Maintaining trust

Working in The Digital Vodafone Way

Our Code of Conduct sets out what we expect from every single person working for and with Vodafone. It also underlines our responsibilities to our people, partners and shareholders. The Code of Conduct helps us all make informed decisions and tells us where to go for more information. (Need to add code of conduct PDF)

The Vodafone Code of Conduct

Reporting concerns
All employees and contractors have a duty to report any breaches of our Code of Conduct, which is known as our "Speak Up" policy. We have launched a global external reporting scheme which allows employees and contractors to report through a third party. This new process enables us to consolidate existing whistle blowing practice in local markets, increases visibility and ensures consistency of approach in responding to concerns raised from across the organisation. Concerns may be reported anonymously and the protection of innocent people is our priority at all times. People can identify themselves to our external partner using a PIN and receive feedback. Vodafone has a non-retaliation policy and will not take any action against anyone reporting a genuine concern, even if this is proven not to result in a breach of compliance.

At Vodafone, we connect for a better future. We recognise that we have a significant role to play in a digital society. We believe that wherever we operate, we contribute to the wealth and development of countries, regions and local communities in a way that advances the protection and promotion of a number of fundamental human rights and freedoms and supports the full realisation of socio-economic development.

Scope

The Group Human Rights Policy sets out the minimum requirements that every single person working for and with Vodafone must comply with. This Policy applies to all Vodafone companies in which Vodafone Group hold an interest of 50.1%, or more, or management control. We expect our suppliers and business partners to uphold the same standards, as enshrined in our Code of Ethical Purchasing.

Our Commitment

We seek ways to honour the principles of internationally recognised human rights, even when faced with conflicting requirements. We aim to ensure that we are not, directly or indirectly, in any way complicit in human rights abuses.

Policy Alignment Our Group

Human Rights Policy is informed by the following international instruments:

• Universal Declaration of Human Rights
• International Covenant on Civil and Political Rights
• International Covenant on Social, Economic and Cultural Rights
• United Nations Guiding Principles for Business and Human Rights
• United Nations Global Compact Principles
•  ILO Declaration on Fundamental Principles and Rights at Work
• Global Network Initiative Principles

Our Operations, Products and Services

Right to Privacy and Freedom of Expression Vodafone is committed to process personal data honestly, ethically, with integrity, and in a manner which is always consistent with applicable laws and our values. Our objective is to be open and transparent about the way we process personal data, to provide fair choices on how such data is processed, to manage personal data responsibly and to offer secure services to our customers and employees.

We respect and seek to protect our customers’ lawful rights to hold and express opinions and share information and ideas without interference. Law enforcement authorities sometimes require licensed operators to comply with requests to provide information on individual users’ data or limit selected services in their networks. These requests often serve a legitimate need to protect the public, investigate criminal activity, safeguard the economy or protect critical national infrastructure.

We aim to balance our responsibility to respect our customers’ right to privacy and freedom of expression with our obligations to comply with the law in each of the countries in which we operate. We assist authorities only under certain carefully prescribed circumstances and may seek to challenge demands that appear to us to be overly broad, insufficiently targeted or disproportionate in nature. We process all assistance requests using a robust governance framework defined in our Group Law Enforcement Assistance Policy.

If faced with requests to restrict services or block content, we do not block access to services or content beyond measures that are:

• specified in a lawful demand from an agency or authority;
• undertaken under the Internet Watch Foundation or equivalent schemes that are designed to prevent access to illegal online child abuse material;
• defined and implemented by the customer directly through parental controls software or other user-defined filters, with simple and transparent opt-in and opt-out mechanisms; or
• undertaken to protect the integrity of our customers’ data, manage traffic or prevent network degradation, for example blocking spam or malware or taking action to prevent denial of service hacker attacks.

Human Rights

by Design We believe it is critical to ensure that the new technologies we create and employ fully respect the privacy and security of customers. We seek to minimise the risk of any inadvertent or adverse human rights impact associated with the development of our products and services, including new technologies such as Artificial Intelligence and Internet of Things. We engage with industry peers and other relevant experts (e.g. academics and civil society) in the development of emerging technologies in a way that enables users to fully exercise and enjoy their individual rights and freedoms.

Rights of the Child

We recognise that children can be a particularly vulnerable group in today’s digital world. We are committed to upholding the rights of the child at all stages of our business operations and seek to support children and their parents to become responsible digital citizens. We will continue to provide knowledge, tools, controls and resources to help our customers keep pace with the rapid advances in technology, devices, apps and the ways this technology is used. We are a founding signatory of the GSMA Mobile Alliance Against Child Sexual Abuse Content, which commits to the removal of such content or, where this is not possible, the disruption of the sharing of or access to this material.

