Privacy and security

Our robust security measures and privacy management programmes help give customers confidence that we are safeguarding their personal data and respecting their privacy.

Privacy and security – Our approach

Protecting our customers’ personal information and respecting their privacy are essential to maintain their trust. Managing privacy and security risks effectively and putting customers in control of their data is core to our approach.

People are increasingly concerned about the privacy and security of their personal information as they use communications technology more and more. We aim to make it easier and more intuitive for our customers to understand and take control of how their data is used.

The complexity of technology, cyber threats and the potential for human error can lead to information being lost, deleted or getting into the wrong hands. Our policies and programmes are designed to ensure the privacy and security of customer information across Vodafone. We offer a range of apps and network services that help consumers and enterprise customers enhance their privacy and security.

Governments also have legal powers to demand access to customer communications and data and we manage these challenging issues through the policies and procedures covered in detail in our Law Enforcement Disclosure report.

There is enormous potential to use personal data to create economic and social value for individuals and businesses. To realise this potential, people need to give businesses access to their data and they need to know that it will be used responsibly. We help put our customers in control of their data and how it is used with tools that enable them to manage privacy and permissions for their devices, apps and interactions with Vodafone.

Read on to find out more about our approach, or go to Performance to read about our progress in 2014/15.

In focus: Law Enforcement Disclosure report

The issue of government surveillance has come under increased scrutiny. Our Law Enforcement Disclosure report details Vodafone’s approach to responding to government demands for access to customer information, along with a breakdown of the legal powers governments hold. We also publish statistics on the number of law enforcement demands we receive on a country-by-country basis, where it is legal to do so and the government does not already publish such information.

Vodafone is one of the first communications operators in the world to provide this kind of country-by-country analysis of law enforcement demands, based on data gathered from our local licensed communications operators. We have committed to update the information disclosed in this report annually. We expect the contents and focus of the report to evolve over time and we will work with key stakeholders on the best way to do this.

Through the Law Enforcement Disclosure report, we:

  • explain the principles, policies and processes we follow when responding to law enforcement and intelligence gathering demands from agencies and authorities
  • explain the nature of some of the most important legal powers invoked by agencies and authorities in our countries of operation
  • disclose the aggregate number of demands we received over the last year in each of our countries of operation, unless prohibited from doing so, or if a government or other public body already discloses such information
  • cite the relevant legislation which prevents us from publishing this information in certain countries.

Read our first Law Enforcement Disclosure report, published in June 2014.

In February 2015, we updated the Legal Annexe to the Law Enforcement Disclosure report to provide, on a country-by-country basis, an overview of three further categories of legal power which may be used by government authorities – this time in the area of censorship. Those categories are: the shutdown of network or communication services; the blocking of access to URLs and IP addresses; and the powers enabling government agencies and authorities to take control of a telecommunication network.

The next full report will be available from mid-July 2015.

Creating the right culture

Our privacy and security programmes govern how we collect, use and manage customers’ information – ensuring the confidentiality of their personal communications, respecting their permissions and protecting and securing their information.

We promote a strong internal culture where our employees understand the critical nature of privacy and security risks and know how to manage them. Privacy and security are fundamental to our global Code of Conduct, by which all Vodafone employees are bound.

Our Privacy Commitments set out the principles that govern our approach to privacy and build customer trust through transparency, empowerment and reassurance (see feature below).

In focus: Privacy Commitments

  1. Respect: We value privacy because of its value to people. It’s about more than legal compliance – it’s about building a culture that respects privacy and justifies the trust placed in us.
  2. Openness and honesty: We communicate clearly about actions we take that may impact privacy, we ensure our actions reflect our words and we are open to feedback about our actions.
  3. Choice: We give people the ability to make simple and meaningful choices about their privacy.
  4. Privacy-by-design: Respect for privacy is a key component in the design, development and delivery of our products and services.
  5. Balance: When we are required to balance the right to privacy against other obligations necessary to a free and secure society, we work to minimise privacy impacts.
  6. Laws and standards: We comply with privacy laws and we will work with governments, regulators, policy makers and opinion formers for better and more meaningful privacy laws and standards.
  7. Accountability: We are accountable for living up to these principles throughout our corporate family, including when working with our partners and suppliers.

