Privacy and security – Performance in 2014/15

Respecting privacy, protecting security and putting customers in control of their information is critical to our continued success.

Our investment in security measures is more important than ever. Cyber-attacks are becoming more sophisticated. And wider use of social media is leading to an increase in identity theft and attempts by fraudsters to gain access to confidential information by posing as others online.

Government access to individuals’ private communications has come under increased scrutiny. Our Law Enforcement Disclosure report aims to increase transparency and improve understanding of this issue.

Putting customers in control

We put customer needs at the heart of our approach to privacy. We see huge potential to differentiate our brand by offering products and services designed to support customers in improving their privacy and security.

A new approach to transparency

Personal data belongs to our customers. We are building tools that put them in control by enabling them to easily view and update the permissions they grant to use their data. We believe the best way to address our customers’ concerns is to make a clear and bold promise to them. We want to make sure that when we talk to our customers about privacy it is not confusing or hidden in legal small print.

To assess and understand customer concerns and awareness of privacy issues, we surveyed 11,000 customers across 11 European markets in 2014/15. This research helped us understand and quantify the commercial benefits of a customer-centric approach to privacy and permissions. We also conducted in-depth conversations with customers about their needs and their desire to manage their information.

Based on this research, we are rolling out improved tools for our customers that will enable them to take control of their personal information so that they can easily see the type of information Vodafone holds about them, find out how this information is used and consent or withdraw their permission for its use. We intend for these tools to be accompanied by a clear promise to our customers which details how we will treat their data, written in terms they can understand.

Privacy and security by design and by default

We build privacy into our products and services from the outset. Please see the case study below.

In focus: Vodafone Net Perform demonstrates privacy by design

The Vodafone Net Perform application, introduced in 14 local markets in 2014/15, demonstrates privacy by design in practice. Net Perform is a device analytics application that gives customers the ability to monitor their data usage, WiFi usage, mobile performance and test network speeds. Customers can see how much data their apps are using and which ones use the most data on their devices.

Vodafone Net Perform also helps us improve our service by capturing detailed insights into the quality of service that our networks and devices provide for our customers. Privacy is protected by anonymising the data on the device, reporting it only as aggregated statistics and providing interactive features to help customers intuitively understand and control how their data is collected and used, rather than relying solely on legalistic privacy disclosures.

Several of our products demonstrate the potential of privacy and security as a business opportunity for Vodafone. In 2014/15, we introduced Secure Net in six local markets. This service helps protect customers and their families from harmful content, including phishing sites and malware, when using the Vodafone network. A complementary service, Secure Net Companion, offers customers end-to-end protection across our network and when they are using their device over Wi-Fi.

We have been investigating how to build privacy management capabilities into our Machine-to-Machine (M2M) platform and embed privacy features into the next generation of M2M technology (such as smart metering, connected cars and wearable technology). Our approach takes into account recent positions from regulators, such as the US Federal Trade Commission and the European Commission, and translates these positions into requirements for our business. We are also working with organisations like the GSMA to create a standard industry approach.

Strengthening our programmes

In 2014/15, we continued to address emerging privacy and security threats and vulnerabilities through ongoing monitoring and compliance programmes. Remediation plans have been put in place to address deficiencies identified through these programmes. We also recognise that if things do go wrong, we need to act quickly and openly to protect our customers. We piloted a new customer privacy impact service to ensure that when incidents occur they are managed effectively and that we always put the customer first.

Our internal audit teams conducted in-depth assessments in 2014/15 to test how effectively our global privacy risk management systems are working in the Czech Republic, Germany and Spain. No major non-compliance issues were found. We also undertook an audit of three Vodafone service centres, which provide internal technology and process support for our employees, where some non-compliance issues were identified. We are reviewing the findings and will follow up with these centres.

Our local markets conducted a total of 425 privacy risk impact assessments for new products and services in 2014/15. In addition, we conducted an internal strategic review of our cloud services to ensure a consistent global approach to cloud privacy and security, whether for our internal use or for our customers. As countries around the world move towards requirements for local hosting of essential data, we monitor these developments and ensure that our global platforms and centralised services can comply and compete.