Our Employees

Diversity and Inclusion

We believe that achieving greater equality of opportunity is critical to ensuring a strong corporate culture while also providing us a better understanding of the needs of our customers. We do not tolerate any form of discrimination especially related to but not limited to age, gender, disability, gender identity, sexual orientation, cultural background or belief. We base relationships with employees on respect for individuals and their human rights. We encourage our employees to challenge discriminatory behaviour, and want everyone to feel they are able to raise any concerns without fear of retaliation.

Our commitment to an Inclusion for All culture is enshrined in our global initiatives focusing on breaking the barriers around Gender, LGBT+, and Disability. The global adoption of our initiatives such as the Maternity and Parental Leave Policy, Domestic Violence and Abuse Policy and LGBT+ Friends Network, enables us to support our employees whatever their background and wherever they are.

Health and Safety

The health, safety and wellbeing of our employees is one of our most fundamental responsibilities. Everyone working for or on behalf of Vodafone must behave in a safe and responsible manner at all times. Our commitment to safety does not differentiate between our own employees and contractors and our suppliers’ employees and contractors. We expect our suppliers to be accountable for managing health and safety risks in their operations and meet our high standards as set out in the Code of Ethical Purchasing. We want everyone working for or with Vodafone to return home safe every day.

Freedom of Association, Collective Bargaining and the Employee Voice

We recognise the rights of employees to join trade unions and engage in collective bargaining in accordance with local law. We also recognise the importance of employees having a robust channel for raising matters of importance to management. In Europe, we consult with our employees through the Vodafone European Employee Consultative Council, which meets twice a year and gives employee representatives an opportunity to raise any concerns with our Our Employees executive management team. Similarly in South Africa, we consult with our employees through the National Consultative Committee. Our Senior Independent Director annually attends meetings with both the European and the South African bodies, and feeds back commentary from them to the Vodafone Board as part of our engagement with the “employee voice”, in compliance with the UK Corporate Governance Code.

Slavery and Human Trafficking

We do not tolerate forced, bonded or compulsory labour, human trafficking, child labour and other kinds of slavery and servitude within our own operations or within our supply chain, and are committed to taking appropriate steps to ensure that everyone who works for Vodafone – in any capacity, anywhere in the world – benefits from a working environment in which their fundamental rights and freedoms are respected.

Our Suppliers

Ethical Purchasing

Our businesses rely on international supply chains that span multiple tiers. We work with our suppliers, partners and peers to drive responsible and ethical behaviour and high standards across our supply chain, and do our utmost to keep everyone working in our operations safe from harm. We have robust systems and standards, based on our values, which we expect our suppliers to share. These standards set out our minimum expectations on our suppliers, and are enshrined in our Code of Ethical Purchasing.

Engaging directly with suppliers is one of the most effective ways of improving performance in our supply chains. From monitoring non[1]compliance to carrying out assessments and employee surveys, we work to help suppliers strengthen their own compliance and processes. We also work to encourage our suppliers to cascade our requirements to their suppliers and subcontractors.

Responsible Sourcing of Minerals

We recognise the risks associated with “conflict minerals” – the term used to describe some of the raw materials (tin, tantalum, tungsten and gold, also called 3TG metals) and cobalt used throughout the global electronics industry. While our ability to influence the manufacturing of materials, parts, ingredients or components of electronic equipment in our supply chain remains limited, we expect our suppliers to take steps to ensure conflict minerals are not used in any of the equipment related to our supply chain. We also continue to monitor the extent of human rights risks relating to conflict minerals and cobalt within our supply chain.

Our Communities

Digital Inclusion

We believe that the opportunities of a digital future should be accessible to all. Our goal is to democratise digitalisation, making technology truly accessible to everyone, leaving no one behind. Through our technology, we contribute to the work to bridge the divides that exist and help people to enjoy and exercise their fundamental rights in full, while contributing equally and fully to society.

Anti-Bribery and Corruption

Corruption and bribery can have a significant negative impact on the enjoyment of human rights. We act with honesty, integrity and fairness in our dealings both internally and externally. We do not tolerate any form of bribery, including improper offers of payments or gifts to or from employees. We avoid any contracts that might lead to, or suggest, a conflict of interest between personal activities and the business. We neither give nor accept hospitality or gifts that might appear to incur an obligation. We monitor implementation of our anti-bribery policy and take action to investigate when issues are raised.

Community Consultation and Land Rights

Communications networks are infrastructure intensive and where relevant, we remain committed to transparent consultation and active engagement with landowners, community leaders and municipal authorities. This engagement is undertaken in compliance with our anti-bribery policy that makes it clear that we never offer any form of inducement to secure a permit, lease or access to a site.

