Personally Identifiable Information (PII data) is “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
Collecting PII is necessary for many companies; they need to accurately identify an individual and distinguish that individual from other people to reduce the risk of fraud, money laundering and other criminal acts. However, because PII is so valuable, its unwarranted disclosure or outright breach is a major concern for the organization's compliance posture and reputation, as well as for the individual involved.
Companies entrusted with PII data are accountable for safeguarding the information, and consumers trust that they will follow the necessary procedures to do so. Failure to do so can erode a company's hard-earned reputation and have bottom-line repercussions.
PII protections are enshrined in law in many jurisdictions around the world and, in many cases, are increasing in scope, powers and penalties. In a world where information collection, processing and sharing are on the rise, these PII laws are the bulwark guarding privacy rights and ensuring our personal data is handled safely, securely and properly.
In the EU, the General Data Protection Regulation (GDPR) entered into force on May 24, 2016 and became applicable on May 25, 2018. With wide-reaching implications, GDPR had companies throughout the world performing data audits, updating policies and, in many cases, actually changing how they collect and process user data.
In California, the California Consumer Privacy Act (CCPA) was passed in late June 2018. Its definition of personal information reaches far beyond the usual identifiers such as name, date of birth, address and Social Security number. The categories of data covered include:
1798.140. (o) (1)
(D) Commercial information, including records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
(E) Biometric information.
(F) Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.
(G) Geolocation data.
(H) Audio, electronic, visual, thermal, olfactory, or similar information.
(I) Professional or employment-related information.
India has just proposed the Personal Data Protection Bill 2018, the country's first data protection law. These three recent examples are just a sample of the range of laws that provide privacy protections in this modern era.
PII Best Practices
For companies operating across borders, the variety of, and conflicts between, different laws covering PII makes compliance difficult, costly and a source of risk. For example, many countries demand that the data of their citizens remain within the country, limiting cross-border data flows. This adds costs, restricts opportunities to the larger players and adds an aspect of protectionism to the selling of digital products and services.
Requiring a company operating in another jurisdiction to meet the necessary data practice standards and enforceability is one thing. However, creating rules that force data localization often doesn’t serve the needs of citizens, hinders growth and undermines competitiveness and productivity. As the Information Technology and Innovation Foundation (ITIF) states in their report about cross-border data flows, “data needs to flow to maximize value, which means policies that limit such flows across borders will reduce economic growth and social value.”
With that said, companies need to operate according to the rules of each jurisdiction they want to do business in. Beyond that, best practice is about meeting the highest PII standards. With one set of robust data policies, procedures and processes, companies that meet the most demanding regulated standards can best protect their customers' data and build the trust that is crucial to operations and growth.
Many experts point to the standards required by GDPR as the benchmark when it comes to privacy regulatory frameworks. Consider: the law firm Alston & Bird, in a note to its clients, stated “GDPR presents a dramatic shift in expectations for data security and data privacy compliance for U.S.-based entities that will be subject to its application.” Among other things, GDPR requires that data subjects be told, at the time their data is collected:
- Who is collecting the data?
- What data is being collected?
- What is the legal basis for processing the data?
- Will the data be shared with any third parties?
- How will the information be used?
- How long will the data be stored for?
- What rights does the data subject have?
- How can the data subject raise a complaint?
When it comes to digital identity and authentication, Canada is well known for having sophisticated privacy guidelines. As noted by legal firm McCarthy Tétrault, “the US approach mirrors Canadian developments in digital identity in many aspects.”
The goal of Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is to balance “the right to privacy and protection of personal information with the need of organizations to collect, use and disclose personal information for legitimate purposes.” Some of its guidelines include:
- Only identify when necessary
- Determine what identity attributes are necessary to authorize a transaction
- Inform individuals and obtain the appropriate form of consent before identification
- Only authenticate when necessary
- Ensure the level of authentication is commensurate with risks
- Ensure employees are properly trained
- Maintain appropriate transaction records
- Continually assess threats and mitigate risks
- Protect personal information
- Rely on trusted identity documents or credentials
- Rely on trusted parties when outsourcing identity management
- Permit individuals to control their identification and authentication information
- Consider the use of biometrics carefully
Note the guidelines often offer generalities, as opposed to specifics. When necessary, appropriate, commensurate, properly, trusted, consider – these are all words open to interpretation. That points to the need to carefully assess the requirements that pertain to your business. Different industries, information uses, vendors, and locations will all significantly impact your approach to PII.
Crafting an effective PII policy is the first step to ensuring that you are treating the information properly and legally. Each stage in the life of the information, from collection and storage through to deletion, requires an explicit statement of who handles it, what is handled, where it is held and how it is processed.
While, in this era of big data, it might seem advantageous to collect as much information as possible, the more you collect the higher your risk and the higher your protection costs become. One suggestion is to minimize your data risk: collect only the information you need and purge it as soon as you can.
Another important consideration is how you are securing the data, and how you can maximize its safety. With ever-changing technology, both the threats and the defenses against them are a moving target. Threats need assessing, systems need updating, and the security operations job is never done.
Security is not only about technology; people are often the weakest link in any security scheme. Proper training for all employees and ingraining ongoing vigilance into the company culture is an imperative.
The Future of PII
Must balancing the need to collect PII to effectively run and grow a business against the individual's right to privacy and control over their information always be a matter of trade-offs? Perhaps a new model can develop that gives all parties what they want from PII without anyone giving something up.
Consider data anonymization. Stripping direct identifiers out of a data set, and generalizing the remaining attributes until no individual can be singled out, lets many analyses proceed without the need for private information. Note that merely encrypting or hashing identifiers is not the same thing: whoever holds the key, or can guess the inputs, can re-link the records, so GDPR treats such pseudonymised data as personal data that remains in scope. Only data that can no longer be tied to a person falls outside the regulation, as Recital 26 puts it.
Recital 26 of GDPR
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
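The following is an added example, not part of the original article, showing why "stripping out PII" is more than deleting the name column. It uses only the Python standard library and a constructed set of fictitious records: removing the direct identifiers still leaves every record unique on its date of birth and ZIP code (k = 1 in k-anonymity terms), generalizing those quasi-identifiers restores a minimum group size, and an unkeyed hash of an e-mail address is re-linked by a simple dictionary attack while a keyed HMAC is not, which is why the keyed form is pseudonymisation rather than anonymisation.

```python
"""Anonymisation vs pseudonymisation on a constructed sample data set.

Added illustration; the records, key and field names are all assumptions.
"""
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictitious people, not real data.
RECORDS = [
    {"name": "Ada Lovelace",  "email": "ada@example.org",  "dob": "1985-12-10", "zip": "94103", "purchase": "laptop"},
    {"name": "Grace Hopper",  "email": "grace@example.org", "dob": "1982-03-04", "zip": "94110", "purchase": "compiler"},
    {"name": "Alan Turing",   "email": "alan@example.org",  "dob": "1988-07-22", "zip": "94117", "purchase": "notebook"},
    {"name": "Claude Shannon", "email": "claude@example.org", "dob": "1991-01-15", "zip": "10001", "purchase": "headset"},
    {"name": "Whitfield Diffie", "email": "whit@example.org", "dob": "1995-09-09", "zip": "10012", "purchase": "keyboard"},
    {"name": "Shafi Goldwasser", "email": "shafi@example.org", "dob": "1993-05-30", "zip": "10025", "purchase": "monitor"},
]

DIRECT_IDENTIFIERS = ("name", "email")   # identify a person on their own
QUASI_IDENTIFIERS = ("dob", "zip")       # identify a person in combination

# Assumed secret held only by the data controller (constructed value).
SECRET_KEY = b"controller-only-pseudonymisation-key"


def naive_strip(record):
    """Drop the direct identifiers and keep everything else verbatim."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalize(record):
    """Coarsen quasi-identifiers: full DOB -> birth decade, 5-digit ZIP -> 3-digit prefix."""
    out = naive_strip(record)
    year = int(record["dob"][:4])
    out["dob"] = f"{year // 10 * 10}s"
    out["zip"] = record["zip"][:3] + "**"
    return out


def min_group_size(records):
    """The k of k-anonymity: the smallest number of records that share one
    combination of quasi-identifier values. k == 1 means at least one record
    is unique, i.e. someone can be singled out from the 'anonymised' set."""
    groups = Counter(tuple(r[q] for q in QUASI_IDENTIFIERS) for r in records)
    return min(groups.values())


def unkeyed_token(email):
    """Plain SHA-256 of an e-mail address: deterministic and keyless, so anyone
    with a list of candidate addresses can recompute and match it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()[:16]


def pseudonymize(email, key):
    """HMAC-SHA256 under a controller-held key. Without the key the token cannot
    be recomputed, but the controller can, so the data is still personal data
    under GDPR Recital 26 (pseudonymised, not anonymous)."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def relink(token, candidate_emails):
    """Attacker without the key: try every candidate as an unkeyed hash."""
    for email in candidate_emails:
        if unkeyed_token(email) == token:
            return email
    return None


if __name__ == "__main__":
    stripped = [naive_strip(r) for r in RECORDS]
    generalized = [generalize(r) for r in RECORDS]
    print("k after stripping names/emails only:", min_group_size(stripped))
    print("k after generalizing DOB and ZIP:  ", min_group_size(generalized))
    candidates = [r["email"] for r in RECORDS]
    print("unkeyed hash re-linked to:", relink(unkeyed_token("ada@example.org"), candidates))
    print("keyed HMAC re-linked to:  ", relink(pseudonymize("ada@example.org", SECRET_KEY), candidates))
```

In practice the generalization step is tuned per data set (decade bands and 3-digit ZIP prefixes are just the choices made here), and the key used for pseudonymisation must be stored and access-controlled separately from the released data, since possession of the key is exactly what keeps the data re-identifiable.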
While data anonymization makes sense for general reports, there’s still a need for specificity for precise targeting. Developments in AI may offer a way forward for these use-cases. As described in TechCrunch,
“today, GDPR-compliant companies offer users the binary choice of allowing full, effectively unrestricted use of their data or no access at all. In the future, product designers may want to build more granular data access permissions. For example, before choosing to delete Facebook altogether, a user can refuse companies access to specific sets of information, such as their network of friends or their location data.”
Another model is self-sovereign identity, a decentralized approach in which the individual determines exactly with whom, and how, PII is shared. Many prognosticators point to identity on blockchain as a potential technology that will enable people to prove their identity to those who need it while still controlling the underlying information. The effectiveness and usability of these systems will take years to determine, as these models are still at an early stage.
Offering consumers more control over their data, in a manner that is easy to exercise, is a powerful model for PII; transparency and precise control allow consumers to determine the exact level of trust that works for them. While it remains to be seen whether consumers will want to actively monitor their PII, giving them a choice in the matter is always a good idea. Better tools for building trust, ones that improve the interface for PII data handling, deserve further exploration, as they offer a potential roadmap to deliver both the privacy and the control that all parties desire.