Privacy and security – Our approach

The way we handle privacy and security is a vital part of our responsibility to customers and essential to the success of our business.

Our customers trust us with their personal information and their privacy. Protecting that information and respecting their privacy is fundamental to maintaining their trust. Our privacy and security programmes govern how we collect, use and manage customers’ information – from ensuring the confidentiality of their personal communications and respecting their permissions and preferences, to protecting and securing their information.

Read on to find out more about our approach. Or go to Performance to read about our progress in 2012/13.

In focus: How can mobile technology affect customers’ privacy and security?

We understand that customers may be concerned about the privacy and security of their personal information as they use their mobile phones more and more and for different purposes. We help customers manage a wide range of privacy and security risks that may affect them when using mobile and other communications services.

Risks include:

  • Confidentiality of their personal and private communications – a basic issue for a communications company

  • Collection of their personal information – mobile operators have access to a lot of sensitive information including customers’ personal communications, their location and how they use the internet

  • Security of their personal information – the complexity of technology, threats from hackers and the potential for human error can lead to information being lost or deleted or getting into the wrong hands

  • Use of their personal information – as more services use mobile data for advertising and analytics, customers need to be able to control how information is used and provide consent

  • Additional privacy issues from smart phones, apps and new technologies (such as connected cars, smart grids and mHealth) – for example, mHealth services may mean that patient health records are transmitted across mobile networks and individual apps often require their own privacy permissions to collect and use data

Creating the right culture

Everyone at Vodafone must have a clear understanding of how important protecting and respecting our customers’ information is to our business. We continue to create a strong culture where our employees display an intuitive awareness of privacy and security risks and know how to manage them. This will help us retain the trust of our customers and the respect of our colleagues, as well as the admiration of our stakeholders and peers.

We have set out our commitment to privacy and security at the highest level, in our global Code of Conduct, which all Vodafone employees are bound by.

Our Privacy Commitments, which are part of our Code of Conduct, set out the principles that govern our approach to privacy (see feature below).

In focus: Privacy Commitments

Respect: We value privacy because of its value to people. It’s about more than legal compliance – it’s about building a culture that respects privacy and justifies the trust placed in us.

Openness and honesty: We communicate clearly about actions we take that may impact privacy, we ensure our actions reflect our words, and we are open to feedback about our actions.

Choice: We give people the ability to make simple and meaningful choices about their privacy.

Privacy-by-design: Respect for privacy is a key component in the design, development and delivery of our products and services.

Balance: When we are required to balance the right to privacy against other obligations necessary to a free and secure society, we work to minimise privacy impacts.

Laws and standards: We comply with privacy laws, and we will work with governments, regulators, policy makers and opinion formers for better and more meaningful privacy laws and standards.

Accountability: We are accountable for living up to these principles throughout our corporate family, including when working with our partners and suppliers.

We can only ensure customers’ privacy if we first ensure the security of their information and communications. Information security is therefore an essential foundation for our programme. Our Key Principles on Information Security (see feature below) set out how we securely create, use, store or dispose of all information we manage so that it cannot be lost, stolen, manipulated or used without Vodafone’s authorisation. We expect our employees to know how to protect customer information and to challenge others who fail to do so.

In focus: Key Principles on Information Security

Customer information is one of the greatest assets we are entrusted with and must be protected appropriately. We handle vast amounts of customer information in a variety of forms – written and spoken, electronic and on paper – on a daily basis. It is vital that we secure and manage this information and can ensure its:

  • Confidentiality: Customer information must not be disclosed to, or accessed by, unauthorised people

  • Integrity: Customer information and software must be accurate, complete and authentic so that it can be relied upon

  • Availability: Customer information must be available when needed – including to our customers – and information systems and networks must function when required

Understanding and responding to risks

Risk management is at the heart of Vodafone’s approach to privacy and security. Scanning the horizon for emerging issues – and opportunities (see Performance) – is essential to help us understand and manage strategic risks. We do this by examining the implications of our business strategy, new technologies and business models, areas of concern for customers, and industry developments within our own and related markets.

Many of the latest developments in the ICT sector raise privacy and security issues, concerns and opportunities. These include ‘big data’ analytics (see below), connected cars, smart cities, smart metering (see Low carbon solutions), mHealth, mobile payments and smart working.