Civil Society

We recognise the important role of civil society advocacy. We value constructive dialogue with civil society, including with human rights defenders, to advance the respect for human rights and will seek to engage where relevant and appropriate for both parties.

Controls and Governance

Human Rights Due Diligence

Our human rights due diligence approach is aligned with the United Nations Guiding Principles on Business and Human Rights. This includes policy controls, impact assessments, mitigation and monitoring, tracking our performance, employee training and stakeholder communication.

We assess the actual and the potential positive and adverse human rights impacts when:

• developing new products/services/ technologies or making substantial changes to existing offers;
• entering new markets or in anticipation of changes in our existing operating environments;
• considering new partnerships/ acquisitions; and • engaging with our suppliers.

Ensuring Access to Remedy

We encourage everyone to report any grievances as soon as possible. Our employees can do this through a confidential third-party hotline Speak Up, accessible in their local language online or by telephone. Speak Up operates under a non-retaliatory policy, meaning that everyone who raises a concern in good faith is treated fairly, with no negative consequence for their employment with Vodafone. Our customers can report grievances through a dedicated complaints line and Privacy Query Form. We believe that transparency is a key component to providing remedy. We continue to disclose information on our efforts to respect human rights and to provide remedy, and remain active in the overall stakeholder dialogue.

Roles and Responsibility

The Group Human Rights Policy is owned by the Group External Affairs Director. We have an established Human Rights team that works closely with relevant stakeholders across Group and across our local markets. The Group External Affairs Director, who sits on the Group Executive Committee, is the executive level sponsor on human rights issues at Vodafone.

This Policy Statement is signed by the Vodafone Group Plc Executive Committee and Group CEO. 12 December 2019

Millions of people communicate and share information over our networks, enabling them to connect, innovate and prosper. Customers trust us with their data and maintaining this trust is critical. We believe that everyone has a right to privacy, wherever they live in the world and our commitment to our customers’ privacy goes beyond legal compliance. As a result, our privacy programme applies globally, irrespective of whether there are local data protection or privacy laws. Our Privacy Management Policy is based on the European Union General Data Protection Regulation (‘GDPR’) and this is applied across Vodafone markets both inside and outside the European Economic Area. Our privacy management policy establishes a framework within which local data protection and privacy laws are respected and sets a baseline for those markets where there are no specific legal requirements.

We always seek to respect and protect the right to privacy, including our customers’ lawful rights to hold and express opinions and share information and ideas without interference. At the same time, as a licensed national operator, we are obliged to comply with lawful orders from national authorities and the judiciary, including law enforcement.

Managing privacy

As data volumes continue to grow and regulatory and customer scrutiny increases, it is important to be clear on the privacy risks we face, as well as how our policies and programmes can mitigate these risks.

To help us identify and manage evolving risks, we constantly evaluate our business strategy, new technologies, products and services as well as government policies and regulation.

We categorise data privacy risk into three main areas:

Collection

Collection of personal data without permissions or excessive collection of data.

Access and use

Use of personal data for unauthorised purposes, excessive data retention or poor data quality.

Sharing

Unauthorised disclosure of personal data, including supplier non-compliance.

Privacy principles

Our privacy programme governs how we collect, use and manage our customers’ personal data to ensure we respect the confidentiality of their communications and any choices that they have made regarding the use of their data.

Our privacy programme is based on the following principles:

Accountability

We are accountable for living up to our commitments throughout Vodafone and with our partners and suppliers.

Choice and access

We give people the ability to make simple and meaningful choices about their privacy and allow individuals, where appropriate, to access, update or delete their personal data.

Privacy by design

Respect for privacy is a key component in the design, development and delivery of our products and services.

Responsible data management

We apply appropriate data management practices to govern the processing of personal data. We carefully select external partners and we limit disclosure of personal data to what is described in our privacy notices or to what has been authorised by our customers. We also ensure that personal data is not stored for longer than what is necessary or as is required by applicable laws and to maintain accuracy of data.

Fairness and lawfulness

We comply with privacy laws and act with integrity and fairness. We also actively engage with stakeholders, including civil society, academic institutions, industry and government, in order to share our expertise, learn from others, and shape better, more meaningful privacy laws and standards.

Security safeguards

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, use, modification or loss.

Openness and honesty

We communicate clearly about our actions that may impact privacy, we ensure our actions reflect our words and we are open to feedback.

Balance

When we are required to balance the right to privacy against other obligations necessary for a free and secure society, we work to minimise privacy impacts.

