Identifying Personal Information
What constitutes “personal information” and why protecting it is important
Personal Information: What It Is and How to Protect It
Personal Information is something most of us likely didn’t think much about before the digital era. Today, it’s at the heart of privacy debates the world over.
The Oil of the Digital Era
Modern businesses rely on collecting, organizing, and analyzing ever-greater volumes of data, frequently from multiple different sources.
The most obvious examples are companies like Google and Facebook, who process not only data that users directly input on their sites, but also user IP addresses, location data, device data, data from third parties and more. These corporate behemoths are just two of thousands of companies that make their money off consumer information.
Now, consumers are demanding accountability from the organizations that collect and process this copious personal information.
That makes understanding the significance of personal information and what gets done with it more important than ever.
What Is Personal Information?
The legal definition of “Personal information (PI)” (also referred to as “Personal Data” and “Personally Identifiable Information”) varies slightly in different countries.
At its core, PI is simply any information that relates to an identified or identifiable person. What varies country to country, or even in the U.S. by state to state, is which specific PI legally qualifies for data protection.
PI includes typical data like names, address/email addresses, phone numbers, and many other identifiers. Some kinds of PI are deemed sensitive. According to the International Association of Privacy Professionals (IAPP), sensitive data includes information for which the subject has a “reasonable expectation of privacy, such as medical or financial information.”
Why Is it Important to Protect Personal Information?
There are many reasons. As already noted, some laws require it.
Beyond that, almost everyone has come to expect it. With the number of data privacy scandals making headlines, consumers are more sensitive about use of their personal information. This leads to confusion and concern about just how businesses are using it.
While societal attitudes about the right to privacy vary by culture, people inherently know when something violates their boundaries. No one likes “creepy” behavior or feeling stalked. So, businesses will benefit from actively protecting their customers’ information and their privacy.
Security is another important reason. The compromise of secure information is a “lose-lose” for everyone involved. Customers and even employees whose data is compromised or stolen by cybercriminals are subject to identity theft, monetary theft, fraud, public embarrassment, and other harms.
Customers can feel frustrated or even betrayed. The employee whose actions caused the breach feels embarrassed and could even lose their job. And businesses that are found negligent in their efforts to protect customer data can face significant penalties and market backlash.
Remember that trust, reputation, loyalty, brand value, and individuals’ rights and freedoms are at stake when it comes to appropriately handling sensitive data.
What Are Some Important Data Privacy Principles?
Observing privacy principles can ensure that your organization respects the rights and preferences of the people whose information you collect.
Here are seven important principles to inform discussions, policies, and procedures regarding personal data. Variations of these are baked into today’s existing and emerging data privacy and consumer information laws.
Notice – requires that individuals be informed about:
- Why their information is being collected and how it will be used
- Whom they can reach out to for complaints
- The types of third-party organizations their information will be shared with and the circumstances under which such sharing may occur
Companies should provide notice before people are asked to provide any personal information. Notice should again be given before that information is used for any reason other than the original declared purpose.
Choice – requires that individuals can opt out of the collection, use, and transfer of their data to third parties.
Data should only be processed or shared in a way that’s compatible with the purpose declared when it was collected. When sensitive information will be shared in some other way, or with a third party, individuals must give their explicit consent.
Onward Transfer – requires that transfers of data to third parties occur only to other organizations that have established privacy principles substantially similar to the company that collected it.
To disclose information to a third party:
- Apply the Notice and Choice principles.
- Ensure the third party adheres to your privacy principles.
Access – ensures that individuals retain the right to confirm that their data is being processed and to obtain access to it. This empowers them to know which of their personal data a company processes and to verify that it is processed lawfully.
Rectification and Erasure – ensures that individuals may make updates to their personal information if it is inaccurate or incomplete.
Additionally, individuals have the “right to be forgotten,” allowing them (in most circumstances) to delete or remove their personal data when there is no reason for its continued processing.
