What is Personally Identifiable Information?
Personally identifiable information (PII), also called personal data in the European Union, is any information that, by itself or in combination with other information, can be used to determine someone’s identity. Of course, some information can’t cause much harm all by itself when known, such as a person’s weight. Other details, like someone’s social security number, could cause great harm if they fell into the wrong hands: this type of information is appropriately called Sensitive Personally Identifiable Information (SPII).
Examples of Personally Identifiable Information
When you think about keeping data safe, it’s easy to think of items that fall into the SPII category, such as:
- Passport number
- Medical information
- Fingerprint or DNA profile
- Social Security Number
- Driver’s license or ID card
- Financial information
But depending on your business, the list of personally identifiable information is nearly endless. Think about the school system. It holds unique information about its students, like test scores or family status. Consider the DMV. It knows your address, vehicle identification information and whether or not you wear glasses. Online shopping sites process information on one’s buying habits, payment details, address and more.
As a business, it’s important to think through all the categories of information you process to determine which could be traced back to an individual. Consider:
- Forms of someone’s name
- Identification numbers of any type
- Address information
- Asset details
- Telephone numbers and IP addresses
- Physical characteristics
- Details about property owned
- Important dates and work history
- Family history
- The people and things the person is interested in
Any information that falls into one of these categories could be used as-is or in combination to identify an individual.
Businesses Need to Know
Protecting Personally Identifiable Information
It’s important to safeguard this type of information. Whether it’s simply to spare someone embarrassment or to literally save their lives, businesses need to take into account how data can affect the safety of those with whom they do business.
There are three key steps businesses can take to protect PII: evaluate and document processes, educate workers and invest in technical tools.
- Processes. Creating processes helps businesses break down their actions into small, easy-to-examine steps. This makes it clear what type of information might be handled at any point in a workflow, highlighting areas of concern and helping to identify when precautions should be taken. As processes are developed, it is important to document them, so they are transparent to everyone involved. The next step is to automate the processes so data moves from one step to the next with as little human intervention as possible. This reduces the chance of error and speeds up work.
- Education. While technology-related issues can certainly arise, it is equally possible that human error could put personally identifiable information at risk. From passwords being left out on desks, to software updates not happening as frequently as needed, to doors being inappropriately propped open, people put data at risk. It is imperative that businesses talk to everyone within their organization – not just the IT team – on a regular basis to keep awareness about PII and its safety top-of-mind. And don’t simply reinforce preventative measures; also talk about how critical it is to report possible breaches quickly.
- Investment. Of course, processes and people aside, data is ultimately stored and processed by technology. All industry-standard tools and techniques must be applied: encryption tools, firewalls, anti-virus systems, intrusion detection systems, etc.
Audits and PII
Today’s consumers are smarter. They understand what’s at risk when they hand over their data, and they are asking for protection. You can see this happening with the rollout of GDPR in Europe, the California Consumer Privacy Act (CCPA) in the United States and the General Data Privacy Law in Brazil. Worldwide, people are paying attention, and with all of this legislation comes the need for businesses to prove that they are in compliance.
After putting processes and mechanisms in place, it’s important for organizations to continuously demonstrate that these are being followed. This is where documentation becomes critical. If you implement a data handling policy, gather signed copies of the policy from employees stating they understand it. If a data removal request is received, document the steps taken to rid your systems of this data. Whether you use old-fashioned paper files or modern ticketing systems to accomplish this, be sure to write down everything!