We also assessed compliance with our Global Policy Standard on permissions and audited the permissions we capture from customers to hold and use their data across all our local markets for products and services in areas like marketing, analytics and advertising. This helped us understand how well we are implementing our guidelines on being transparent with customers about choosing which information to share and how it is used. We continue to work with our local privacy teams to ensure our global policy on the permissions required to use customer information is integrated in our processes across the business.

Our acquisition of Cobra Automotive Technologies (now called Vodafone Automotive) brought with it the development of new capabilities in M2M technology for the automotive field. We will publish a white paper in 2015/16 on how we are designing privacy into our connected car proposition. This will include recommendations for establishing industry standards around privacy for the emerging connected car and usage-based insurance sectors.

Nurturing a culture of privacy and security

Raising awareness of privacy and security issues among employees is critical to our efforts and we use a wide range of tools to communicate effectively on this issue across the business. Our global privacy and security awareness online portals contain policies and guidance, for example on how to work securely at home, in the office and on the move.

Training on the importance of privacy and security is included in our Doing What’s Right e-learning course for all employees (see Ethics). In 2014/15, we launched global e-learning modules on privacy and security for employees in high-risk roles around the world, including those who make decisions about product design, respond to government requests or deal with highly confidential information on a daily basis. In the 14 months since its launch, more than 83,000 employees (around 82% of our workforce) have completed the Privacy Basics module.

In December 2014, we ran our fifth annual global Privacy Summit – a week-long series of virtual events, focused on navigating emerging challenges in privacy, including our competitive environment, new technologies and changing legal frameworks governing privacy and data protection around the world. Over 600 people from across Vodafone visited the website to watch videos, read articles and participate in interactive features.

Contributing to policy and debate

In 2014/15, we continued to participate in dialogue and debate about appropriate data regulatory regimes around the world, including the EU General Data Protection Regulation, ePrivacy Directive review, Big Data strategies, Cybersecurity Strategy and the European Commission’s proposal for a Directive on Network and Information Security.

Government surveillance remains a topic of public scrutiny and debate. In 2014/15, we engaged extensively on this issue with stakeholders in government and across civil society and the media, including through our participation in the Telecommunications Industry Dialogue on Freedom of Expression and Privacy (see below). Our pioneering Law Enforcement Disclosure report was recognised in the 2014 Public Relations Consultants Association (PRCA) Awards for its impact on the dialogue around government surveillance, winning the best international campaign award. We are committed to promoting better transparency, clarity, consistency and due process in government assistance requests. We have engaged in discussions on this topic with governments in markets where we operate, including Australia, Germany, Malta, the Netherlands, Portugal, Spain and the UK.

Ubiquitous connectivity, big data and the Internet of Things have huge implications for our business, the wider industry and society as a whole. In 2014/15, we advocated for appropriate privacy protocols and industry standards in these areas that will allow us to effectively manage privacy and security risks, while enabling consumers and businesses to realise the benefits of these global trends.

Vodafone participates in external programmes to strengthen cyber security standards and define minimum standards that industry and nation states should be expected to adhere to. These include government programmes in the EU, US and the Commonwealth and those run by NGOs such as the Internet Security Alliance. Through these external programmes, we promote a Cyber Social Contract between industry and government, working collaboratively to identify effective standards and practices in response to cyber threats. However, minimum universal standards can only go so far. It is critical for Vodafone and other businesses to build on these standards to suit the unique risk profile of their organisations and keep pace with continually evolving threats.

Implementing industry principles on freedom of expression and privacy

Vodafone is a founding member of the Telecommunications Industry Dialogue on Freedom of Expression and Privacy to advance freedom of expression and privacy rights in the telecoms industry. Vodafone was the chair of the Industry Dialogue between April and October 2014. Find out more about the work of the Industry Dialogue in its second annual report (pdf, 1.6 MB).