Using customer data

Our mission is to enable our customers to get the most out of our products and services. In order to provide these services, we need to use our customers’ personal information. We are committed to looking after our customers’ data, using it for its stated purpose, and we are always open about what we collect.

Learn How We Use Customer Data

Operating model

We have an experienced team of privacy specialists dedicated to ensuring compliance with data protection laws and our policies in the countries where we operate.

We apply a process-based approach to managing privacy risks across the data lifecycle and work closely with Cyber and Corporate Security, Products, IT & Digital, Networks, HR, Finance, Supply Chain and other teams to ensure end-to-end coverage. Dedicated security teams ensure appropriate technical and organisational information security measures are applied to protect personal data against unauthorised access, disclosure, loss or use during transit and at rest.

A privacy first approach

All products, services and processes are subject to privacy impact assessments as part of their development and throughout their lifecycle. We maintain Personal Data Processing Records, Supplier Privacy Compliance, Data Breach Management and Individual Rights processes, as well as Internal and International Data Transfer compliance frameworks and training and awareness programmes.

Our teams monitor and influence regulatory and industry developments and work to build and maintain relationships with local data protection authorities and other key stakeholders.

Privacy training for all

Our privacy control frameworks are subject to continuous risk-based improvements. In addition to introducing updates to our global privacy controls, we have also introduced an updated privacy module that is part of our mandatory ‘Doing What’s Right’ training. Every employee and non-employee must complete the training within six weeks of joining Vodafone and then every two years. We have also refined training for high-risk roles aimed at teams with a key role in personal data processing. With the updated approach we aim to achieve 90% completion rate on both types of training across all target groups across our global footprint.

The effectiveness of control implementation is subject to regular reporting and testing by the privacy teams and internal audit. Any findings are subject to remedial actions by the responsible control operator, and completion is monitored.

Governance

Privacy Policy management

The Group General Counsel and Company Secretary, a member of the Group Executive Committee, oversees the global privacy programme. The Group Privacy Officer, reporting to the Group General Counsel, is responsible for managing and overseeing the privacy programme on a day to day basis across the markets and provides regular status reports to Group General Counsel and an annual update to the Group Audit and Risk Committee.

Key roles and responsibilities

Whilst each employee is responsible for protecting personal data they are trusted with, accountability for compliance sits with each operating company. A member of the local executive committee oversees the local implementation of our privacy programme. Each operating company also has a dedicated privacy officer, privacy legal counsel and their privacy specialists. Local privacy officers report to Group Privacy Officer throughout the year.

Working in partnership

The Privacy Leadership Team approves new standards and guidelines and monitors the implementation of global privacy plans. Operating companies also maintain privacy steering committees that bring together privacy and security teams and senior management from relevant business functions.

Monitoring and response

Vodafone monitors compliance with privacy controls and has an experienced team to manage incidents.

Our privacy controls are subject to rigorous and regular evidence based testing by our Privacy Governance, Risk and Compliance team. In addition, our Internal Audit teams performs audit on selected privacy controls and business activities with particular privacy relevance. Possible findings are subject to mitigation plans and heightened monitoring, as the case may be.

Our processes ensure that any identified incidents are contained and steps will be taken to mitigate any negative effects. Where required, we will notify regulators as well as our customers.

To learn about how we have dealt with privacy incidents please view our annual report.

Permissions management

At Vodafone we give control to our customers when it comes to use of their data. Each Vodafone local market has a centralised permissions platform to help customers manage their preferences in near real-time.

Our Purpose is to enable connectivity in society and as a provider of critical national infrastructure, we recognise the importance of cyber and information security. No organisation, government or person will ever be fully immune to cyber-attacks and the telecommunications industry is faced with a unique set of risks as we provide connectivity services and handle private communication data.

Our networks connect millions of people, homes, businesses and things to each other and the internet. The security of our networks, systems and customers is a top priority and a fundamental part of our company Purpose. Our customers use Vodafone products and services because of our next-generation connectivity, but also because they trust that their information is secure.

Operating model

We have implemented an operating model based on the leading industry security standards published by the US Department of Commerce, specifically the National Institute of Standards and Technology. We have an international team of over 800 employees who are focused on constantly monitoring, protecting and defending our systems and our customers’ data.

We also work with third party experts and consultants, to maintain specialist skills and continue to follow leading practice. Our scale means we benefit from global collaboration, technology sharing, deep expertise and ultimately have greater visibility of emerging threats. Although the Cyber team leads on detect, respond and recover, preventative and protective controls are embedded across all our technology and throughout the entire business.

