Personally Identifiable Information (PII) and Personal Data Protection

Personally Identifiable Information (PII) is any data that could potentially identify a specific individual. Put simply, PII is any information that can be used to distinguish one person from another. The legal definition of PII varies from jurisdiction to jurisdiction, but it universally refers to information that can be used to trace an individual's identity, either on its own or in combination with other information that is linkable to that person.

Examples of personally identifiable information include:

  • name
  • address
  • email
  • race
  • ethnicity
  • telephone number
  • date of birth
  • passport number
  • fingerprint
  • facial image
  • mother's maiden name
  • driver's license number
  • credit or debit card number
  • Social Security number / national ID number

Why PII must be protected

Protecting PII is important to ensure personal privacy.

Personal data is collected, recorded, processed, tracked and used daily. It includes names, ID numbers and biometric data such as fingerprints and facial scans, which are now used to log in to systems and unlock devices. Because this information is unique to a person and cannot be changed the way a password can, it is essential to protect an individual's identity by protecting the information that is unique to them.

Sensitive vs. insensitive PII

PII can be categorized as sensitive or non-sensitive. Non-sensitive PII can be transmitted in unencrypted form without, by itself, resulting in harm to the individual; it is typically already available in public records, phone books, business directories and websites. The caveat is that several non-sensitive items combined (name, address, date of birth, employer) can identify a person just as reliably as a single sensitive item, so aggregated non-sensitive PII still deserves care.

Sensitive PII, if disclosed, could result in harm to an individual, and it often carries legal, contractual or ethical requirements that restrict its disclosure. Sensitive PII should therefore be encrypted in transit (and, in practice, at rest and when written to logs). It includes biometric data, medical information and unique identifiers such as passport or Social Security numbers. Tax IDs, passwords, bank account information and email addresses are also PII.
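The sensitive / non-sensitive distinction above only helps if it is enforced in code. The following is an added example (not from the original post): it tags each field of a record using the categories the post lists, masks sensitive values before they are logged, and refuses to send a record over a plaintext channel if it carries sensitive PII. The field names, the category lists, the masking rule and the sample record are all assumptions made for this illustration; unknown fields are treated as sensitive so the check fails closed.

```python
"""Classify record fields as sensitive or non-sensitive PII, mask them for
logging, and gate transmission on channel encryption.

Category lists below are an assumption for this example, built from the
examples given in the text; adapt them to your own data inventory."""

# Sensitive PII: harm if disclosed (biometrics, medical data, passport/SSN,
# tax IDs, passwords, bank and card numbers).
SENSITIVE_FIELDS = {
    "passport_number", "ssn", "tax_id", "password", "bank_account",
    "credit_card", "fingerprint", "medical_record", "date_of_birth",
}

# Non-sensitive PII: typically already public (directories, websites).
NON_SENSITIVE_FIELDS = {"name", "address", "telephone", "email", "employer"}


def classify(record: dict) -> dict:
    """Return the record's keys grouped as sensitive / non_sensitive / unknown.

    Unknown keys are reported separately so callers can fail closed."""
    groups = {"sensitive": [], "non_sensitive": [], "unknown": []}
    for key in record:
        if key in SENSITIVE_FIELDS:
            groups["sensitive"].append(key)
        elif key in NON_SENSITIVE_FIELDS:
            groups["non_sensitive"].append(key)
        else:
            groups["unknown"].append(key)
    return groups


def mask(value, keep: int = 4) -> str:
    """Replace all but the last `keep` characters with '*'.

    Short values are masked completely so nothing leaks from them."""
    text = str(value)
    if len(text) <= keep:
        return "*" * len(text)
    return "*" * (len(text) - keep) + text[-keep:]


def redact_for_log(record: dict) -> dict:
    """Produce a copy safe for log output.

    Non-sensitive fields are kept; passwords are dropped entirely (a partial
    password is still a credential hint); other sensitive and unknown fields
    are masked."""
    groups = classify(record)
    safe = {}
    for key, value in record.items():
        if key in groups["non_sensitive"]:
            safe[key] = value
        elif key == "password":
            safe[key] = "[REDACTED]"
        else:
            safe[key] = mask(value)
    return safe


def check_transport(record: dict, channel_encrypted: bool) -> bool:
    """Return True if the record may be sent on this channel.

    Sensitive (or unclassified) fields require an encrypted channel;
    a record holding only non-sensitive PII may go in the clear."""
    if channel_encrypted:
        return True
    groups = classify(record)
    return not groups["sensitive"] and not groups["unknown"]


if __name__ == "__main__":
    # Constructed sample record; the values are not real.
    sample = {
        "name": "A. Example",
        "email": "a@example.org",
        "ssn": "123-45-6789",
        "password": "hunter2",
        "loyalty_id": "LZ-0099",   # not in either list: treated as sensitive
    }
    print(classify(sample))
    print(redact_for_log(sample))
    print("plaintext channel allowed:", check_transport(sample, False))
    print("TLS channel allowed:", check_transport(sample, True))
```

The `loyalty_id` field shows the fail-closed rule: a field nobody has classified is masked in logs and blocks plaintext transmission until someone decides which category it belongs to, which is the point at which data minimization (does this field need to be sent at all?) should be asked.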

Banks, health services organizations, government agencies and businesses have all experienced data breaches, and the exposed PII leaves the affected people vulnerable to identity theft. Attackers can sell PII for a significant profit, or use their victims' information to open new accounts and carry out larger frauds.

PII laws and regulations

The European Union's General Data Protection Regulation (GDPR) has become a de facto standard worldwide. It uses the term "personal data" rather than PII, and it applies to any organization, inside or outside the EU, that processes the personal data of individuals in the EU. Other laws, including Sri Lanka's Personal Data Protection Act No. 9 of 2022, are covered below.

Seven principles govern the lawful processing of personal data, where "processing" covers the collection, organization, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.

The seven principles of the GDPR are:

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimization
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

Together they aim to minimize data collection, limit how long data is stored, make organizations accountable for what they hold, and give special categories of sensitive data extra protection.

The Data Protection Act 2018 is the UK's implementation of the GDPR. The United States has no federal equivalent of the GDPR; the closest analogue is the California Consumer Privacy Act (CCPA, amended by the CPRA), a comprehensive state privacy law that gives California residents greater transparency and control over how businesses collect and use their personal information.

Sector-specific United States data protection laws include the Health Insurance Portability and Accountability Act (HIPAA), a federal law protecting sensitive patient healthcare information; the Gramm-Leach-Bliley Act (GLBA), which requires financial institutions to protect the confidentiality and security of consumer data; and the Federal Information Security Management Act (FISMA, updated in 2014 as the Federal Information Security Modernization Act), which regulates how federal agencies protect their information and systems.

Sri Lanka's Personal Data Protection Act No. 9 of 2022 was enacted to establish a legal framework for protecting personal data in Sri Lanka.

It aims to strengthen growth and innovation in the digital economy, protect personal data rights, strengthen cross-border co-operation between personal data protection enforcement authorities, and ensure consumer trust and safeguard privacy.

Organizations must therefore comply with these new personal data protection laws by establishing the policies, procedures and processes needed for data protection compliance.

Niranjan Meegammana 
