(Cross-posted on the Public Policy and European Public Policy Blogs)
- First, people: we have appointed Alma Whitten as our director of privacy across both engineering and product management. Her focus will be to ensure that we build effective privacy controls into our products and internal practices. Alma is an internationally recognized expert in the computer science field of privacy and security. She has been our engineering lead on privacy for the last two years, and we will significantly increase the number of engineers and product managers working with her in this new role.
- Second, training: All our employees already receive orientation training on Google’s privacy principles and are required to sign Google’s Code of Conduct, which includes sections on privacy and the protection of user data. However, to ensure we do an even better job, we’re enhancing our core training for engineers and other important groups (such as product management and legal) with a particular focus on the responsible collection, use and handling of data. In addition, starting in December, all our employees will also be required to undertake a new information security awareness program, which will include clear guidance on both security and privacy.
- Third, compliance: While we’ve made important changes to our internal compliance procedures in the last few years, we need to make further changes to reflect the fact that we are now a larger company. So we’re adding a new process to our existing review system, in which every engineering project leader will be required to maintain a privacy design document for each initiative they are working on. This document will record how user data is handled and will be reviewed regularly by managers, as well as by an independent internal audit team.
Finally, I would like to take this opportunity to update one point in my May blog post. When I wrote it, no one inside Google had analyzed in detail the data we had mistakenly collected, so we did not know for sure what the disks contained. Since then a number of external regulators have inspected the data as part of their investigations (seven of which have now been concluded). It’s clear from those inspections that while most of the data is fragmentary, in some instances entire emails and URLs were captured, as well as passwords. We want to delete this data as soon as possible, and I would like to apologize again for the fact that we collected it in the first place. We are mortified by what happened, but confident that these changes to our processes and structure will significantly improve our internal privacy and security practices for the benefit of all our users.
Tidak ada komentar:
Posting Komentar