Accountability and Integrity – requires that a business has effective mechanisms to ensure compliance with its privacy principles. At a minimum, an organization ought to have in place:
- Readily available and affordable methods to investigate and resolve complaints and, where appropriate, to award damages
- Procedures to verify that a company’s assertions about its privacy practices are true
- Obligations to remedy problems resulting from a company’s failure to comply with its principles
Security – requires that adequate efforts be made to protect the security of personal information from loss, misuse, unauthorized access or disclosure, alteration, destruction, and other risks.
How is Personal Information Regulated?
Different industries and regulations treat personal information differently. A wide variety of data protection and privacy regulations now exist in the United States and globally.
Depending on the business you’re in, your company may need to follow some of these regulations regarding how you manage the personal information you hold.
Note that many regulations define training requirements for employees who handle personal data, shifting training from good-to-have to mandated. Be sure to verify whether that requirement exists in the regulations to which your company is subject.
Some of the most impactful regulations currently in force include:
Health Insurance Portability and Accountability Act (HIPAA)
The U.S. Congress passed the Health Insurance Portability and Accountability Act in 1996. Among its many provisions, HIPAA requires the protection and confidential handling of individually identifiable health information that is transmitted or maintained by medical and health care service providers, health insurers, and payment clearinghouses.
HIPAA’s rules were strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) amendment that passed in 2009. Under HITECH, the maximum penalty for breach of healthcare patient information is now $1.5 million per violation. You can see how the consequences of healthcare security violations can really add up!
Payment Card Industry Data Security Standard (PCI DSS)
The Payment Card Industry Data Security Standard is a security standard for payment card (credit and debit card) data designed to reduce fraud.
While it may not be a legal requirement, payment card brands such as VISA, MasterCard and others hold merchants that accept their cards for payment accountable to this standard.
PCI DSS sets 12 security control requirements for cardholder data. These include:
- Building and maintaining a secure network
- Protecting cardholder data
- Implementing a security awareness initiative to inform employees of their responsibilities
Merchant fines for non-compliance can range from $5,000 to $100,000 per month, enough to significantly impact a small or even a medium-sized business.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation, which took effect in May 2018, regulates data protection and privacy for citizens of the European Union (EU).
Along with transactions with the EU, the regulation covers the transfer of EU citizens’ personal data outside of the EU. Known as the strictest privacy law in the world, the GDPR reflects Europeans’ regard for privacy as a fundamental human right.
Consequently, potential fines for GDPR violations are intentionally steep. They can run as high as 4% of a company’s annual revenue (NOT just their profit) or €20 million, whichever is higher. If your company does business in the EU, it’s time to make sure you are fully GDPR compliant.
California Consumer Privacy Act (CCPA)
The California Consumer Privacy Act (CCPA) gives consumers the right to:
- Know what personal information is being collected about them and access it
- Know if their personal information is disclosed, and with whom
- Know if their personal information is sold and the right to opt out of the sale
- Receive equal service and price whether or not they exercise their privacy rights
The CCPA has been called “America’s GDPR,” with industry experts considering it the first of many to come in U.S. states. Fines for non-compliance can range from $2,500 to $7,500 per incident.
How is Personal Information Stored?
PI can be kept in electronic (digital) or physical form, or both.
- Digital records can include databases, emails, documents, spreadsheets or even social media sites. These records will exist within the internal network and may also be hosted in third-party systems, including cloud and as-a-service environments.
- Physical records can include paper documents, convenience copies, books, maps, photographs and images, essentially anything in a tangible medium.
These days, most business records are electronic. Still, both formats exist and must be protected to the same standards. All PI records should be maintained, stored, and disposed of properly.
To that end, it’s important to define and use a records management and retention policy that documents terms for creation, active use, storage, and disposal when the PI is no longer needed.
In today’s digital world, it’s easy to share information at the click of a button. As a result, standards for privacy protection continue to rise, which makes it harder to keep up with the changing laws that regulate our personal information.
But as the privacy landscape and associated trends and regulations shift, the end goal of privacy awareness training remains the same: helping your employees achieve a mindset where protection of personal data comes as second nature.