Privacy and security – Performance in 2013/14

Ensuring privacy and security and putting customers in control of their information is critical. Gaining our customers’ trust is essential to unlock the potential benefits of using customer data to help grow our business in areas such as mobile commerce and analytics.

At the same time, our continued investment in security measures is becoming more critical as the threat of targeted cyber attacks on businesses and their customers’ information increases, along with social engineering attacks resulting from wider use of social media.

Government access to individuals’ private communications has come under increased scrutiny. Our policy on law enforcement assistance has been in place since 2010 and we published our Law Enforcement Disclosure Report to increase transparency and improve understanding on this issue.

Putting customers in control

Research tells us customers are increasingly concerned that their information is being misused or sold to third parties. The most strongly stated concern is a lack of control and transparency [1]. In 2013/14, we continued our programme of research to improve our understanding of what our customers expect from us in relation to privacy and how we can meet their expectations. We surveyed over 6,500 consumers, 1,500 opinion formers and 150 stakeholders, such as politicians and regulators, across Europe, Africa and Asia to understand their views, attitudes and expectations.

Our research revealed that stakeholders believe companies are abusing their position by taking advantage of consumer ignorance and apathy and that many existing initiatives are seen by stakeholders as companies putting their own interests ahead of consumers. However, consumers conveyed a sense that as the scale of information use changes, they will increasingly trust and use companies that are willing to offer them greater control through tools that are easy to use.

In the UK, a survey of over 1,600 consumers on their attitudes to receiving targeted offers and their views on apps and services that use their data found that customers are comfortable with internet companies, social media and some smartphone apps using their information to target personalised offers and adverts, but are concerned that companies are using their data for more than was initially agreed. While they see value in location services, or services which take into account their gender and age, they dislike sharing information about calling patterns and are more likely to share data in exchange for services which they perceive as valuable.

Our research feeds into our business strategy and is particularly important in shaping our efforts to provide customers with effective tools to manage their personal data. In 2013/14, we developed new tools and capabilities to empower our customers to take more control over their personal information and provide greater transparency. We ran focus groups across five European markets to help us refine these tools to better meet the needs of our customers, and they will be rolled out during 2014/15.

The tools will enable our customers to set their permissions and indicate their preferences across all touch points, including smartphone apps, tablets, online and in store. Bringing all the different choices and information together into a single tool will improve customers’ experiences by increasing visibility about how their information is used and shared and putting them in control. It will also help us prepare for the European reform of data protection law by building our technical capability to comply with the anticipated new regulation regarding the way permission to use information is sought from customers.

In addition, we have been investigating how to build privacy management capabilities into our machine-to-machine (M2M) platform and embed privacy features into the next generation of M2M technology (also known as the ‘internet of things’). This is forming the foundation of many of the most important developments in our industry, including smart metering, connected cars and wearable technology.

Recognising opportunities, not just obligations

Privacy and security can pose risks to our customers and our business, but we also see potential to differentiate our brand not just by managing these risks but by offering products and services designed to support customers in improving their privacy and security.

In 2013/14, we launched and expanded a number of products that demonstrate the potential of privacy and security as a business opportunity:

  • Secure Call: Vodafone has developed a high-level security app, in partnership with Secusmart, called Secure Call, which uses government-level encryption to help companies of all sizes protect the confidentiality and privacy of their voice calls
  • Secure SIM Data: Vodafone is the first telecommunications company to introduce a SIM card-based, end-to-end encryption solution for the mobile workplace. Developed in collaboration with Giesecke & Devrient, a leading provider of SIM cards and mobile security solutions, Secure SIM Data encrypts and signs e-mails, documents, data media and VPN connections, offering companies and other organisations enhanced security in their mobile data communications
  • Secure Family: Vodafone has introduced a new service which helps parents manage their children’s access to the internet by, for example, blocking access to certain websites, allocating ‘quiet times’ when children cannot access the internet at all and alerting parents when children download new apps. This product was carefully designed to prevent it being misused to covertly monitor the online activities of another person. It has launched in Italy and will be introduced in other markets during 2014.

