What Is Personal Information?
As defined in section 12 of the Information Privacy Act 2009 (Queensland, Australia):
Personal information is information or an opinion, including information or an opinion forming part of a database, whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
In other words, personal information is information about an individual from which that individual can be identified. Two criteria must both be met: the information must be about an individual, and the individual's identity must be apparent from, or reasonably ascertainable from, the information or opinion. A birthday without a name, for example, is not personal information; it is just a date. The test is contextual, though: a date of birth combined with a postcode and gender can often be matched to a single person, so the same value may be personal information in one dataset and not in another.
Information security practice and privacy laws use other terms as well. Personally Identifiable Information (PII) is the common term in the United States, while Sensitive Personal Information (SPI) usually refers to a narrower category (such as health, racial or ethnic origin, religious or political views, sexual orientation and biometric data) that many privacy laws subject to stricter handling requirements.
Knowing the laws and regulations that govern personal information is important for every organization. Companies collect information from their employees, customers, partners and suppliers, and they have an obligation to protect the personal information those individuals entrust to them. Failure to do so can lead to legal consequences. The data must be protected both from outsiders with malicious intent, such as identity thieves, and from being shared without permission inside the organization.
The loss or misuse of personal information can harm your employees, customers, suppliers and partners, so it must be taken seriously. Despite the risks, collecting personal information is unavoidable: it is needed to run payroll, fill orders and complete many other daily business operations. What is required is an appropriate set of controls, proportionate to the sensitivity of the data, to manage that information.
Examples of Personal Information
Name, address, social security number and phone number are among the most widely recognized examples of personal information. Because personal information is any information about an identifiable person, whether or not it is recorded in a material form, many other things qualify as well: race, color, ethnicity, nationality, religion, political beliefs, age, sex, sexual orientation, a photograph, marital status, fingerprints, blood type, disabilities, educational level, employment history, salary, bank account details, opinions and personal views, to name only some.
Examples of Controls for Personal Information
There are laws and regulations that every organization must follow regarding personal information. In most cases, a company also needs internal policies that spell out how it wants personal information handled; it should document those expectations explicitly and communicate them to employees and others. Some requirements are specific to an industry or type of data. For example, the Health Insurance Portability and Accountability Act (HIPAA) in the United States applies to health care providers, health plans and clearinghouses, and to the business associates that handle protected health information on their behalf. Any business that stores, processes or transmits payment card data must comply with the Payment Card Industry Data Security Standard (PCI DSS), which is not a law but an industry standard enforced through contracts with the card brands and acquiring banks.
Some laws require a company to run a program to detect and prevent identity theft. Agreements with vendors and customers may also oblige your organization to implement industry-standard security procedures as part of the contract between the parties.
The controls for personal information, however, go well beyond protection against identity theft and other external threats. A company must understand how it collects the data, how the data is processed and used, how long it is retained, and how it is disposed of. These practices must also be communicated to the individuals concerned, including employees, at the time their information is collected, so that they know how it will be handled.
Practical steps a company should take to put proper controls in place include: develop a data breach response plan, train employees in security awareness, and delete all data the business no longer needs.
The following five principles are a good methodology for implementing controls. First, take an inventory of the personal information you hold and where it lives (files, databases, backups, laptops and email). Second, decide which of that information you actually need to keep, and for how long. Third, protect the information you keep with access controls, encryption and monitoring. Fourth, securely dispose of what you decide is not necessary. Fifth, create a plan for responding to security incidents.
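The inventory, scale-down and disposal steps can be partly automated. The Python script below is an added example and is not part of the original article. It scans a constructed set of records for common identifier formats, applies the two-criteria test described earlier (a record is personal information only when it contains a direct identifier, not merely a date of birth or a salary), summarizes what personal information each source holds, and strips the fields that a stated business purpose does not need. The regex patterns, the set of direct identifiers, the RETENTION_POLICY table and the sample records are all assumptions made for illustration; a real classification must also consider what can reasonably be ascertained from context, which a regex alone cannot judge.

```python
import re
from collections import Counter

# Simplified patterns for identifiers that commonly appear in free text.
# Deliberately narrow (US-style SSN and phone formats) to keep the example short.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "dob": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}

# Field names that by themselves tie a record to an identifiable individual.
# Assumption for this example: the legal test ("reasonably ascertained") depends
# on context that pattern matching cannot evaluate.
DIRECT_IDENTIFIERS = {"name", "email", "ssn", "phone"}

# Hypothetical retention policy: the fields each business process actually needs.
RETENTION_POLICY = {
    "payroll": {"name", "ssn", "bank_account", "salary"},
    "orders": {"name", "email", "address"},
}


def classify_record(record):
    """Step 1 for one record: list the PII types found and decide whether the
    record is personal information.

    A record counts as personal information only when a direct identifier is
    present; a date of birth or a salary on its own identifies nobody (the
    'birthday without a name' case).
    """
    found = set()
    for key, value in record.items():
        if value in (None, ""):
            continue
        if key in DIRECT_IDENTIFIERS:
            found.add(key)
        for kind, rx in PATTERNS.items():      # also catch PII hiding in free text
            if rx.search(str(value)):
                found.add(kind)
    return {"pii_types": sorted(found),
            "is_personal_information": bool(found & DIRECT_IDENTIFIERS)}


def build_inventory(sources):
    """Step 1 across all sources: count PII types per source (file, table, share)."""
    report = {}
    for source, records in sources.items():
        counts = Counter()
        personal = 0
        for rec in records:
            result = classify_record(rec)
            counts.update(result["pii_types"])
            personal += result["is_personal_information"]
        report[source] = {"records": len(records),
                          "personal_records": personal,
                          "pii_types": dict(counts)}
    return report


def scale_down(record, purpose):
    """Steps 2 and 4: keep only the fields the stated purpose needs and report
    what was dropped. An unknown purpose keeps nothing, so data cannot be
    retained by accident."""
    allowed = RETENTION_POLICY.get(purpose, set())
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed)
    return kept, dropped


# Constructed sample data (fictional people and values).
SAMPLE_SOURCES = {
    "hr_export.csv": [
        {"name": "A. Example", "ssn": "123-45-6789", "dob": "1980-01-02",
         "salary": 50000, "bank_account": "000111222",
         "notes": "call 555-123-4567"},
        {"name": "", "dob": "1975-06-07", "salary": 42000},  # a date without a person
    ],
    "orders.json": [
        {"name": "B. Sample", "email": "b.sample@example.com",
         "address": "1 Main St", "phone": "555-987-6543", "dob": "1990-03-04"},
    ],
}

if __name__ == "__main__":
    for src, summary in build_inventory(SAMPLE_SOURCES).items():
        print(src, summary)
    kept, dropped = scale_down(SAMPLE_SOURCES["hr_export.csv"][0], "payroll")
    print("payroll keeps", sorted(kept), "and drops", dropped)
```

Running the script reports that the HR export holds one record that is personal information (the second row, a date of birth with no name, is not) and that applying the payroll purpose to the first row drops the date of birth and the free-text notes field, which still contained a phone number.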
Examples of Recent Data Breaches
In 2013, all of Yahoo's roughly 3 billion user accounts were compromised. Yahoo first disclosed the breach in December 2016, while it was negotiating its sale to Verizon, and initially put the number of affected accounts at 1 billion; in October 2017 it revised that figure to 3 billion. The stolen data included names, email addresses, dates of birth, telephone numbers, hashed passwords and, in some cases, security questions and answers. The monetary impact on users is hard to estimate, since Yahoo cannot measure individual users' losses. For Yahoo itself, the incident affected the price it could negotiate with Verizon: Verizon eventually paid $4.48 billion, $350 million less than the $4.83 billion agreed before the breaches were disclosed.
In November 2018, Marriott announced that attackers had been inside the guest reservation database of Starwood, a hotel group Marriott acquired in 2016, since 2014; the intrusion was only discovered in 2018. Marriott initially put the number of affected guests at approximately 500 million and later revised it to about 383 million records. For some victims only their name and contact details were exposed, but for others passport numbers, dates of birth and encrypted payment card data were also taken.
As you can see, even large and well-established companies fall victim to data theft, and an intrusion can go unnoticed for years. Everyone therefore needs to maintain high security standards, and to hand personal information only to organizations that do the same.