We can only ensure our customers’ privacy if we first ensure the security of their information and communications. Our Key Principles on Information Security set out how we securely create, use, store or dispose of all the information we manage so that it cannot be lost, stolen or manipulated, or used without our authorisation (see feature below).

We expect our employees to know how to protect customer information and to challenge others who fail to do so. Our global strategy, Doing What’s Right, raises awareness of security risks throughout the business and deepens our security culture.

In focus: Key Principles on Information Security

Customer information is one of the greatest assets we are entrusted with and must be protected appropriately. We handle vast amounts of customer information in a variety of forms – written, spoken, electronic and on paper – on a daily basis. It is vital that we secure and manage this information and can ensure its:

  • confidentiality: customer information must not be disclosed to, or accessed by, unauthorised people
  • integrity: customer information and software must be accurate, complete and authentic so that it can be relied upon
  • availability: customer information must be available when needed – including to our customers – and information systems and networks must function when required.

Managing privacy and security risks

New technologies such as mHealth, smart working, big data analytics and the Internet of Things offer significant economic and social benefits to people and businesses around the world (see Transformational solutions). But their use of personal data raises complex privacy and security risks.

Risk management is central to our approach to privacy and security. To help us identify and manage emerging risks, we assess the implications of our business strategy, new technologies, customer concerns, cyber threats and relevant industry developments.

We conduct regular formal reviews of the most significant privacy and security risks affecting our business at Group and develop strategies to respond to the most critical risks (see table below).

Our response may include investing in new capabilities or technologies, revising policies or working through associations such as the GSMA to influence others in our industry. We engage regularly with external stakeholders and draw on their expertise to help shape our strategy and respond to their concerns.

Understanding and responding to privacy and security strategic risks

Issue: Cloud services and hosting

Risk: Enterprise and consumer cloud-based services require the movement of data across international borders. Doing so helps us deliver faster services and reduce costs by avoiding duplication of infrastructure. This must be conducted lawfully, legitimately and securely, both within our own organisation and between Vodafone and its suppliers.

Vodafone’s approach: As part of our supplier engagement process, cloud service providers are evaluated from a legal and data protection perspective by specialist teams, to understand where data will be stored, what security arrangements for personal information are provided, and what contractual controls apply. Our contracts require all suppliers to advise us of any change in location of data storage and any data security breach.

Issue: Network traffic management

Risk: To deliver a high-quality network service, we need to manage the flow of telecommunications traffic across our network. For example, we may need to prioritise an uninterrupted video call over an email that is not so time critical. This requires us to examine some of the information, known as data packets, to identify the type of communication. The actual content, such as the text in a text message, is not inspected. This technique is sometimes referred to as deep packet inspection and can raise concerns about privacy.

Vodafone’s approach: We have a policy and a set of specific requirements that govern how we manage telecommunications traffic. Other than for the lawful purpose of managing traffic across our networks, our policy prohibits the use of network technologies that inspect data packets without an in-depth privacy impact assessment. This assessment ensures compliance with the law and allows us to evaluate and avoid or minimise the potential impact on the customer. Use of these technologies must be authorised by a senior executive at Group.

Issue: Advertising, analytics and big data

Risk: The vast amount of data generated by our customers has enormous potential value for mobile commerce and programmes with societal benefits, such as analysing traffic to support effective investment in transport infrastructure. The expansion of mobile connectivity into new fields means greater volumes of data. Even when anonymised and aggregated, concerns arise about how the value of big data can be unlocked while protecting individual privacy.

Vodafone’s approach: We have policies, guidelines and design principles for applications and services that use personal data. These seek to ensure that we provide customers with clear choices about how their data is used. We also research consumer perceptions and concerns to inform our strategy and help develop techniques that can enhance privacy.