We also continued to explore the economic potential of the vast amount of data that flows across our networks. In March 2014, we publicly outlined the key actions that support Vodafone’s overall strategy on big data and analytics at the Cebit industry trade conference. Our privacy and permissions programme (outlined above) is central to this strategy. We believe that putting our customers in control of their personal data is not only essential to ensuring that Vodafone is trusted by our customers, but that we are trusted and respected by potential partners in big data and analytics.

Strengthening our programmes

In 2013/14, we introduced a series of new metrics to measure the maturity of our privacy approach across the Group, extending beyond compliance controls in our Privacy Risk Management Framework (see Our approach) to include employee engagement activities, new research carried out and external engagement with stakeholders. We also introduced a new requirement for local markets to report any major events in ‘real time’ as part of our commitment to implement the Guiding Principles of the Telecommunications’ Industry Dialogue on Freedom of Expression and Privacy (see below).

We continued to focus on developing the competence and professional skills of privacy professionals within the business. In 2013/14, we launched the Vodafone Privacy Learning Centre for our privacy community, and we sponsored 10 privacy officers from our local markets to become Certified Information Privacy Managers through the International Association of Privacy Professionals (IAPP), an internationally recognised qualification in privacy management.

In 2013/14 we focused on strengthening our programme in a number of key areas:

  • Law enforcement and privacy – We carried out a global audit of compliance with our Law Enforcement Assistance Policy, which included detailed on-site reviews of operational management of law enforcement assistance and compliance with our policy standard, in certain markets. We also reviewed the powers governments have across our markets to order the disclosure of information about our customers, block access to services or prevent the publication of statistics on the number of orders we are subjected to. This review fed into our new Law Enforcement Disclosure Report.
  • Big data and analytics – We conducted privacy impact assessments for big data and analytics projects in various countries and issued further guidelines to our local markets on how to increase transparency and provide customers with meaningful choices about how their data is used. We engaged with privacy NGOs to explain our approach and seek their input on innovative ways to build consumer confidence in data analytics applications. We also worked with our local privacy teams to ensure our global policy on the permissions and transparency required to use customer information, adopted in 2013, is integrated in our processes across the business.
  • Connected car – Working closely with Vodafone’s machine-to-machine (M2M) team, we conducted an extensive privacy impact assessment which helped to shape the development and design of our connected car platform, Vodafone Vehicle Connect, and usage-based insurance proposition. We will publish a white paper in 2014 on how we designed privacy into our connected car proposition, including recommendations for establishing industry standards around privacy for the emerging connected car and usage-based insurance sectors.

In focus: Recognition for privacy leadership

Vodafone’s Chief Technology Security Officer in India, Burgess Cooper, received the 2013 Privacy Leader of the Year Award from the Data Security Council of India (DSCI), a not-for-profit organisation that develops and promotes security and privacy best practice. The DSCI stated that:

“Positioning privacy as a brand differentiator and having ensured that a few operating circles [telecoms regions] of Vodafone India are already certified against the BS10012 standard, Mr Burgess Cooper stands out as a leader in the privacy domain.”

Find out more about the 2013 DSCI Excellence Awards here.

Our efforts to ensure the privacy of our customers’ information would be meaningless without our measures to ensure the security of that information. In 2013/14, we continued to strengthen our information security controls and systems and emphasise the link between privacy and security functions at Group and local level. Senior Technology Security Heads improve oversight and mitigation of information security risks, reporting directly to the Chief Technology Security Officers in each local market and working closely with their local Head of Corporate Security.

In 2013/14, we continued to proactively address emerging threats and vulnerabilities through ongoing monitoring and compliance programmes. Remediation plans have been put in place to address deficiencies identified through these programmes. We also recognise that if things do go wrong, we need to act quickly and transparently to protect our customers. We piloted a new customer privacy impact service to ensure that we always put the customer first when incidents occur (see feature below).

