Privacy Policy

Digital Communications

1. Parent Policy

Global Information Security Policy (MIP-29) states: In using Digital Communications provided by the Company, or from Company-owned computing devices, individuals must ensure:

  • All Digital Communications are conducted in an appropriate, legal, courteous, and businesslike manner, with due recognition of how broad-scale and public communications issued by an individual can reflect on the Company.
  • Company Confidential Information is not shared with unauthorized individuals or otherwise exposed to improper use or compromise.
  • Every effort must be made to ensure safe use of Digital Communications by verifying that: 1) Services used provide adequate controls to safeguard Company Information; and 2) Security and privacy features provided by the Service are effectively employed.

2. Standard Overview

This Standard addresses the use of Digital Communications services for both business and personal use that may affect the Company. In support of Global Information Security Policy (MIP 29), this Standard requires protecting Company Confidential Information from unauthorized release, misuse, or compromise, in both personal and business use of Digital Communications services. Third-parties’ confidential information must be afforded the same protection as Company Confidential Information.

Limited personal use of Company Assets is permitted with conditions described in this Standard. Company Confidential Information must be protected as required in Information Protection Standard (IT-SEC-002) by using Company-provided Digital Communications services enabled through Global Technology processes. These processes include privacy and security compliance checks to confirm regulatory compliance and information protection.


For the purpose of this Standard, the following terms as defined in Global Information Security Policy (MIP-29) apply:

“Digital Communications”
the viewing, accessing, uploading, downloading, storing, transmitting, creating, and using of all forms of information in electronic or digital format. Digital Communications services include without limitation:

  • services provided by the Company or by Company contracted vendors (“Company-provided”); and
  • Web-based consumer-facing services provided for public use (“External”) whenever External services are used from Company computing devices, the Company network, or are used to communicate Company Information. Examples include but are not limited to: email (Outlook/Exchange, Gmail, and others); text and instant messaging (Teams); social media, social networking, blog, wiki and other information or photo sharing sites (Facebook, Twitter, Pinterest, Instagram, SnapChat, Flickr, YouTube and others); collaboration and virtual meeting sites (TeamShare, Office 365 components including SharePoint, Teams and OneDrive, WebEx, Global Meet, AdobeConnect); IP Telephony and audio/video chat sites (Skype, ooVoo, Hangouts); and other sites that may be provided as Cloud Services and otherwise.

“Company Information”
information created, obtained, or used by the Company and includes proprietary information to which the Company owns or holds exclusive rights. ∙ “Company Confidential Information” – for the purpose of this Standard, ‘Company Confidential Information’ shall include both “Highly-Confidential/PCI" (Red) data and “Confidential" (Yellow) data in accordance with Asset Security Categorization & Data Classification Standard (IT-GIS-001).

"Company-provided” Digital Communications services are those provided by the Company directly or through Company-contracted third parties (for example, Outlook/Exchange, Teams, SharePoint, and others).

“Device” refers broadly to information technology equipment, includes but is not limited to computing devices (laptops, workstations); print, scan, fax and copier devices; network devices (firewalls, routers, switches); and internet of things (IoT) devices.

“External” Digital Communications services are web-based consumer-facing services made available to the general public (for example, Google mail, Facebook, and others). ∙ “Social Media” refers collectively to social networking, blog, wiki, and other information or photo sharing sites (Facebook, Twitter, Pinterest, Instagram, SnapChat, Flickr, YouTube, and others); collaboration and virtual meeting sites (Office 365 components including SharePoint, Microsoft Teams and OneDrive, Box, WebEx, Global Meet, AdobeConnect).

3. Standard Statement

All associates need to understand and follow Information Protection & Cybersecurity best practices to guard against phishing and other scams targeting Digital Communications services.

In accordance with Global Information Security Policy (MIP-29), before sharing Company Information through Digital Communications services:

Obtain the Data Owner’s (see MIP-29 for the definition of and requirements regarding Data Ownership) approval for planned information use and sharing. ∙ Confirm the data classification (see Asset Security Categorization & Data Classification Standard (IT-GIS-001)) of information to be used or released with the Data Owner and/or Marriott Global Privacy Office.

Engage Contract Management or Software Development Lifecycle Processes respectively for all new third party engagements in accordance with Technology Acquisition (MIP-34) to confirm:

  • All privacy requirements (privacy statements, terms and conditions, user consent, opt-in/opt-out and others) are met for Personal Data in accordance with Global Privacy Policy (MIP-91). (See Asset Security Categorization & Data Classification Appendix A for examples of Personal & Business Data classifications.)
  • All security requirements (access control, encryption, retention, malware protection, and others) are met to protect Company Information.

Note: Digital Communications services must provide malware protection and access controls for management of content, even if content is targeted for the public. Company Enterprise ID (EID) credentials, however, must not be replicated or used in third-party Digital Communications services that are not integrated with Marriott EID Services through an approved Global Technology integration pattern (see Enterprise Architecture (MIP-88)).

Consult the Marriott Global Privacy Office with questions concerning use of Digital Communications services. All use and implementation of Digital Communications services must comply with applicable laws, regulations, and internal Company Policies.