We conduct regular formal reviews of the most significant privacy and security risks affecting our business at Group level. Based on these reviews, we develop strategies to respond to the most critical risks (see below). Responses may include developing new internal policies, investing in new capabilities, technologies and programmes, or influencing the positions of our industry peers and partners through associations such as the GSMA.

To help shape our strategy on privacy and security, and ensure our responses to stakeholder concerns are robust, we draw on the expertise of external advisors including Vodafone’s Sustainability Expert Advisory Panel (see Stakeholder engagement) which includes distinguished experts from a range of disciplines, including privacy and human rights.

In focus: Vodafone Germany’s Ombudswoman for Data Protection – Ms Renate Schmidt

Vodafone Germany’s dedicated Data Ombudswoman acts as a trusted advisor to the business on the rights and interests of Vodafone Germany’s customers regarding privacy and data protection. Former federal minister Renate Schmidt, appointed in 2008, brings a wealth of knowledge and experience to the role. Her guidance and insight are also sought more widely for input on the Vodafone global privacy programme and specific privacy initiatives.

Managing critical privacy risks

Based on our strategic risk review (see above), some of the most critical privacy risks we face include:

Global information flows and data management

As we deliver better services faster, increase our cloud-based services to enterprises and customers, and reduce costs by avoiding duplication of infrastructure in different markets, we increasingly need to move data across international borders.

We must ensure that the movement of customer data across borders is conducted lawfully, legitimately and securely, both within our own organisation and between Vodafone and its suppliers.

We operate a global information governance system that enables us to track the flow of customer data and ensure we apply appropriate governance and legal processes. We have robust, standardised security processes within our own operations (see below) and employ specialist teams to evaluate the governance and controls of our suppliers.

Traffic management

To deliver the quality of service customers expect, we need to manage the flow of communications traffic across our network. For example, we may need to prioritise an uninterrupted video call over an email (which is not so time critical). To do this, we need to examine some of the information, or data packets, attached to the communication. This type of technique is sometimes referred to as deep packet inspection.

Knowing more about these data packets – and thus about the nature of our customers’ communications – naturally raises privacy concerns. We have clear, specified governance and policy requirements around the use and deployment of these types of techniques. Any application of network technologies involving the inspection of data packets is subject to an in-depth privacy impact assessment – which enables us to identify and develop solutions to manage any risks – and must be authorised at senior Group executive level.

Advertising, analytics and ‘big data’

The vast amount of data generated by our customers on mobile devices, services and networks has enormous potential value for mobile commerce, as well as for programmes with societal benefits, such as analysing trends in public health. The expansion of mobile connectivity into new fields, such as connected cars, smart metering and mHealth, means ever greater volumes of data are being generated. Even when this information is anonymised and aggregated, concerns arise about how the value of such ‘big data’ can be unlocked while protecting individual privacy.

Our internal policies, guidelines and design principles for applications and services that make use of ‘big data’ help us ensure we provide customers with transparent information and clear choices about how their data is used. We also research consumer perceptions and concerns to inform our strategy and explore and develop techniques that can enhance privacy (see Performance).

In focus: Privacy-by-design

We are committed to building privacy considerations into our products and services from the outset, and using our influence to shape the technologies of our partners and peers.

Our series of privacy design principles guide product development teams in shaping and designing products. For instance, our Visible Privacy Design Principles provide a framework to make sure we give users control over how they manage their privacy and how their data is collected, used and shared.

We provide privacy resources and guidance to third party developers, which are published on our Developer Portal. And we also work with industry organisations and application developers to create guidelines and policies, such as the GSMA’s Mobile Application Privacy Guidelines, to ensure our partners and suppliers build privacy into the products and services they design.

Location services

The ability of mobile operators to identify the location of users has enormous potential to enrich services, applications and business offerings. For example, location-based services can help companies use field staff more efficiently and provide useful localised information for consumers. But the idea of being tracked without one’s knowledge or approval is frequently cited as a concern. Our policies on application and service design ensure we build privacy requirements into every location-based product we offer (see Performance for more on Vodafone Locate).