In focus: Responding quickly and transparently to protect our customers

In September 2013, Vodafone Germany suffered a highly sophisticated and illegal intrusion into one of its servers in Germany, which resulted in the theft of a limited amount of our German customers’ data. In order to ensure that we had the best advice and information about the potential impact of this theft on our customers, we initiated a new rapid investigation service using a specialist independent security consultancy. Within eight hours of the details of the incident being obtained, we had received a report detailing the potential impact on our customers, including the risks of identity theft or fraud, and had received independent advice on the steps we could take to protect our customers. Our communications to our customers referenced this independent advice and we offered our customers free use of an identity theft service to minimise any risk of harm to them.

Creating a cultural shift

Creating awareness of privacy and security across Vodafone is vital to ensure that we provide the best experience for our customers. Our global employee awareness campaign, Doing What’s Right, was extended across all markets in 2013/14.

We have launched a global security awareness online portal accessible to all employees, containing guidance, policies and procedures on how to work securely at home, in the office and on the move, building on our global security awareness strategy, Protect and Secure.

A series of e-learning courses were developed in 2013/14 and are being rolled out globally in 2014/15, including a course on security and three modules on privacy – Privacy Basics, Privacy-by-Design and Privacy and Human Rights.

In 2013/14, we provided tailored training for all employees in high risk roles, including those who deal with highly confidential information on a daily basis, with particular attention to employees working in call centres and retail stores, and senior leaders.

Our Secure World Award, launched in 2013, gives our security teams from across the Group the opportunity to share inspirational stories on how we are protecting and securing our business, customers and the wider community. The winner of the 2013 award was Vodafone UK, which worked with our distribution partner to establish a new system to prevent the delivery of fraudulent orders, saving Vodafone £1.6 million.

In focus: Training employees on security in Turkey

Vodafone Turkey launched a new training app in 2013/14 that uses a game to raise employee awareness and understanding of information security practices.

Many security breaches are the result of human error. By training our people on security best practice, we can prevent these breaches and protect our customers and our business. With this in mind, Vodafone Turkey developed and launched a training app that can be accessed on any tablet device, which aims to promote and engage employees in our Five Simple Steps on information security.

In 2013, we ran a year-long Privacy Dialogue to raise awareness and help people across the business live up to the Vodafone Privacy Commitments (see Our approach). Using internal communications tools and social media, this featured a series of activities to bring privacy to life including a global competition inviting employees to respond and vote on a series of dilemmas, illustrating the importance of our commitment to choice, and a campaign that highlighted examples of how important good design is to solving problems, linking to our commitment to Privacy-by-Design.

We also held our fourth annual global Privacy Summit, a week-long series of events in London, Dusseldorf, Johannesburg and Mumbai with workshops and external speakers. The theme of the Summit this year was ‘Seizing the Opportunity’, emphasising the importance of our privacy programme to the long-term commercial success of the business. Over 500 people from across Vodafone participated in person or online.

Contributing to policy and debate

In 2013/14, we continued to participate in dialogue and debate about the proposed EU Data Protection Regulation, the EU’s Cyber security Strategy and the Commission’s proposal for a Directive on Network and Information Security.

Following intense public scrutiny, government surveillance has been a topic of much debate. We have a well established policy on assisting law enforcement authorities and throughout 2013/14, we have engaged extensively on this issue with stakeholders in government and across civil society and the media, including through our participation in the Telecommunications’ Industry Dialogue on Freedom of Expression and Privacy (see more below).

We participated in the first joint learning forum of the Telecommunications’ Industry Dialogue on Freedom of Expression and Privacy and the Global Network Initiative in December 2013. We also took part in workshops in London and Brussels, as part of the Center for Democracy & Technology’s project, examining Systematic Government Access to Private-Sector Data, which aims to improve understanding of the nature and scope of government legal powers to order access to data held by private sector organisations. Our inaugural Law Enforcement Disclosure Report, and accompanying legal annex, represents Vodafone’s latest contribution to this complex and controversial area.

