The laws defining Personally Identifiable Information, and how PII may be controlled and processed, vary across countries, states, and provinces, and unfortunately there is little legal precedent for how these laws are to be interpreted.
When handling PII originating from a specific jurisdiction, the laws of that jurisdiction and the advice of legal counsel take precedence over what is written here. But since you handle PII continually and there is no single clear set of laws, here is a practical guide for how you should define, control, and process PII.
So what is PII?
- Information identifying one's private persona is PII; the obvious example is one's home address.
- As a surprise to many, information identifying one's business persona is also PII, for example a corporate email address.
- Information identifying a device can also be PII if there is a strong association between the device and the person who uses it.
- Reaching into the area of statistics, PII might consist of multiple pieces of data where no one piece uniquely identifies a person, but taken altogether they have a high enough statistical probability of identifying a person. For example, there is a surprisingly high probability that no one but you has the same birth date, birth year, postal code, and gender. A voter registration system uses birth date, birth year, postal code, and house number without street name to uniquely identify an individual.
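The statistical case above can be checked mechanically: the following added example (not part of this guide; the field names and sample records are constructed for illustration) counts how many records share each combination of birth date, postal code, and gender, flags the records that combination singles out, and shows how coarsening those fields changes the result.

```python
from collections import Counter

# Constructed sample records: no single field names anyone, yet the
# combination of birth date, postal code and gender may still be unique.
RECORDS = [
    {"birth_date": "1984-03-12", "postal_code": "02139", "gender": "F"},
    {"birth_date": "1984-07-30", "postal_code": "02139", "gender": "F"},
    {"birth_date": "1984-03-12", "postal_code": "02139", "gender": "M"},
    {"birth_date": "1991-11-02", "postal_code": "02142", "gender": "M"},
    {"birth_date": "1991-05-19", "postal_code": "02142", "gender": "M"},
    {"birth_date": "1984-03-12", "postal_code": "02139", "gender": "F"},
]

# Field names are assumptions made for this example.
RAW_QI = ("birth_date", "postal_code", "gender")
GENERAL_QI = ("birth_year", "postal_prefix", "gender")


def group_sizes(records, fields):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def singled_out(records, fields, k=2):
    """Records whose `fields` combination is shared by fewer than k records.

    Anyone who knows those attributes about a person can pick out that row,
    so the record set identifies the person even without a name.
    """
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] < k]


def generalize(record):
    """Coarsen the quasi-identifiers: keep only birth year and postal prefix."""
    return {
        "birth_year": record["birth_date"][:4],
        "postal_prefix": record["postal_code"][:3],
        "gender": record["gender"],
    }


def re_identification_report(records):
    """Return (records singled out before, after) generalization."""
    before = len(singled_out(records, RAW_QI))
    after = len(singled_out([generalize(r) for r in records], GENERAL_QI))
    return before, after


if __name__ == "__main__":
    print(re_identification_report(RECORDS))  # (4, 1)
```

Even after coarsening, one record is still unique, which is why a data set should be checked after each release rather than assumed safe once names are removed.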
Regular PII includes contact information; sensitive PII associates that contact information with attributes like medical condition, financial account information, sexual orientation, religious or political views, etc.
Responsibilities for data privacy do not arise from business relationships. Even if a customer's purchasing department or legal department shows no concern over how you handle the PII of that customer's employees, the law requires you to accept the same data privacy responsibilities toward those employees as you would toward the employees of a customer who shows greater concern. This holds even if the customer says otherwise; for example, if a customer says it is OK to use their employees' PII in a product demo, data privacy laws say it is NOT OK unless it is done legally.
So how can you legally process PII?
If you follow all these requirements, you will satisfy many jurisdictional requirements:
- You must state to the individual:
  - what PII you intend to collect about them
  - why you are collecting their PII
  - what you will do with their PII (this is also known as the stated purpose)
- Before collecting the PII, you must receive explicit consent from the individual to do so; that is, you must assume the individual will not allow the collection and collect only if they allow it, not the other way around
- Once collected, you and all of your affiliates must process the PII only for the stated purpose
- When the stated purpose has been completed, you and your affiliates must delete the PII
- Upon request from the individual, you and your affiliates must correct or delete the PII
- You must encrypt PII in transit (that is, when it is transferred)
- If the PII is sensitive, you must also encrypt it at rest (that is, when it is stored)
Some jurisdictions like the EU, Canada, and the state of Massachusetts are particularly concerned about the PII of their citizens, but even more concerned when that PII is transferred outside of their jurisdiction. You usually have to provide citizens from these jurisdictions additional assurances that you will keep their information private after it has crossed their jurisdictional boundary.