Uber Technologies Inc. should expand its privacy program to improve disclosures, training and employee accountability, according to an internal review that the company commissioned after a customer-data controversy.

The assessment, conducted by law firm Hogan Lovells and released Friday, said Uber has invested significantly in privacy and laid out 10 recommendations for the company to enhance its privacy practices. Those include more strictly regulating how employees of the mobile car-booking company access customer data, creating mandatory job training on data privacy for workers, deleting inactive accounts and setting up a whistleblower hotline to handle customer complaints.

“Keeping the program evolving and keeping up with the evolution of the company is going to be the most challenging,” said Harriet Pearson, a privacy and cybersecurity lawyer at Hogan Lovells who led the review.

The report caps a controversial episode for Uber. In November, a top executive of the San Francisco-based company, Emil Michael, suggested Uber was willing to spend a million dollars to look into journalists’ personal lives. The company also began an investigation into a manager who tracked a reporter’s whereabouts on Uber without her permission.

The revelations caused a backlash. U.S. Senator Al Franken, a Minnesota Democrat who chairs the Senate subcommittee on privacy, technology and the law, sent Uber Chief Executive Officer Travis Kalanick letters questioning the company’s privacy policies, including which employees can access a tool called “God View” that shows customer information.

Large Ambitions

The brouhaha was a black eye for Uber, which is the most valuable privately held U.S. technology company, with a valuation of $40 billion. The startup is rapidly raising money as it works to expand globally. Uber garnered more than $2.4 billion in equity last year and another $1.6 billion in convertible debt earlier this month. It operates in more than 277 cities in 54 countries.

In an interview, Pearson said Uber is focused on privacy and has many appropriate policies in place.

“They need to be more transparent and they need to formalize some aspects of their privacy program,” she added.

In a blog post, Uber said it realizes that with its fast growth, “we haven’t always gotten it right.”

The report provides “a roadmap to do even better going forward,” Uber said. The company said its leadership team has accepted the 10 recommendations and is now in the process of implementing all of them.

The report doesn’t alleviate privacy concerns about the mobile application, said Bruce Schneier, a fellow at Harvard University’s Berkman Center for Internet & Society.

“Uber has been scarily egregious in their violations of privacy,” he said, adding that the internal review isn’t enough to protect customers’ data privacy.