Personally Identifiable Information (PII) is any information about an individual kept by an organization, including data that can be used to distinguish or trace that person’s identity. Some PII is not sensitive, such as what can be found in a phone book or on a business card. Other PII is sensitive, which means that, if it is lost, compromised or disclosed without authorization, it could result in harm, both to the individual and to the company involved. Harm to an individual could mean identity theft, blackmail, embarrassment, or inconvenience. Organizational harm includes loss of public trust and reputation, legal liability or remediation costs.
Particularly since the dawn of the digital age, security breaches involving PII have contributed to the loss of millions of records. By law, all of us are required to protect privacy and to properly collect, access, use, share and dispose of the PII in our control or under the control of a third party, such as a contractor.
Some examples of PII include:
– Personal identification numbers, such as Social Security/taxpayer identification number, passport number, driver’s license number, financial account number or credit card number
– Address information (street address, email address)
– Telephone numbers (cell, home, business)
– Personal characteristics (facial photos, x-rays, fingerprints, and biometric data such as a retinal scan or voice signature)
– Information about personally owned property (e.g., vehicle registration number)
– Information that is or can be linked to the above (date/place of birth, race, religion, weight, activities, employment information, medical information, education information, financial information)
In the U.S., there is no single, overarching privacy law. Instead, the issue is regulated through many state and federal laws. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects individually identifiable health data, and the Fair and Accurate Credit Transaction Act (FACTA) protects consumers’ credit information from the risks of data theft.
In 1980, the 34-member Organisation for Economic Cooperation and Development (OECD) adopted Privacy Guidelines that form the basis for privacy laws in many other countries, including Sweden, Australia and Belgium. These guidelines reflect principles of limited collection and use of personal data; the collection of data that is related to a specific, stated purpose; security safeguards; openness; individual participation; and accountability.
Privacy law in the EU is governed by the Data Protection Directive of 1995, which specifies that personal data must be collected under strict conditions and for a legitimate purpose of which the individual must be informed, and by the e-Privacy Directive, which requires that digital users be notified of any data security breach.
In 2016, the European Parliament adopted new EU data protection rules to ensure the protection of individuals’ personal data. The General Data Protection Regulation is designed to help promote the Digital Single Market in the EU through the application of clear, uniform rules. Implementation of the new rules remains in the future, but companies that do business in Europe should be aware of the new regulation and its anticipated compliance requirements. Equally important, global companies should be aware of the provisions of the evolving EU/US Privacy Shield, which regulates how data transferred between the US and the EU is stored, transmitted onward and used. In addition to the US and the EU, many countries have enacted laws regulating the collection, storage, transmission and use of personally identifiable information.
Each organization may be subject to different laws, so be sure to consult our legal department with any questions. Also, since laws vary from country to country, we have a responsibility to apply the most stringent policies and procedures currently in force in order to be in compliance wherever we do business.
Our Responsibility for Protecting PII
– Physically secure PII in a locked drawer when not in use or otherwise under the control of a person with a “need to know.”
– Never leave PII unattended on a desk, printer, fax machine or copier.
– Use a privacy screen when in an unsecured area. Lock your computer when you leave your desk. Do not permit your computer to remember passwords.
– Avoid discussing PII in person or over the phone when you are within hearing of anyone who does not need to know the information (including in an airport, in a taxicab, or in a cubicle).
– Make sure all laptops, BlackBerrys, USB flash drives and external hard drives are encrypted. Encryption protects the data on the device from being accessed by an unauthorized user if the device is lost or stolen.
– Do not leave your laptop in checked luggage, in your hotel room, or in a car overnight. Keep an eye on it at all times during the airport security process. Do not store it in a public locker.
– Don’t transfer files or forward emails containing PII to your home computer or personal email account.
– Do not post PII on the intranet, shared drives, multi-access calendars or on the Internet (including social networking sites) that can be accessed by anyone without a “need to know.”
– Be alert for phone calls or emails from individuals you do not know attempting to obtain personal or non-public information from or about you.
– Never share computer logins or passwords with anyone.
– When possible, customize or recreate reports or lists to redact sensitive information that is not required for the immediate use of the project.
You must report all suspected or confirmed privacy incidents to your supervisor or the compliance officer immediately. Do not further compromise the information by forwarding it when reporting an incident.
Recently I discovered extensive files on former customers who haven’t done business with us in more than a decade. Should something be done with these files?
While it appears that this data may no longer be necessary or relevant, there may be a business purpose for keeping the files. Check with the legal department to determine the safe and proper disposition of the data according to our records retention policy.
I’m leaving my position to work in another department and my laptop will be transferred to my replacement. What steps should I take to make sure the data is cleared?
Ask the IT help desk to wipe sensitive PII from your drives according to our company’s data security standards.