Privacy and security

Our robust security measures and privacy management programmes help us give customers confidence that we are safeguarding their personal data and respecting their privacy

Privacy and security – Our approach

The way we handle privacy and security is a vital part of our responsibility to our customers and essential to the success of our business.

Privacy and security are often viewed by organisations merely as compliance or risk management responsibilities, but we see significant opportunities for Vodafone to differentiate what we offer and strengthen our reputation through our efforts in these areas.

Our customers trust us with their personal information and their privacy. Protecting that information and respecting their privacy is fundamental to maintaining that trust. Our privacy and security programmes govern how we collect, use and manage customers’ information – from ensuring the confidentiality of their personal communications and respecting their permissions and preferences, to protecting and securing their information.

Personal data also has enormous potential to create economic and social value, both for the individuals concerned and for the businesses who serve them. To realise that potential responsibly, we are using technology to make it easier and more intuitive for customers to take control of how their data is used.

Read on to find out more about our approach. Or go to Performance to read about our progress in 2013/14.

Law Enforcement Disclosure Report

The issue of government surveillance has come under increased scrutiny. For the first time, we have published a Law Enforcement Disclosure Report which details Vodafone’s approach to responding to government demands for access to customer information, along with a breakdown of the legal powers governments hold. We also publish statistics on the number of law enforcement demands we received on a country-by-country basis, where it is legal to do so and the government does not already publish such information.

Vodafone is one of the first communications operators in the world to provide this kind of country-by-country analysis of law enforcement demands, based on data gathered from our local licensed communications operators. We have committed to update the information disclosed in this report annually. We expect the contents and focus of the report to evolve over time and we will be working with key stakeholders on the best way to do this.

The report is intended to:

  • explain the principles, policies and processes we follow when responding to demands from agencies and authorities that we are required to assist with their law enforcement and intelligence-gathering activities
  • explain the nature of some of the most important legal powers invoked by agencies and authorities in our countries of operation
  • disclose the aggregate number of demands we received over the last year in each of our countries of operation unless prohibited from doing so or unless a government or other public body already discloses such information
  • cite the relevant legislation which prevents us from publishing this information in certain countries.

Read our Law Enforcement Disclosure Report.

Understanding customers’ concerns about how communications technology can impact privacy and security

We understand that customers may be concerned about the privacy and security of their personal information as they use communications technology more often and for different purposes. We help customers manage a wide range of privacy and security risks that may impact them when using mobile and other devices.

The confidentiality of customers’ personal and private communications is a fundamentally important requirement for any communications company, because such a company handles a great deal of sensitive information, including customers’ personal communications, their location and how they use the internet. The complexity of technology, threats from hackers and the potential for human error can all lead to information being lost, deleted or disclosed to the wrong people.

As more services use mobile and communications related data for an ever-expanding range of uses, customers need to be able to understand and control how information about them is used. Smartphones, tablets, e-readers, apps and new technologies using the ‘internet of things’ (such as connected cars, smart grids and mHealth) offer many economic and social benefits, but also raise some complex privacy issues. For example, mHealth services may enable physicians to monitor patients round the clock by having remote access to their health devices and data, but to do so sensitive health data may need to be transmitted across communications networks, hosted in the cloud, and processed by a range of applications used by medical staff.

Governments also have legal powers to demand access to customer communications and data. See our new Law Enforcement Disclosure Report for more information.

Creating the right culture

Everyone at Vodafone must have a clear understanding of how important protecting and respecting our customers’ information is to our business. We continue to create a strong internal culture where our employees understand the critical nature of privacy and security risks and know how to manage them. This focus helps us to retain the trust of our customers and the respect of our colleagues, stakeholders and peers.

We have set out our commitment to privacy and security at the highest level in our global Code of Conduct, which all Vodafone employees are bound by. Our Privacy Commitments, which are part of our Code of Conduct, set out the principles that govern our approach to privacy (see feature below).

These Privacy Commitments encapsulate three key elements of building customer trust:

  • Transparency: Being more open about what we do (Commitment 2: Openness and Honesty)
  • Empowerment: Using our technology to empower our customers and give them control over their personal information (Commitment 3: Choice)
  • Reassurance: Making sure that we do what we promise to and that we are doing what’s right (Commitment 7: Accountability).

In focus: Privacy Commitments

    1. Respect: We value privacy because of its value to people. It’s about more than legal compliance – it’s about building a culture that respects privacy and justifies the trust placed in us.

    2. Openness and honesty: We communicate clearly about actions we take that may impact privacy, we ensure our actions reflect our words, and we are open to feedback about our actions.

    3. Choice: We give people the ability to make simple and meaningful choices about their privacy.

    4. Privacy-by-design: Respect for privacy is a key component in the design, development and delivery of our products and services.

    5. Balance: When we are required to balance the right to privacy against other obligations necessary to a free and secure society we work to minimise privacy impacts.

    6. Laws and standards: We comply with privacy laws, and we will work with governments, regulators, policy makers and opinion formers for better and more meaningful privacy laws and standards.

    7. Accountability: We are accountable for living up to these principles throughout our corporate family, including when working with our partners and suppliers.

We can only ensure our customers’ privacy if we first ensure the security of their information and communications. Information security is an essential part of our business. Our Key Principles on Information Security (see feature below) set out how we securely create, use, store or dispose of all information we manage, so that it cannot be lost, stolen or manipulated, or used without Vodafone’s authorisation. We expect our employees to know how to protect customer information and to challenge others who fail to do so. Our global awareness and transformation strategy, Protect and Secure, is further deepening our security culture at Vodafone, raising employee awareness of security risks and what they can do to mitigate them.

In focus: Key Principles on Information Security

Customer information is one of the greatest assets we are entrusted with and must be protected appropriately. We handle vast amounts of customer information in a variety of forms – written, spoken, electronic and on paper – on a daily basis. It is vital that we secure and manage this information and can ensure its:

  • Confidentiality: Customer information must not be disclosed to, or accessed by, unauthorised people
  • Integrity: Customer information and software must be accurate, complete and authentic so that it can be relied upon
  • Availability: Customer information must be available when needed – including to our customers – and information systems and networks must function when required.

Recognising opportunities, not just obligations

Not managing the privacy and security of our customers’ data appropriately can pose risks to our customers and our business. However, we also see the potential to differentiate our brand by managing these risks well and by offering products and services designed to support customers in improving control over their data.

These include free apps such as Vodafone Protect that keep consumers safer online by enabling them to lock and wipe their mobile remotely if it is lost or stolen, and Vodafone Guardian that helps parents keep children safer when using their mobile phones. We also support our enterprise customers with products such as Vodafone Device Manager and Vodafone Profile Manager, which enable employees to have separate work and personal areas on a single device, and our innovative Vodafone Locate tracking service which has privacy controls inbuilt.

We are developing tools that will enable our customers to set permissions and preferences for all their devices, apps and interactions with Vodafone in a single tool, to make it easier for them to see and control their settings.

See Performance for more on how we are putting customers in control.

Understanding and responding to risks

Risk management is at the heart of Vodafone’s approach to privacy and security. Identifying emerging issues and risks – as well as opportunities (see Performance) – is essential to help us understand and manage those risks. We do this by examining the implications of our business strategy, new technologies and business models, areas of concern for customers and industry developments within our own and related markets.

Many of the latest developments in the ICT sector raise privacy and security issues, concerns and opportunities. These include ‘big data’ analytics (see below), connected cars, smart cities, smart metering (see Low carbon solutions), mHealth, Mobile payments and Smart working.

We conduct regular formal reviews of the most significant privacy and security risks affecting our business at Group level. Based on these reviews, we develop strategies to respond to the most critical risks (see below), which may include developing new internal policies, investing in new capabilities, technologies and programmes, or influencing the positions of our industry peers and partners, through associations such as the GSMA.

To help shape our strategy on privacy and security and ensure robust responses to stakeholder concerns, we regularly engage with external stakeholders and draw on their expertise.

In focus: Vodafone Germany’s Ombudswoman for Data Protection – Ms Renate Schmidt

Vodafone Germany’s dedicated Data Ombudswoman acts as a trusted advisor to the business on the rights and interests of Vodafone Germany’s customers regarding privacy and data protection. Former federal minister Renate Schmidt, appointed in 2008, brings a wealth of knowledge and experience to the role. Her guidance and insight are also sought more widely for input on the Vodafone global privacy programme and specific privacy initiatives.

Managing strategic risks

Based on our strategic risk review, some of the most critical privacy and security risks we face include:

Cloud services and hosting

As we deliver better services faster, expand our cloud-based services to enterprises and customers and reduce costs by avoiding duplication of infrastructure in different markets, we increasingly need to move data across international borders.

We must ensure that the movement of customer data across borders is conducted lawfully, legitimately and securely, both within our own organisation and between Vodafone and its suppliers.

We operate a global information governance system that enables us to track the flow of customer data and ensure we apply appropriate governance and legal processes. We have robust, standardised security processes within our own operations (see below) and employ specialist teams to evaluate the governance and controls of our suppliers.

As cloud-based solutions become increasingly widespread, we must continue to optimise the benefits of this technology, while effectively managing the risks. We are developing new tools to ensure the systematic management of all cloud capabilities and conformance to security and data management requirements.

Traffic management

To deliver the quality of service customers expect, we need to manage the flow of communications traffic across our network. For example, we may need to prioritise an uninterrupted video call over an email (which is not so time critical). To do this, we need to examine some of the information carried in the headers of the data packets that make up a communication, in order to know what type of communication it is; the actual ‘content’ of the communication (such as the text in a text message) is not inspected. Techniques that look into a packet beyond its basic addressing headers to identify the application or protocol are sometimes referred to as deep packet inspection.

Knowing more about these data packets – and thus about the nature of our customers’ communications – naturally raises privacy concerns. We have clear, specified governance and policy requirements around the use and deployment of these types of techniques. Other than for the lawful purpose of managing traffic across our networks, our policy prohibits any application of network technologies involving the inspection of data packets until it has been subjected to an in-depth privacy impact assessment. As well as ensuring that any use of deep packet inspection complies with the law, this assessment evaluates the potential impact on the customer and enables us to identify and develop solutions to avoid or minimise any impacts. Any use of these technologies must be authorised by a senior executive at Group level.
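The distinction drawn above, between reading packet headers to decide how to treat a flow and reading the content of the communication, is shown in the following added example. It is illustrative code, not Vodafone’s, and the DSCP-to-class table, the port hints and the sample packets are all constructed for it (EF=46 and AF41=34 follow the RFC 4594 conventions for telephony and multimedia conferencing). Only the IPv4 and TCP/UDP headers are parsed; the payload offset is computed so its length can be reported, but the payload bytes are never read.

```python
"""Header-only traffic classification (added example, not Vodafone code)."""
import struct
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP = 6, 17
# Assumed mappings for this example only.
DSCP_CLASSES = {46: "voice", 34: "video"}                       # EF -> voice, AF41 -> video
PORT_HINTS = {53: "dns", 80: "web", 443: "web", 25: "email", 143: "email", 993: "email"}
PRIORITY = {"voice": 0, "video": 1, "dns": 2, "web": 3, "email": 4, "best-effort": 5}


@dataclass(frozen=True)
class Classification:
    proto: str
    src_port: int
    dst_port: int
    dscp: int
    traffic_class: str
    payload_len: int  # bytes that were skipped, never inspected


def classify(packet: bytes) -> Classification:
    """Classify from the IPv4 and transport headers only; ValueError on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos, total_len, _ident, _frag, _ttl, proto_num = struct.unpack("!BBHHHBB", packet[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    dscp = tos >> 2
    l4 = packet[ihl:]
    if proto_num == IPPROTO_TCP:
        if len(l4) < 20:
            raise ValueError("truncated TCP header")
        src, dst = struct.unpack("!HH", l4[:4])
        data_off = (l4[12] >> 4) * 4
        if data_off < 20:
            raise ValueError("bad TCP data offset")
        proto = "tcp"
    elif proto_num == IPPROTO_UDP:
        if len(l4) < 8:
            raise ValueError("truncated UDP header")
        src, dst = struct.unpack("!HH", l4[:4])
        data_off, proto = 8, "udp"
    else:
        src = dst = data_off = 0
        proto = "other"
    # Length of the payload we deliberately do not look at.
    payload_len = max(0, min(total_len, len(packet)) - ihl - data_off)
    # A DSCP marking wins; otherwise fall back to well-known ports; otherwise best-effort.
    traffic_class = DSCP_CLASSES.get(dscp) or PORT_HINTS.get(dst) or PORT_HINTS.get(src) or "best-effort"
    return Classification(proto, src, dst, dscp, traffic_class, payload_len)


def priority(packet: bytes) -> int:
    """Scheduling priority derived from headers alone (lower is served first)."""
    return PRIORITY[classify(packet).traffic_class]


# Builders for constructed test input (checksums left zero; not valid on a real wire).
def build_ipv4(proto_num: int, dscp: int, l4: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(l4), 0, 0, 64,
                       proto_num, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4


def build_udp(src: int, dst: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", src, dst, 8 + len(payload), 0) + payload


def build_tcp(src: int, dst: int, payload: bytes) -> bytes:
    return struct.pack("!HHIIBBHHH", src, dst, 0, 0, 5 << 4, 0x18, 65535, 0, 0) + payload


# Constructed samples: an AF41-marked video-conferencing UDP packet and an IMAPS email packet.
VIDEO_PACKET = build_ipv4(IPPROTO_UDP, 34, build_udp(5004, 5004, b"\x80" * 100))
EMAIL_PACKET = build_ipv4(IPPROTO_TCP, 0, build_tcp(51000, 993, b"Subject: secret\r\n"))

if __name__ == "__main__":
    for name, pkt in (("video", VIDEO_PACKET), ("email", EMAIL_PACKET)):
        print(name, classify(pkt), "priority", priority(pkt))
```

Swapping the email packet’s payload for different bytes of the same length produces an identical classification, which is the property a header-only scheme should have. Engines that go further, matching application-layer signatures inside the payload, are exactly the step that the privacy impact assessment described above is meant to gate.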

Advertising, analytics and ‘big data’

The vast amount of data generated by our customers on mobile devices, services and networks has enormous potential value for mobile commerce, as well as for programmes with societal benefits, such as analysing trends in public health. The expansion of mobile connectivity into new fields, such as connected cars, smart metering and mHealth, means ever greater volumes of data are being generated. Even when this information is anonymised and aggregated, concerns arise about how the value of such ‘big data’ can be unlocked while protecting individual privacy, not least because removing direct identifiers from location and usage records does not by itself prevent an individual from being singled out by the distinctive pattern of their records.

Our internal policies, guidelines and design principles for applications and services that make use of personal data help us to ensure that we provide customers with transparent information and clear choices about how their data are used. We also research consumer perceptions and concerns to inform our strategy and explore and develop techniques that can enhance privacy (see Performance).
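The following added example (illustrative code, not Vodafone’s) makes the difference between pseudonymisation and aggregation concrete. The subscriber records, cell identifiers, salt and threshold are all constructed for it. Replacing phone numbers with salted hashes leaves each subscriber’s trace intact, so a handful of known (cell, hour) observations still single out one record set; publishing only per-cell counts, and suppressing cells with fewer than k distinct subscribers, removes the trace altogether.

```python
"""Aggregation with small-count suppression, beside pseudonymised traces (added example)."""
import hashlib
from collections import defaultdict

# Constructed sample: (subscriber identifier, cell, hour of day).
RAW_RECORDS = [
    ("+4479000001", "cell-A", 8), ("+4479000001", "cell-B", 9), ("+4479000001", "cell-C", 18),
    ("+4479000002", "cell-A", 8), ("+4479000002", "cell-B", 9), ("+4479000002", "cell-D", 18),
    ("+4479000003", "cell-A", 8), ("+4479000003", "cell-E", 9), ("+4479000003", "cell-C", 18),
    ("+4479000004", "cell-A", 8), ("+4479000004", "cell-B", 9), ("+4479000004", "cell-C", 18),
    ("+4479000005", "cell-F", 8), ("+4479000005", "cell-B", 9), ("+4479000005", "cell-C", 18),
]
SALT = b"example-salt-not-for-production"  # assumption: a per-dataset secret


def pseudonym(subscriber_id: str, salt: bytes) -> str:
    """Replace a direct identifier with a salted hash; the trace behind it is unchanged."""
    return hashlib.sha256(salt + subscriber_id.encode()).hexdigest()[:16]


def pseudonymise(records, salt):
    return [(pseudonym(sid, salt), cell, hour) for sid, cell, hour in records]


def aggregate(records, k):
    """Distinct subscribers per (cell, hour); cells below k are suppressed.

    Returns (published counts, number of suppressed cells).
    """
    seen = defaultdict(set)
    for sid, cell, hour in records:
        seen[(cell, hour)].add(sid)
    published = {key: len(ids) for key, ids in seen.items() if len(ids) >= k}
    return published, len(seen) - len(published)


def candidates(records, observations):
    """Identifiers whose trace contains every observed (cell, hour) point.

    This is what an adversary with a few known sightings of a person can do
    against pseudonymised per-record data.
    """
    traces = defaultdict(set)
    for sid, cell, hour in records:
        traces[sid].add((cell, hour))
    wanted = set(observations)
    return {sid for sid, points in traces.items() if wanted <= points}


if __name__ == "__main__":
    pseudo = pseudonymise(RAW_RECORDS, SALT)
    print("published:", aggregate(pseudo, k=3))
    print("one sighting:", len(candidates(pseudo, [("cell-A", 8)])), "candidates")
    print("two sightings:", candidates(pseudo, [("cell-A", 8), ("cell-E", 9)]))
```

Small-count suppression is a floor, not a guarantee: releasing the same aggregates for overlapping periods or slightly different cell boundaries can let the suppressed counts be recovered by subtraction, so the release schedule itself belongs in the privacy impact assessment.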

In focus: Privacy-by-design

We are committed to building privacy considerations into our products and services from the outset, and using our influence to shape the technologies of our partners and peers.

Our series of privacy design principles guide product development teams in shaping and designing products. For instance, our Visible Privacy Design Principles provide a framework to make sure we give users control over how they manage their privacy and how their data is collected, used and shared.

We provide privacy resources and guidance to third party developers, which are published on our Developer Portal. We also work with industry organisations and application developers to create guidelines and policies, such as the GSMA’s Mobile Application Privacy Guidelines, to ensure our partners and suppliers build privacy into the products and services they design.

Law enforcement assistance and human rights

In every country where Vodafone operates, governments retain law enforcement powers that can limit privacy and freedom of expression. These include legal powers that require telecommunications operators to provide information about customers or users or to put in place the technical means to enable information to be obtained for law enforcement purposes, such as lawful interception. Governments also retain powers to limit network access, block access to certain sites and resources or even switch off entire networks or services.

These powers have many legitimate purposes, including fighting crime and terrorism, and protecting public safety. However, use of these powers must be balanced with the respect for civil liberties and freedoms, including individuals’ privacy and freedom of expression. We closely manage and monitor compliance with these legal obligations and our relationship with law enforcement authorities to ensure human rights are respected. We also engage with governments to seek to ensure that legal provisions governing use of these powers contain adequate protection for human rights.

Vodafone’s Global Policy Standard on Law Enforcement Assistance sets out our principles and standards on assisting law enforcement, including processes to ensure our actions are accountable at the most senior level.

We are a founding member of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy, a group of global telecoms companies working together and in collaboration with the Global Network Initiative to address issues of privacy and freedom of expression. We are a signatory to the Industry Dialogue’s Guiding Principles on Freedom of Expression and Privacy (pdf, 728 KB), which define a common approach to dealing with demands from governments that may affect privacy and freedom of expression in a principled, coherent and systematic way across the industry.

Our Law Enforcement Disclosure Report details our approach to responding to law enforcement demands for access to customer information, along with a breakdown of the legal powers governments hold. We also publish statistics on the number of law enforcement demands we received on a country-by-country basis, where it is legal to do so and the government does not already publish such information.

Managing operational risks

Our network of privacy officers across the Group use our comprehensive Privacy Risk Management System (see box below) to help us live up to our Privacy Commitments in our day-to-day operations, while ensuring that we are prepared to respond to new privacy and security concerns and risks as they emerge. This system provides the flexibility to respond to local privacy concerns, legal requirements or stakeholder expectations, while providing a common framework to build and measure the maturity of our programme and implement improvements across all key areas of our business operations.

In focus: Vodafone Privacy Risk Management System

  • Supplier review: Process to review suppliers, such as outsourced call centres and companies that provide hosting platforms or process customer data, and ensure measures are in place to protect privacy
  • Product and service review: Processes for taking privacy into account when developing products and services (such as privacy-by-design in mobile applications)
  • Incident management: Process for managing incidents, such as data security incidents and losses of data
  • Disclosure: Processes for governing all disclosures of personal information, such as in response to legally mandated government requests and assisting law enforcement authorities
  • Data management and retention: Processes for managing the lifecycle of data, including destruction and retention of data
  • Privacy impact assessment: Processes for identifying, prioritising and conducting privacy impact assessments, such as for specific business units, technologies or products
  • Personal information location register: A register of personal information assets, enabling the effective management of all personal information
  • Critical privacy risk management: Processes for ensuring that strategies and policies developed to address critical privacy risks are effectively implemented
  • Review and reporting: Processes to ensure that all the above are reviewed and reported to executive management, with identified improvements included in business plans.

Our privacy programme is underpinned by extensive information and network security practices and technologies designed to secure the infrastructure and systems on which our business’ and our customers’ privacy is based. These include:

  • Advanced security monitoring systems to detect and respond to cyber security issues in real time (see feature below)
  • Physical and personnel controls, including appropriate vetting of people, to guard against misuse of access or privileges by our own staff, contractors or third parties
  • Significant investment in security technologies.

The robust information security policies, processes and procedures supporting these controls are regularly audited and tested.

Our approach is based on the principles outlined in ISO 27001, the international standard for information security management systems. Our core data centres in Germany, India, Ireland and Italy are certified to this standard. We require our external suppliers and partners to meet defined minimum security standards and we conduct risk assessments and due diligence exercises to provide assurance that these are being met in practice.

Operational risk management is as much about prevention as it is about detection and treatment. We continue to run a series of coordinated global awareness and engagement programmes designed to ensure our staff understand the vital importance of privacy to our customers, including the role that individual employees have in protecting the security of customers’ information.

Our Group Privacy and Security Governance Forum ensures coordination and alignment between our Group-level privacy and security functions, to provide end-to-end protection of customer information throughout its lifecycle within Vodafone’s business.

In focus: Taking action on global cyber security

Cyber security threats pose a significant risk to our business, infrastructure and customers’ information. Remaining vigilant in anticipating attacks, defending against them and planning for the future are essential elements of our strategic risk management. The threats are posed by a range of actors, from nation states and commercial competitors through to ‘hacktivists’, cyber criminals and terrorists.

Risk management is at the centre of our approach. We analyse and review the most significant security risks affecting the business at Group level and based on this we develop strategies to respond to the most critical risks and determine future investment.

Vodafone’s Global Security Operations Centre (GSOC) is designed to detect attacks as they happen and minimise their impact. This centralised security centre monitors our IT systems 24 hours a day, seven days a week, to enable us to respond to cyber threats in real time and provide the highest level of protection. We identify and deal with tens of millions of IT security attacks every month, to protect the information of over 400 million customers and ensure the best network performance.

We recognise that some attacks may be successful and may result in data being compromised. The management of these incidents when they happen is as critical as their prevention. As a result we piloted a new customer privacy impact service this year to ensure that we always put the customer first when incidents occur.