Third-party collection agencies maintain clean desk policies to protect the confidential, personal or sensitive information belonging to agency clients and consumers. A component of compliance management systems (CMS), clean desk policies work in concert with secure controls over networks, file transfer protocols, data storage, backup systems, employee training programs, authorized access to buildings and call centers, payment processing systems, and vendor management policies and procedures. Clean desk policies at agencies are often designed by legal teams and audited by compliance and quality assurance departments.
The policies (aka clear desk policies) became a necessity with the passage of federal laws such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Gramm-Leach-Bliley Act (1999), and Red Flags Rule (2008). Some states augment the federal laws to provide greater levels of protection. Best-in-class agencies are fully compliant with the standards established by these laws and often take them one step further to provide even greater security.
Debt collectors, in particular, must follow the policies because they represent the front lines of communication with consumers. Collector workstations or cubicles — an office design feature introduced in the 1960s — are at the core of clean desk policies implemented by collection agencies and a variety of public and private institutions including banks, hospitals, universities and government offices.
Article Summary
- What is the purpose of clean desk policies?
- What factors are addressed in clean desk policies?
- What are the related security measures?
- How are clean desk policies enforced?
- What are the takeaways from clean desk policies?
What is the purpose of clean desk policies?
These policies protect and restrict the use of client and consumer data in three specific forms (paper, electronic and spoken word) while collectors are at their work stations.
Client and consumer information is defined as account numbers from financial institutions (e.g. banks, lenders and credit card companies), government-issued identification numbers (e.g. driver's licenses and Social Security cards), personal contact information, account balances, medical and legal records, passwords, PINs and more.
Furthermore, collection agency staff may not remove this information from their work stations without proper authorization, and are prohibited from transcribing it or transmitting it via email.
What factors are addressed in clean desk policies?
Clean desk policies include the setup of call center work stations, the handling of consumer data while collectors are at their work stations, and lists of items that are approved for or prohibited from use at work stations.
Approved work station items may include company hardware (computer, monitor, keyboard, mouse, phone and headset), agency reference materials, and a white board and dry erase marker. All other items are prohibited from cubicles, including:
- Pens, pencils or any type of writing device other than dry erase markers.
- Any type of writing medium such as paper, note pads or post-it pads other than a white board.
- Cell phones, tablets, smart watches, cameras, video recorders or any device capable of capturing data or images.
- Personal belongings, with the exception of keys, including handbags, backpacks, shopping bags, lunchboxes or coolers.
Collection agencies typically provide lockers for storing personal items outside the call center while collectors are on duty.
What are the related security measures?
Some agencies also implement additional measures to protect consumer data. For example, electronic consumer information is only accessed if and when it is needed by collectors to conduct collection activities. Otherwise, consumer data is stored securely when not in use.
Related security measures at compliant agencies include the following rules:
- Collectors may not discuss consumer accounts with anyone outside the company.
- Consumer information may not be removed from the agency premises.
- Consumer payment information may not be stored at work stations.
- Hard copies of consumer information are placed in secure shredding bins instead of trash cans.
- White boards are erased after every consumer interaction.
- Hard copies of consumer information are immediately removed from printers and fax machines.
How are clean desk policies enforced?
Agency compliance departments are generally responsible for implementing and enforcing clean desk policies. Compliance officers and operations managers often conduct monthly audits of work stations and other areas of the call center such as training areas. Violations are recorded (including specific non-compliant items or practices) and disciplinary action is levied proportionately if necessary. For example, three or more violations in a six-week period could result in termination.
What are the takeaways from clean desk policies?
Clean desk policies help agencies instill a culture of responsibility and a sense of respect among collectors for consumers and their personal information. These policies also help agencies maintain an organized, efficient environment at individual work stations and throughout the call center.
In addition, clients evaluate the implementation and enforcement of clean desk policies during call center audits, furthering the need for a comprehensive approach.
Furthermore, many agencies require vendors to sign agreements acknowledging their compliance with the protection of consumer data that they handle.
The Clear Desk Policy at Optio Solutions is part of a grand approach to providing data security on multiple levels of internal and external systems. These measures cover human interactions as well as systems such as secure networks, file transfer protocols, data storage and backup, authorized access to buildings and call centers, and payment processing.
Finally, Optio security measures are documented in client audits and are part of the qualification process for obtaining certifications such as Professional Practice Management System (PPMS) from ACA International, PCI DSS 3.2, SOC 1 Type II, and SOC 2 Type II.