Keeping Our People’s Personal Data Safe


Extra precautions you need to be aware of.
Each day at work, we all strive to live Anglo American’s values, including treating people with care and respect. We apply the same care to our colleagues’ personal data, which should always be handled responsibly and treated with respect.

How IM helps to protect sensitive personal information
The IM data protection team uses tools to scan and audit our document storage platforms, such as OneDrive, SharePoint and Box, to identify sensitive personal information in files that may have been shared too broadly (organisation-wide or publicly). The permissions on each identified file are then changed to limit the number of people who can access it.

Examples of overshared sensitive information
When a health record is copied to a folder that the entire organisation can access.
Instead, share with intent – only when required and with people who have a valid reason to see it (authorised parties).

Sharing a credit card statement through an anonymous Box link.
Generate a Box link that can only be accessed by specified people – people you choose – and that is also protected with a password.

Sharing a spreadsheet of contact details that anyone can access, including external users.
Password protect the file, and restrict access to people who have a valid reason to access the information – both internal colleagues and external users.

So, how does this affect you?
Well, it shouldn’t. All you need to know is that you can continue to work as usual, knowing these safeguards are already in place.

But, if you’ve shared sensitive personal information too widely, you should expect the file’s permissions to be changed to restrict access and protect the contents. (So when you get a request to access a file you’ve previously shared, this could be why…) This will not stop you from accessing your file or sharing it with specific people who have a valid reason to access it.

What if I have a valid reason to share sensitive personal information with the entire organisation?
Please log a Request to share sensitive data via the IT self-service portal.

How do I share sensitive information responsibly?

More information
More guidance is available on the Data Protection Eureka page, including information about handling personal data, and the latest policies, procedures, and guidelines. And you can learn how to better protect our colleagues’ personal data by Labelling (classifying) your data (sharepoint.com).

Supporting material
What is sensitive information?
Video

Important data privacy policies, procedures and guidelines
Our Group Data Privacy Policy explains the rules for handling personal data at Anglo American, aiming to raise awareness of privacy laws and set the standards we must follow.

Our Group Privacy Review Procedure ensures that any new or changed personal data project is reviewed to comply with our Data Privacy Policy and relevant privacy laws.

Our Group Data Retention Procedure requires that personal data is kept only as long as necessary. Once no longer needed, it must be disposed of or anonymised to protect individuals’ privacy.

Our Personal Data Retention Guidelines explain how Data Stewards and Process Owners should follow the Group Personal Data Retention Procedure and Group Data Policy to manage personal data retention and disposal.

Our Group Personal Data Retention Schedule lists recommended data retention periods for various business areas. Data Owners and Stewards should use it to follow retention and disposal rules, based on legal requirements, business needs, or industry standards.

Our Global IM Security Information classification standard explains the legal obligations we have, as an organisation and as colleagues, to protect certain information as required by regulators in the countries where we operate.