Another emerging issue is the increasing concern about the risks and challenges to consumer privacy from the growth and popularity of mobile apps. Regulators around the world have issued a range of new guidelines to tackle the ‘applification’ of society. As one of the founder companies behind the GSMA’s Mobile Privacy Initiative in 2010, Vodafone has played a leading role in articulating appropriate standards and accountability mechanisms for mobile app deployment, including Vodafone’s Mobile Application Privacy Principles and the GSMA’s Privacy Design Guidelines for Mobile Apps.

In 2013/14, we worked with the Mobile Entertainment Forum, an industry association for companies seeking to monetise their products and services using mobile technology, to create a tool to help mobile app developers implement privacy-by-design requirements. The AppPrivacy tool is available to developers free of charge and includes an automated privacy policy generator that creates a short, simple, user-friendly statement explaining how the app uses personal data.

Vodafone also participates in external programmes to strengthen cyber security standards and define minimum standards that industry and nation states should be expected to adhere to, including government programmes in the EU and US and those run by NGOs such as the Internet Security Alliance.

Implementing industry principles on freedom of expression and privacy

Vodafone is a founding member of the Telecommunications’ Industry Dialogue on Freedom of Expression and Privacy, which was launched in March 2013, alongside a collaboration with the Global Network Initiative (GNI) to advance freedom of expression and privacy rights in the telecoms industry. Find out more about the work of the Industry Dialogue during its first year here (pdf, 335 KB).

In March 2013, we adopted the Guiding Principles on Freedom of Expression and Privacy (pdf, 736 KB), which set out a common approach to dealing with privacy and freedom of expression in a principled, coherent and systematic way across the industry.

The Guiding Principles are closely aligned with Vodafone’s own existing Global Law Enforcement Assistance Policy Standard. We continue to work to embed this and the table below sets out Vodafone’s status and activities on each of the principles.

Our Law Enforcement Disclosure Report also provides more detail on our approach to responding to law enforcement demands.

Vodafone’s alignment with the Industry Dialogue Guiding Principles on Freedom of Expression and Privacy

Each entry below gives the Guiding Principle, followed by Vodafone’s alignment.

Telecommunications companies should, to the fullest extent that does not place them in violation of domestic laws and regulations, including licence requirements and legal restrictions on disclosure:

1. Guiding Principle: Create relevant policies, with Board oversight or equivalent, outlining commitment to prevent, assess, and mitigate to the best of their ability the risks to freedom of expression and privacy associated with designing, selling, and operating telecommunications technology and telecommunications services.

Vodafone’s alignment: Our Privacy Commitments (see Our approach) and Global Policy Standard on Law Enforcement Assistance, with Executive Committee sponsorship, set out the requirements for balancing the potentially conflicting requirements of respecting privacy and assisting law enforcement. During 2013/14, we carried out a global audit of compliance with the policy, which included detailed on-site reviews of operational management of law enforcement assistance and compliance with our policy standard, in certain markets.

2. Guiding Principle: Conduct regular human rights impact assessments and use due diligence processes, as appropriate to the company, to identify, mitigate and manage risks to freedom of expression and privacy – whether in relation to particular technologies, products, services, or countries – in accordance with the Guiding Principles for the Implementation of the UN ‘Protect, Respect and Remedy’ framework.

