practice examples from around the world.
  • #13: Two microfinance practitioners will discuss their experiences confronting client over-indebtedness. Suggested Format: 1. One presenter discusses prevention of client over-indebtedness (how to design and sell financial products that avoid over-indebting clients). 2. The other presenter talks about mitigation (his or her experiences facing pre-existing over-indebtedness problems and finding solutions that benefit MFIs and clients).
  • #14: This slide and the next slide present 5 indicators of good practice for this principle. [Read through the list and ask participants to think about which of these indicators their institution is fulfilling, and which it could improve].
  • #15: (Continued from previous slide)
  • #16: This good practice example comes from Caja Morelia Valladolid, a cooperative in Mexico. (See: SmartNote on the Privacy and Security of Client Data for more details.) The cooperative built a custom management information system (MIS) to store, update, and manage member data. A customized MIS allows the cooperative to:
      • Maintain the MIS using the cooperative’s own staff. This lowers long-term cost by keeping maintenance in-house, and the cooperative has more responsive technical support and faster issue resolution, resulting in less wasted staff time.
      • Establish a clearly defined “user access hierarchy” for staff accessing sensitive data. This restricts access to the database according to staff position. The database always requires at least two people, and often more people from different departments, to authorize access or changes to client information: data entry users and data modification users.
      • Change passwords frequently. Each person who accesses the database uses an individual user name and password. Users must change their passwords every four months and cannot repeat previous passwords. Whenever an employee logs into the database, their name, the information they query, and the time when the request is made are all recorded in a query log. Headquarters employees enter and leave the main office using a thumbprint scanner and sign-in process to prevent unauthorized access to the client information stored there.
      • Use an “internal hacker” whose role is to constantly test the integrity of the system by attempting to break into the system from outside the cooperative. By constantly testing its systems, the bank stays one step ahead of external hackers.
    (Note: Starting in 2008, the Center for Financial Inclusion carried out a fourteen-month-long research project called Beyond Codes. In this project, fourteen MFIs piloted the implementation of pro-client policies and practices. Their experience revealed good practice examples of client protection. The good practice examples used in this presentation come from the Beyond Codes project.)
  • #17: These are example good practices for participants to consider when designing policies and systems for ensuring privacy of client data.
  • #18: These are example good practices for participants to consider when designing policies and systems for ensuring security of client data.
  • #19: These are two more good practice examples for maintaining the privacy and security of client data.
  • #20: Now, let’s conclude with a summary of what we’ve discussed, and a call to action.
  • #21: [Read the summary on this slide] [Use the Call to action question, and any of the questions below, to stimulate discussion among participants]. How could a particular action be implemented in your institution? What other solutions have you seen (or would like to see)? Have you seen a similar (or different) practice in your institutions or elsewhere? Does your institution typically receive complaints about the privacy and security of client data? What are the costs of implementing robust mechanisms for protecting client data? What are the benefits? How do you think respecting client privacy and safeguarding client information can make your institution more competitive? Do you feel comfortable proposing that your institution change the way it handles client data? Why or why not?
  • #22: Thank you!