To truly understand the potential impacts and scope of an incident or privacy issue, you must track back to the root cause. Take time to ensure that you have identified the correct root cause and that you understand the downstream impacts the issue may have. For example, if correspondence has been sent to the wrong party the root cause could be several different things. It could be the result of human error—an employee printing the letter and manually mailing it to the wrong person; it could be driven by a recent change to the system that generates all letters that was not thoroughly tested, or it could have been a data processing error where the address was keyed incorrectly. Understanding the true root cause is critical in fixing this issue and preventing it from recurring in the future.
Once you have identified the root cause, then you need to develop a corrective action plan. The corrective action plan must correlate directly to the root cause that you have identified. For instance, if we take a look at our example in the case of human error where an employee mailed the letter to the wrong recipient, the employee would need to be coached and counseled on quality-checking processes or quality-checking processes may need to be established or enhanced. In the second scenario, driven by a recent change to the system that generates all letters that was not thoroughly tested, testing protocols and full regression testing processes may need to be established or enhanced to ensure that testing occurs end to end. Or, in the data processing scenario where the address was keyed incorrectly, the employee would need to be advised of the error and retrained on quality-checking processes or those processes expanded to prevent recurrence. Whatever the scenario is, make sure that you formally document the root cause of the issue and the corrective action plan, including the names of responsible parties and timelines.
In a situation where an issue or incident was caused by an employee, formally document any sanctions taken with that employee. The documentation of sanctions should include all levels of sanctions, anything from coaching or counseling up to termination. If the employee was coached or counseled on the error and retrained on the quality process, have the manager formally document that and store that information in a place where you can to get it if and when needed, such as the associate’s HR file. The documentation of the sanctions taken is not to be punitive to the employee but rather to make sure that the privacy office has access to this information. If you do not include it in the employees file, you run the risk of the manager leaving the company or losing the ability to find the documented sanctions when needed. Often if regulators receive a complaint about a privacy incident/issue, they want to see the related documentation, including how you addressed the situation to prevent it from happening again.
Taking the time to identify and document the proper root cause of an incident or privacy issue, creating a formal corrective action plan, and documenting sanctions will save you time and frustration if this information is needed to respond to a regulatory inquiry. Even if the full corrective action plan has not been completed, you can show that you are aware of the issue and that you are taking the proper steps to address the issue.