Vodafone Cyber Code

Every employee has responsibility for cyber security and must follow the Vodafone Cyber Code, be sensitive to threats and report suspicious activity. Embedded in our Code of Conduct, the Cyber Code is the cornerstone of how we expect all employees to behave when it comes to best practice in cyber security. It consists of seven areas where employees need to follow security good practice.

Read more on Vodafone’s Cyber Code (PDF required)

How we manage cyber security risks

Managing cyber security risks and threats is fundamental to maintaining the security of our services across every aspect of our business.

To help us identify and manage emerging and evolving risks, we constantly evaluate and challenge our business strategy, new technologies, government policies and regulation, and cyber threats. We conduct regular reviews of the most significant security risks affecting our business and develop strategies to detect, prevent and respond to them. Our cyber security approach focuses on minimising the risk of cyber incidents that affect our networks and services.

Understanding the threat landscape is key to managing cyber risk. Over the course of 2020, two of the biggest cyber security threats faced by all organisations significantly increased – phishing and ransomware attacks. Cyber criminals exploited the emotion and uncertainty associated with the pandemic to deceive users into engaging with malicious emails or pay a sum of money to regain access to systems. Cyber criminals also increasingly targeted smaller suppliers to large organisations as a way to more easily compromise their targets. Organisations across all industries also continued to experience other forms of threats, such as sophisticated espionage attempts and the exploitation of unpatched vulnerabilities.

Governance

The Group’s Chief Technology Officer is the Executive Committee member responsible for managing the risks associated with cyber threats and information security. The Vodafone Cyber Security Director is responsible for managing and overseeing the cyber security programme on a day-to-day basis and reports to the Chief Technology Officer.

Cyber threats and information security are a major area of focus for the Audit and Risk Committee and detailed updates including threat landscape, risk position and security programme progress are provided at least twice a year. The Board is also regularly updated on cyber security matters.

What security controls we have in place

Controls can prevent, detect or respond to risks. Most risks and threats are prevented from occurring or will be detected before they cause harm and need a response. A small minority will need recovery actions.

We use a common global framework called the Cyber Security Baseline and it is mandatory across the entire Group. The baseline includes key security controls which significantly reduce cyber security risk, by preventing, detecting or responding to events and attacks. Our framework was initially developed based on an international standard mapped to our key risks in the way that provides the most comprehensive protection. Each year, we review the framework in the light of changing threats and create new or enhanced controls to counter these threats.

A dedicated assurance team reviews and validates the effectiveness of our security controls, and our control environment is subject to regular internal audit. The security of our global networks is also independently tested every year to assure we are maintaining the highest standards and our controls are operating effectively. We maintain independently audited information security certifications, including ISO 27001, which cover our global technology function and 15 local markets. We comply with local requirements or certifications and actively contribute to consultations and debates with regard to laws and regulations that aim to improve and assure the security of communications networks.

New technologies

We adopt new technologies to better serve our customers and gain operational efficiency. For every technology programme, new or existing, we follow our Secure by Design process, evaluating suppliers' hardware and software, modelling threats and understanding the risks before designing and implementing the necessary security controls and testing them.

Every new mobile network generation has brought increased performance and capability, along with new opportunities in security. 5G improves existing security, with additional protection against threats such as location tracking, call or message interception and modification of network traffic. Similarly, 5G includes enhanced features to protect signalling between different operators' networks, which helps prevent tracking or interception while roaming. Vodafone is working at pace to embed these new security features into our 5G network deployments.

Getting the right security by design across all operators is vital as 5G and other mobile technologies will connect billions of devices. Vodafone has helped establish the GSMA IoT Security Guidelines, and the accompanying self-assessment scheme. Where we work with partners or third parties to build and deploy IoT solutions, we also advocate the approach co-developed between Vodafone and Consumers International, as seen in their publication of the Consumer IoT Trust by Design Guidelines.

We also track and monitor potential future threats to our networks, systems and customers, such as quantum computing and its effect on encryption. While such a risk is not specific to Vodafone, we have started work to address the potential negative effects and maintain a robust level of encryption that is quantum safe within our network and systems.

Cyber incidents

As a global connectivity provider, we are subject to cyber threats, the vast majority of which are identified, blocked or mitigated by our robust control environment without any impact. Where a security event occurs, we have a consistent incident management framework and an experienced team to manage our response. The focus of our incident responders is always fast risk mitigation and customer security.

We actively engage with stakeholders, including academic institutions, industry, and government, in order to protect Vodafone, respond to cyber threats and work together to share best practice. Given our expertise and extensive experience, we also engage with a wide range of organisations to help improve the understanding of cyber security thinking and practice, and contribute to public policy, technical standards, information sharing and analysis, risk assessment, and governance.