4. Requirements

4.1 Company Proprietary Rights and Privacy Conditions
  • Associates must not use Digital Communications services to send, receive, or store any messages or materials that they wish to keep private and should expect no right of privacy with respect to such Digital Communications, except as Company Policies and applicable laws may provide.
    • By using Company-provided Digital Communications services for personal use, individuals acknowledge Marriott rights, subject to applicable laws, to access, monitor, review, copy, and delete Digital Communications, and to disclose them to any party the Company deems appropriate for any purpose, with or without notifying the individual.
    • These proprietary rights apply for all Digital Communications from Company Devices, both on and off the Company Network, and for any personal or third party Devices connected to the Company Network.
  • Subject to applicable intellectual property rights of Company vendors, all Company provided Digital Communications services and Company computing environments are the sole and exclusive property of the Company.
  • Individuals must bear in mind: 1) their Digital Communications may be accessed by someone other than the addressee and may be disclosed to outside parties in connection with litigation, and 2) Digital Communications often can be retrieved even after having been "deleted."
    • Digital Communications may be subject to involuntary discovery or disclosure in a court of law.
    • The Company applies security measures to protect Company Digital Communications; however, the Company assumes no liability for personal communications.
4.2 Prohibited Use of Digital Communications
  • Do not send credit card information via Digital Communications services, even if encrypted.

    Note:When credit card information is sent, the data is retained within messaging systems, creating security risk to both the Company and the card owner.

    • Delete messages received that contain credit card information and immediately remove deleted messages from the mailbox. Advise senders that emailing credit card information is in violation of Company Policy and exposes them to financial risk.
  • Never solicit Personal Data from individuals without their informed and recorded consent (see Information Protection (IT-SEC-002)).
  • Do not post or publish content for associates, third parties, or the broader public that includes:
    • Information or statements which may purport to be or appear to be official statements of the Company.
    • Company Information, Confidential or Proprietary Information, or Personal Data concerning associates, guests, customers, vendors, or business partners. o Information or statements which may defame, disparage, or damage the goodwill or reputation of the Company, other associates, guests, customers, vendors, or business partners.
  • Do not share Company Confidential Information with unauthorized individuals or without execution of the required Company agreements.
  • Do not send, post or forward Company Confidential Information to personal email, social media, or other unapproved platforms or applications.

    Note:Communications between different messaging services (Company A and Company B email systems) commonly transmit in clear text over the internet and can be intercepted.

  • Do not share software or databases without authorization or in violation of licensing or terms of use; or with inadequate security (see Information Protection (IT-SEC-002)). ∙ Do not download or use unauthorized or un-vetted software on a Company Device, even if advertised from a third-party website for Company-provided service. Toolbars or other software may be malware-infected (see Software Use Standard (IT-TBM-002)). ∙ Obtain authorization to release or access the emails or other resources of another individual. Obtain the individual’s documented consent or approval through defined procedures:
    • For Associates: Email/PC Access for Business Continuity Request (IT-SEC-P02) (PDF)
    • For Franchise: Accessing a Franchisee’s Marriott Information Assets (IT-PRV P02) (PDF)

      Note: Distribution of summarized reports showing volume trends and network bandwidth usage does not require approval via the procedures listed above if no individual usage is disclosed in the reports.

  • Do not attempt to disable or circumvent security controls, either by tampering with the controls or using unapproved alternatives.
  • Never respond to or forward email messages that are suspicious in nature, including potential phishing messages and spam. Report all phishing and suspicious messages using the Report Phishing in Outlook (if available), or by sending the message as an attachment (do not forward) to [email protected].
4.3 External (Publicly Available) Digital Communications Services
  • Do not consider External Digital Communications services (personal email, instant messaging, social media, unapproved collaboration sites, and others) to be private or secure.
  • Do not use External Digital Communications as a substitute for communication or consummation of a Company transaction that should be formally documented (for example, a sales agreement or performance appraisal.)
  • Share Company Confidential Information (classified as Confidential) only through Company-provided Digital Communications services.
  • Obtain Data Owner and/or Marriott Privacy Office consent to share Company Information believed to be Public/Non-Confidential (see Asset Security Categorization & Data Classification Standard (IT-GIS-001)). Provide notice to users that the Service is to be used to share only Public Company Information.
  • Confirm, as needed with the Marriott Law Department, that External Service Provider’s terms of use are not in conflict with Marriott interests or Policies.
4.4 Social Media and Social Networking
  • Use Social Media for personal and business use in accordance with Company Social Media Rules of Conduct & Guidelines for Associates and related guidelines for the business application or brand.
  • Comply with Company Policies, Internal Communication (MIP-24) and Public Information for News Media and Other Parties (MIP-25) with respect to obtaining approval prior to the release of information using Social Media and Social Networking sites (including blogs, wikis and others) to employees, owners, business partners and others must comply with and as otherwise described.

    Note: These Policies must be followed for all proposed blog activities by individual hotels, departments or any other business unit or location.