Assisting law enforcement

In every country where Vodafone operates, governments retain law enforcement powers that can limit privacy and freedom of expression. These include legal powers that require telecommunications operators to provide information about customers or users or to put in place the technical means to enable information to be obtained for law enforcement purposes, such as lawful interception. Governments also retain powers to limit network access, to block access to certain sites and resources or even switch off entire networks or services.

These powers have many legitimate purposes, including fighting crime and terrorism, and protecting public safety. However, these powers must be balanced with the respect for civil liberties and freedoms, including individuals’ privacy and freedom of expression. We closely manage and monitor compliance with these legal obligations and our relationship with law enforcement authorities to ensure human rights are respected.

Vodafone’s Global Policy Standard on Law Enforcement Assistance sets out our principles and standards on assisting law enforcement, including processes to ensure our actions are accountable at the most senior level.

Vodafone is also a founding member of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy, a group of global telecoms companies working together and in collaboration with the Global Network Initiative to address issues of privacy and freedom of expression. Vodafone is a signatory to the Industry Dialogue’s Guiding Principles on Freedom of Expression and Privacy (pdf, 728kb), which define a common approach to dealing with demands from governments that may affect privacy and freedom of expression in a principled, coherent and systematic way across the industry.

Managing operational risks

Our network of privacy officers across the Group uses our comprehensive Privacy Risk Management System (see box below) to help us live up to our Privacy Commitments in our day-to-day operations, while ensuring that we are prepared to respond to new privacy and security concerns and risks as they emerge. This system provides the flexibility to respond to local privacy concerns, legal requirements or stakeholder expectations, while providing a common framework to build and measure the maturity of our programme and implement improvements across all key areas of our business operations.

In focus: Vodafone Privacy Risk Management System

Supplier review – Process to review suppliers, such as outsourced call centres and companies that provide hosting platforms and customer data, and ensure measures are in place to protect privacy

Product and service review – Processes for taking privacy into account when developing products and services (such as privacy-by-design in mobile applications)

Incident management – Process for managing incidents, such as data security incidents and losses of data

Disclosure – Processes for governing all disclosures of personal information, such as in response to legally mandated government requests and assisting law enforcement authorities

Data management and retention – Processes for managing the lifecycle of data, including destruction and retention of data

Privacy impact assessment – Processes for identifying, prioritising and conducting privacy impact assessments, such as for specific business units, technologies or products

Personal information location register – A register of personal information assets, enabling the effective management of all personal information

Critical privacy risk management – Processes for ensuring that strategies and policies developed to address critical privacy risks are effectively implemented

Review and reporting – Processes to ensure that all the above are reviewed and reported to executive management, with identified improvements included in business plans

Our privacy programme is underpinned by extensive information and network security practices and technologies designed to secure the infrastructure and systems on which our business and our customers’ privacy are based. These include advanced security monitoring systems to detect and respond to incidents and issues in real time (see box on our Global Security Operations Centre), physical controls, including appropriate vetting of people to guard against misuse of access or privileges by our own staff, and significant investment in security technologies. The robust information security policies, processes and procedures supporting these controls are regularly audited and tested.

We follow industry best practices in line with ISO 27001, the international standard for information security management systems. Our core data centres in Germany, India, Ireland and Italy are certified to this standard. We require our external suppliers and partners to meet defined minimum security standards, and we conduct risk assessments and due diligence exercises to provide assurance that these are being met in practice.

Operational risk management is as much about prevention as it is about detection and treatment. We run a series of coordinated global awareness and engagement programmes designed to ensure our staff understand the vital importance of privacy to our customers, including the role that individual employees have in protecting the security of customers’ information.

Our Group Privacy and Security Governance Forum ensures coordination and alignment between our Group-level privacy and security functions to provide end-to-end protection of customer information.

Taking action on global cyber security

Organisations like Vodafone must use every tool they can to stay ahead of the constant threat of cyber-attacks by malicious hackers that, if successful, could have a huge impact on customer security and privacy.

To detect attacks as they happen and minimise their impact, Vodafone created the Global Security Operations Centre (GSOC). This centralised security centre monitors our IT systems 24 hours a day, seven days a week, to enable us to respond to cyber-threats in real time and provide the highest level of protection.