We are a signatory to the Industry Dialogue’s Guiding Principles on Freedom of Expression and Privacy (pdf, 754 KB). These set out a common approach to dealing with privacy and freedom of expression in a principled, coherent and systematic way across the industry. They are closely aligned with Vodafone’s own existing Global Policy Standard on Law Enforcement Assistance. We continue to work to embed this policy and its guiding principles and drive continuous improvement. The table below sets out Vodafone’s status and activities on each of the principles.

Our Law Enforcement Disclosure report provides more detail on our approach to responding to law enforcement demands. The second edition will be published in mid-July 2015.

Vodafone’s alignment with the Industry Dialogue’s Guiding Principles on Freedom of Expression and Privacy

Telecommunications companies should, to the fullest extent that does not place them in violation of domestic laws and regulations, including licence requirements and legal restrictions on disclosure:

Guiding Principle Vodafone’s alignment
1. Create relevant policies, with Board oversight or equivalent, outlining commitment to prevent, assess and mitigate to the best of their ability the risks to freedom of expression and privacy associated with designing, selling and operating telecommunications technology and telecommunications services.

We closely manage and monitor compliance with legal obligations and our relationship with law enforcement authorities to address respect for human rights. Our Privacy Commitments and Global Policy Standard on Law Enforcement Assistance, with Executive Committee (ExCo) sponsorship, set out the requirements for balancing the potentially conflicting requirements of respecting privacy and assisting law enforcement. These outline that accountability is held at the most senior level. We carried out a global audit of compliance with the policy in 2013/14. It included detailed on-site reviews of the operational management of law enforcement assistance and compliance with our policy standard in certain markets.

2. Conduct regular human rights impact assessments and use due diligence processes, as appropriate to the company, to identify, mitigate and manage risks to freedom of expression and privacy – whether in relation to particular technologies, products, services, or countries – in accordance with the Guiding Principles for the implementation of the UN Protect, Respect and Remedy framework.

A range of due diligence processes are in place. These include:

  • regular formal reviews of the most significant privacy and security risks affecting our business at Group, and strategies to respond to the most critical risks (see Our approach)
  • a due diligence process undertaken before entering new markets, acquiring businesses or establishing new partnerships. This process incorporates human rights issues such as corruption, respect for privacy, internet freedom and freedom of expression. It assesses and highlights the potential impacts or risks associated with entering new markets. Our human rights impact assessment process for potential new markets identified as high risk was further strengthened in 2013/14
  • our Global Advisory Forum brings together a cross-functional group of experts from across Vodafone Group to provide input on potential new products, services and technologies, ensuring that privacy and freedom of expression are taken into account at the earliest stage of the design process. We conduct privacy impact assessments, require compliance with the law and evaluate the potential impacts on the customer, so that they can be avoided or minimised. Privacy impact assessments for products and services developed by our local markets are also a key part of our Privacy Risk Management System.

3. Create operational processes and routines to evaluate and handle government requests that may have an impact on freedom of expression and privacy.

Our Global Policy Standard on Law Enforcement Assistance includes guidance for evaluating and, where necessary, escalating demands from law enforcement agencies. Governance controls in our Policy Compliance Review measure how our local markets adhere to the global standard. As part of the 2014 review, the governance controls were tested across all our markets and the majority were found to be compliant. Seven markets strengthened their controls in this area as a result. Only one market had a remedial action outstanding by the end of 2014/15 and that action has since been completed.

4. Adopt, where feasible, strategies to anticipate, respond and minimise the potential impact on freedom of expression and privacy in the event that a government demand or request is received that is unlawful or where governments are believed to be misusing products or technology for illegitimate purposes.

The Global Policy Standard on Law Enforcement Assistance provides requirements on challenging law enforcement where we have reasonable grounds to believe the demand is not legally mandated or is unlawful. It requires operating companies to bring together the right people to consider the possible impacts and actions and use their judgement.

5. Always seek to ensure the safety and liberty of company personnel who may be placed at risk.

Vodafone’s Code of Conduct includes a high-level commitment to protect the health, safety and well-being of our employees. The Global Policy Standard on Law Enforcement Assistance requires potential personal risk to individuals to be considered in any decision to challenge law enforcement demands.