Vodafone’s alignment: A range of due diligence processes are in place. These include:

  • The Strategic Privacy Risk Register (see Our approach), which is at the centre of a formal review process used regularly to assess the most significant privacy risks affecting our business.
  • A due diligence process undertaken before entering new markets, acquiring businesses or establishing new partnerships. This process incorporates human rights issues such as corruption, respect for privacy, internet freedom, freedom of expression and workers’ rights, to assess and highlight the potential impacts or risks associated with entering new markets. In 2013/14, we further strengthened our human rights impact assessment process for potential new markets identified as high risk.
  • Our Global Advisory Forum brings together a cross-functional group of experts from across Vodafone Group to provide input on potential new products, services and technologies, ensuring that privacy and freedom of expression are taken into account at the earliest stage of the design process.

3. Guiding Principle: Create operational processes and routines to evaluate and handle government requests that may have an impact on freedom of expression and privacy.

Vodafone’s alignment: Our Global Policy Standard on Law Enforcement Assistance includes guidance for evaluating and, where necessary, escalating demands and requests from law enforcement agencies.

4. Guiding Principle: Adopt, where feasible, strategies to anticipate, respond and minimise the potential impact on freedom of expression and privacy in the event that a government demand or request is received that is unlawful or where governments are believed to be misusing products or technology for illegitimate purposes.

Vodafone’s alignment: The Global Policy Standard on Law Enforcement Assistance provides requirements on challenging law enforcement where we have reasonable grounds to believe the request is not legally mandated or is unlawful. It requires operating companies to bring together the right people to consider the possible impacts and actions and use their judgement.

5. Guiding Principle: Always seek to ensure the safety and liberty of company personnel who may be placed at risk.

Vodafone’s alignment: Vodafone’s Code of Conduct includes a high-level commitment to protect the health, safety and wellbeing of our employees, and the Global Policy Standard on Law Enforcement Assistance requires potential personal risk to individuals to be considered in any decision to challenge law enforcement demands.

6. Guiding Principle: Raise awareness and train relevant employees in related policies and processes.

Vodafone’s alignment: Our Global Policy Standard on Law Enforcement Assistance includes a requirement on training and awareness and we continually raise awareness as part of our wider privacy communications campaigns (see above).

A series of e-learning courses were developed in 2013/14 including a module on Privacy and Human Rights. This is being rolled out globally in 2014/15.

7. Guiding Principle: Share knowledge and insights, where relevant, with all relevant and interested stakeholders to improve understanding of the applicable legal framework and the effectiveness of these principles in practice, and to provide support for the implementation and further development of the principles.

Vodafone’s alignment: We regularly share knowledge and engage with stakeholders on these issues, for example through the stakeholder engagement activities of the Telecommunications Industry Dialogue. This included a GNI/Industry Dialogue joint learning forum involving approximately 100 participants from companies, government and non-governmental organisations held in Brussels in November 2013.

We also provide information through this Group Sustainability Report, our online Privacy Centre and in our new Law Enforcement Disclosure Report.

8. Guiding Principle: Report externally on an annual basis, and whenever circumstances make it relevant, on their progress in implementing the principles, and on major events occurring in this regard.

Vodafone’s alignment: The Law Enforcement Disclosure Report and this Privacy and security section of our Group Sustainability Report cover Vodafone’s approach and activities on these issues.

During 2013/14, we developed guidance on the definition and reporting process for major events and communicated it to our operating companies. This process will continue to be rolled out during 2014.

9. Guiding Principle: Help to inform the development of policy and regulations to support freedom of expression and privacy including, alone or in cooperation with other entities, using its leverage to seek to mitigate potential negative impacts from policies or regulations.

Vodafone’s alignment: The Global Policy Standard on Law Enforcement Assistance covers engagement with government on these issues and we regularly contribute to dialogue on the development of policies on a national and international level.

10. Guiding Principle: Examine, as a group, options for implementing relevant grievance mechanisms, as outlined in Principle 31 of the UN Guiding Principles for Business and Human Rights.

Vodafone’s alignment: During 2013/14, the Industry Dialogue companies have shared ideas of how to implement operational-level grievance mechanisms and reviewed examples and guidance from other sectors.

Notes:

  1. ‘The Data Dialogue’ report from UK Think Tank DEMOS