  • Engage Social Media providers through Contract Management for any consumer marketing or analytics efforts, including those involving integration or exchanging information with Marriott. All such engagements must be covered under Company contract for the duration and extent of their use.
4.5 Email and Messaging
  • Follow Company Email Guidelines and use Company-provided Digital Communications services (such as Microsoft Office 365 and Microsoft Teams) for all Company business communications. Limited use of personal or External Digital Communications services is acceptable for non-Confidential communications, for example: sending time and date of a meeting to targeted recipients but not the purpose or agenda for the meeting.
  • Include the following footer in all Company email communications so the recipient knows to protect the contents from disclosure:
    This communication contains information from Marriott International, Inc. that may be confidential. Except for personal use by the intended recipient, or as expressly authorized by the sender, any person who receives this information is prohibited from disclosing, copying, distributing, and/or using it. If you have received this communication in error, please immediately delete it and all copies, and promptly notify the sender. Nothing in this communication is intended to operate as an electronic signature under applicable law.
  • Label message attachments with the footer defined in Information Protection (IT-SEC 002) section 4.10.
  • Comply with eCommerce Marriott Corporate Email Compliance Policies for direct marketing via emails and or other Digital Communications.

    Note: Marketing messages must not expose recipients’ addresses to anyone other than the targeted recipient.

  • Confirm pre-defined distribution lists include only recipients authorized to receive the information and that recipients are not included in an opt-out list.
  • BCC (Blind Copy) large groups of individuals’ emails to avoid unnecessarily exposing recipients’ email addresses unless there is a business need to show recipients by CC (Copy).
4.6 Collaborative and Information Sharing Services
  • Designate individuals to monitor use of collaboration and information sharing services and be responsible for ensuring information security and privacy requirements are met with ongoing use.
4.7 Photo Sharing and Recording of Audio and Video conferencing

In some jurisdictions, photographs or recordings of individuals are considered personal information and require auditable records of the consent of individuals before a photograph or recording of them can be captured or shared. Legal requirements must be considered before sharing photos, sharing videos, or recording audio or video conferences.

  • Photo and Video Sharing. Obtain consent from individuals prior to sharing or distributing photographs or videos of individuals. Consult your local Marriott Law Department representative if there are questions about this requirement.
  • Recording of Audio and Video Conferencing. Company-approved videoconferencing services provided for enterprise use (e.g., Microsoft Teams) must not be used by associates or others to record online calls or meetings. Video and audio recordings of meetings including but not limited to regular team or project meetings, strategy sessions, fireside chats, brainstorming sessions, Q&A sessions, meetings involving outside vendors or other third parties, or other business-as-usual meetings may capture ad-hoc, unintended, or Company Confidential discussions and raise legal and privacy concerns, and therefore must not be recorded. This limitation does not preclude the creation or dissemination of scripted training or presentation material that has been prepared in advance and complies with this standard and other Company Policies. 4.8 Voice, IP Telephony (IPT) Services, and Text Messaging
  • ∙ Use Company-provided IP Telephony Services (e.g., Microsoft Teams) as available for all audio and video communications and conferencing.
  • In situations where External Services must be used:
    • Ensure the computer is running with up-to-date Company Tier 0 security software and patches to protect it. See End-User Computing (EUC) (IT-SEC-017) and Tier 0 Security (IT-SEC-033).
    • Login with credentials that are different from the Company EID or any account used to access Company systems and services. Share username and presence with known parties only; never broadcast this information broadly.
    • Alert recipients or participants in the communications if information is confidential so that they can take adequate precautions to maintain confidentiality and delete any recordings (such as voicemails).
4.9 Company Internet Content Filtering

The Company’s Web Security Services filters Internet access for all Company EUC Devices, on and off the Company network to, block: 1) malware-infected content, sources of phishing attacks, and other malicious code; and 2) Identify inappropriate or unlawful content. The Services may also block new and unrecognized websites.

  • Request changes to block or unblock web sites by submitting an Internet Web Site Access Block Request in Identity Center.

    Note: Web content filtering is used globally across the Company network and provides a control required for PCI DSS, which prohibits PCI-subject systems from directly accessing the Internet (see PCI DSS Compliance Standard (IT-SEC-001)).

5. Compliance

Compliance with the requirements in this Standard is mandatory. Non-compliance with this Standard exposes Marriott to an unacceptable level of operational and financial risk. Non compliance with this Standard may be considered a violation of the governing Policy and “could result in corrective action up to and including termination” as stated in MIP-29 Global Information Security Policy.

Compliance with this Standard shall be monitored through verified implementations of the applicable controls from Marriott’s Common Controls Framework as identified during Marriott GIS Security Engagement and Accreditation processes, to include but not limited to Marriott Global Technology processes, Software Development Lifecycle (SDLC) projects, Contract Management requirements, vendor assessments (MIP-34), and other GIS assurance processes. Ongoing monitoring can also be performed via security monitoring tools, Company audits or business process owner reviews.

*in case a private account, BLAK will be sending a request

DISCLAIMER: BLAK by sunburn is members only club. All applications must be backed by referral of an existing member etc.


Thank You for registering with us. Someone from our team will get in touch with you shortly.

View Rules & Regulations