6. Raise awareness and train relevant employees in related policies and processes.

Our Global Policy Standard on Law Enforcement Assistance includes a requirement on training and awareness, and we continually raise awareness as part of our wider privacy communications campaigns (see Our approach).

In 2014/15, we rolled out a global e-learning course on Privacy and Human Rights. The course is designed for those who make decisions about government and law enforcement requests, but is available to employees in almost all markets. By the end of March 2015, it had been completed by more than 12,000 employees worldwide. This topic is also incorporated into our general internal privacy awareness campaigns (see Our approach).

7. Share knowledge and insights, where relevant, with all relevant and interested stakeholders to improve understanding of the applicable legal framework and the effectiveness of these principles in practice, and to provide support for the implementation and further development of the principles.

We regularly share knowledge and engage with stakeholders on these issues, for example through the stakeholder engagement activities of the Telecommunications Industry Dialogue (pdf, 1.6 MB). In 2014, Vodafone joined the panel of one of the two GNI/Industry Dialogue joint learning forum events, which were attended by a total of approximately 120 participants from industry, academia, government and non-governmental organisations. The forums focused on the theme of Transparency and Human Rights in the Digital Age.

Since April 2014, the Industry Dialogue’s quarterly meetings have been extended to include a roundtable discussion with stakeholders including investors, government officials, members of civil society and academia and other companies. During these meetings, Industry Dialogue companies have shared the challenges they face and progress they have made in implementing the Industry Dialogue’s Guiding Principles.

Vodafone has shared knowledge and engaged with stakeholders through a number of forums. For example, we participated in the Big Brother Watch Events, Civil Liberties in a digital age, at the three main UK political party conferences in 2014.

We provide information through this Group sustainability report, our online Privacy centre and in our Law Enforcement Disclosure report.

In February 2015, we updated the Legal Annexe to the Law Enforcement Disclosure report to include a review of three further categories of legal power that may be used by government agencies and authorities to restrict the use of communication networks or to restrict access to certain content or services. The three categories relate to:

  • shutdown of networks or communication services
  • blocking of URLs and IP addresses
  • taking control of a telecommunications network.

8. Report externally on an annual basis, and whenever circumstances make it relevant, on their progress in implementing the principles, and on major events occurring in this regard.

The Law Enforcement Disclosure report and this Privacy and security section of our Group sustainability report cover Vodafone’s approach and activities on these issues.

During 2014/15, we continued to communicate guidance on the definition and reporting process for major events to our local markets.

9. Help to inform the development of policy and regulations to support freedom of expression and privacy, including, alone or in cooperation with other entities, using its leverage to seek to mitigate potential negative impacts from policies or regulations.

The Global Policy Standard on Law Enforcement Assistance covers engagement with governments on these issues and we regularly contribute to the dialogue on the development of policies on a national and international level. We seek to ensure that legal provisions governing the use of powers to access information about customers or users of our services contain adequate protection for human rights. We are committed to working for better transparency, clarity, consistency and due diligence processes in government demands for assistance. We have engaged on this topic with governments where we operate including in Australia (our joint venture), Germany, Malta, the Netherlands, Portugal, Spain and the UK. For example, in 2014 Vodafone provided input to the independent review of the UK’s terrorism legislation.

We also contribute to the dialogue on the development of policies at a national and international level through the Telecommunications Industry Dialogue. A number of inputs on these issues are available on the Telecommunications Industry Dialogue website.

10. Examine, as a group, options for implementing relevant grievance mechanisms, as outlined in Principle 31 of the UN Guiding Principles for Business and Human Rights.

During 2014/15, the Industry Dialogue companies have continued to share ideas on how to implement operational-level grievance mechanisms and reviewed examples and guidance from other sectors.

Vodafone has a number of mechanisms whereby grievances can be raised. Employees and contractors in all local markets can use our global external reporting scheme, Speak Up, to report concerns (see Ethics). Customers can raise complaints or concerns through established contact channels, which vary in the countries where we operate. They include direct communication with Privacy or Data Protection Officers, or complaints through third-party mechanisms such as rating and certification organisations.