Issue: Law enforcement assistance and human rights

Risk: Everywhere Vodafone operates, governments retain law enforcement powers that can limit privacy and freedom of expression. These include legal powers that require telecommunications operators to provide information about customers or users, or to put in place the technical means to enable information to be obtained for law enforcement purposes, such as lawful interception. Governments also retain powers to limit network access, block access to certain sites and resources or even switch off entire networks or services.

These powers have many legitimate purposes, including fighting crime and terrorism and protecting public safety. However, their use must be balanced with the respect for civil liberties and freedoms, including individuals’ privacy and freedom of expression.

Vodafone’s approach: We closely manage compliance with legal obligations in respect to law enforcement assistance and our relationship with law enforcement authorities, in order to maintain our respect for human rights. We also engage with governments to seek to ensure that legal provisions governing the use of these powers contain adequate protection for human rights.

Our Law Enforcement Disclosure report details our approach to responding to law enforcement demands for access to customer information, along with a breakdown of the legal powers governments hold. We also publish statistics on the number of law enforcement demands we receive on a country-by-country basis, where it is legal to do so and the government does not already publish such information. This report will be updated in mid-July 2015.

Our Global Policy Standard on Law Enforcement Assistance sets out our principles and standards on assisting law enforcement, including processes to ensure our actions are accountable at the most senior level.

Vodafone is a founding member of the Telecommunications Industry Dialogue and a signatory to its Guiding Principles on Freedom of Expression and Privacy. These define a common approach to dealing with demands from governments that may affect privacy and freedom of expression in a principled, coherent and systematic way.

Managing operational risks

A network of privacy officers use our Privacy Risk Management System (see Privacy centre) to help meet our Privacy Commitments in all our local markets. This provides a common framework to assess and improve our privacy programmes across the Group, while allowing the flexibility to respond to local privacy concerns, legal requirements or stakeholder expectations.

Our information and network security policies, practices and technologies include physical controls and advanced security monitoring systems to detect and respond to cyber threats in real time. These are regularly audited and tested. We also conduct risk assessments and due diligence to ensure our suppliers and partners meet our security standards.

Vodafone’s approach to Information Security is based on the principles of the international ISO 27001 standard and our core data centres in Germany, Hungary, India, Ireland and Italy are certified to this standard.

Our security systems are continually updated and monitored to detect and block cyber threats. But technology is only part of the answer. We employ around 800 people worldwide whose roles are wholly or partly focused on protecting our customers’ privacy and personal data. We also run global awareness and engagement programmes designed to ensure that all of our employees understand their role in protecting customers’ information.

Cyber threats pose a growing risk as they become more pervasive and sophisticated. We support relevant industry alliances and collaborations to develop standardised international rules and governance systems for behaviour in cyberspace. For example, Vodafone is a founding member of the Global Forum on Cyber Expertise, whose core objective is to strengthen cooperation on cyber security by creating more opportunities for governments, businesses, civil society, citizens, technical experts and academics from across the world to engage on and develop innovative solutions. Read more about our efforts to tackle cyber security below.

In focus: Taking action on global cyber security

The risk of cyber-attacks is treated by many countries as a priority threat to national security. Cyber threats – from competitors, hacktivists, cyber criminals, terrorists or nation states – pose a significant risk to our business and our customers.

Anticipating and preventing these threats is essential to ensure the security of critical national infrastructure that is supported by our networks and to maintain trust in e-commerce. We analyse and review cyber security threats and develop strategies to respond to the most critical risks.

Vodafone’s Global Security Operations Centre is designed to detect attacks as they happen and minimise their impact. This centralised security centre monitors our IT systems 24 hours a day, seven days a week, to enable us to respond to cyber threats in real time and provide the highest level of protection. We identify and deal with tens of millions of IT security attacks every month, to protect the information of over 400 million customers and ensure the best network performance.

We recognise that some attacks may be successful and may result in data being compromised. We have a robust business continuity management programme across Vodafone to ensure an effective and timely response to any emergency or crisis involving critical business operations. We align our business continuity management with International Standards, such as ISO 22301, and local legislation.