
Screen Privacy Policy

Document ID: SPP-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________


1. Purpose

The purpose of this Screen Privacy Policy is to establish requirements for protecting information displayed on computer screens, mobile devices, and other electronic displays from unauthorized viewing, disclosure, or observation.

This policy helps reduce the risk of visual data exposure (“shoulder surfing”), protects confidential and regulated information, and supports the organization’s overall information security program.


2. Scope

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Temporary workers
  • Interns
  • Volunteers
  • Board members
  • Vendors
  • Third-party service providers
  • Managed Service Providers (MSPs)
  • Any individual authorized to access organizational information

This policy also applies to the following devices:

  • Desktop computers
  • Laptop computers
  • Mobile devices
  • Tablets
  • Virtual desktops
  • Thin clients
  • Digital displays
  • Workstations
  • Point-of-sale systems
  • Kiosks (where applicable)
  • Any device displaying organizational information

This policy applies whether devices are used:

  • On-site
  • Remotely
  • At home
  • While traveling
  • At customer locations
  • In public locations

3. Policy Statement

Users shall take reasonable measures to prevent unauthorized individuals from viewing organizational information displayed on electronic screens.

Screen privacy controls shall be implemented based on the sensitivity of the information being displayed and the environment in which devices are used.


4. Guiding Principles

The organization follows these principles:

  • Need-to-Know
  • Least Privilege
  • Protection of Confidential Information
  • Security by Default
  • Individual Accountability
  • Defense in Depth
  • Privacy by Design

5. Screen Positioning

Users shall position screens to reduce the risk of unauthorized viewing.

Where practical:

  • Screens should not face public areas.
  • Sensitive information should not be visible from hallways or reception areas.
  • Workstations should be positioned away from windows where practical.
  • Privacy risks should be considered when selecting workspace locations.

6. Working in Public Locations

When working in:

  • Airports
  • Hotels
  • Cafés
  • Conference centers
  • Customer locations
  • Shared office spaces
  • Public transportation
  • Other public areas

Users shall:

  • Position screens to minimize visibility.
  • Be aware of nearby individuals.
  • Avoid displaying sensitive information unnecessarily.
  • Lock devices whenever unattended.
  • Maintain physical control of devices.

Highly sensitive information should be accessed only when appropriate safeguards are available.


7. Privacy Screens

Privacy screen filters should be used when:

  • Handling confidential or regulated information in public locations.
  • Traveling with organization-issued laptops.
  • Working in shared environments with increased privacy risks.
  • Required by business or regulatory obligations.

The use of privacy filters shall be determined through organizational risk assessments.


8. Screen Locking

Users shall:

  • Lock screens whenever leaving devices unattended.
  • Verify that devices require authentication after locking.
  • Follow the organization’s Device Locking Policy.

Automatic screen locking shall be managed in accordance with organizational security standards.


9. Display of Sensitive Information

Users shall minimize the display of sensitive information whenever practical.

Examples include:

  • Personally Identifiable Information (PII)
  • Financial information
  • Customer information
  • Protected Health Information (PHI)
  • Payment card information
  • Authentication credentials
  • Confidential business information
  • Security information

Sensitive information should not remain displayed longer than necessary.


10. Screen Sharing and Presentations

Before sharing screens during:

  • Video conferences
  • Webinars
  • Customer meetings
  • Presentations
  • Technical support sessions

Users shall:

  • Close unrelated applications.
  • Hide confidential information.
  • Verify what will be shared.
  • Disable unnecessary notifications where practical.
  • Share only the required screen or application when technically feasible.

11. Notifications

Where supported, devices should be configured to minimize the display of sensitive information within:

  • Lock screen notifications
  • Email previews
  • Messaging applications
  • Calendar reminders
  • Collaboration platforms

Notification settings shall balance usability with privacy.


12. Multi-Monitor Environments

Users with multiple monitors shall:

  • Consider visibility of each display.
  • Position monitors to reduce unauthorized viewing.
  • Lock all displays when leaving workstations.
  • Avoid displaying confidential information unnecessarily across multiple screens.

13. Photography and Recording

Users shall not:

  • Photograph confidential information displayed on organizational screens without authorization.
  • Record organizational screens containing sensitive information.
  • Permit unauthorized photography or recording of displayed organizational information.

Business-approved recording activities require appropriate authorization.


14. Remote Work

When working remotely, users shall:

  • Protect screens from family members, visitors, and unauthorized individuals.
  • Lock devices when not in use.
  • Position screens to minimize unauthorized viewing.
  • Follow organizational remote work security requirements.

15. Monitoring

The organization may monitor compliance with this policy through:

  • Security assessments
  • Physical security reviews
  • Compliance audits
  • Security awareness observations
  • Incident investigations

Monitoring shall comply with applicable laws and organizational policies.


16. Reporting Security Concerns

Users shall immediately report:

  • Suspected unauthorized viewing of confidential information
  • Privacy breaches
  • Lost privacy screen filters where required
  • Accidental information exposure
  • Security incidents involving displayed information

Incident handling shall follow the Incident Response Policy.


17. Exceptions

Exceptions require:

  • Documented business justification
  • Risk assessment
  • Management approval
  • Information Security approval where applicable
  • Compensating security controls
  • Periodic review

18. Responsibilities

Executive Management

  • Support information privacy initiatives
  • Allocate appropriate resources
  • Promote security awareness

Managers

  • Ensure employees understand this policy
  • Support compliance
  • Address privacy concerns

IT Department

  • Configure screen locking settings
  • Support privacy technologies
  • Assist with secure display configurations
  • Maintain endpoint security controls

Information Security

  • Define screen privacy standards
  • Conduct compliance assessments
  • Investigate privacy incidents
  • Provide user awareness training

Users

  • Protect displayed information
  • Position screens appropriately
  • Lock devices when unattended
  • Report privacy incidents promptly

19. Compliance

Compliance with this policy is mandatory.

Violations may result in:

  • Removal of system access
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

20. Policy Review

This policy shall be reviewed at least annually or following:

  • Significant technology changes
  • Security incidents
  • Regulatory updates
  • Organizational restructuring
  • Audit findings

21. Related Policies

  • Information Security Policy
  • Clean Desk Policy
  • Device Locking Policy
  • Endpoint Security Policy
  • Mobile Device Policy
  • Bring Your Own Device (BYOD) Policy
  • Company-Owned, Personally Enabled (COPE) Policy
  • Remote Work Security Policy
  • Physical Security Policy
  • Data Classification Policy
  • Data Protection Policy
  • Incident Response Policy

Document Objective

This Screen Privacy Policy establishes the organization’s requirements for protecting information displayed on electronic screens from unauthorized viewing and disclosure. It provides a vendor-neutral framework for reducing visual privacy risks through secure screen positioning, privacy filters, screen locking, secure screen sharing, notification management, and user awareness. This policy supports secure operations across on-premises, cloud, remote, and hybrid work environments and aligns with recognized security frameworks and standards, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.