There is much debate about what specific types of items should be considered as personally identifiable information (PII). A common topic of debate is; if information can be found publicly does that mean it is not PII?
I answer with a resounding, “No!”
“But…but…if you can find information in a lot of places, then it doesn’t confidential and private, so it shouldn’t be considered as PII…!” exclaims a person who, in my mind resembles Dwight Shrute, or possibly even Sarah Palin (imagine her saying, “If I can see it from my front porch it isn’t PII!”… just had to get that out of my mind and put out loud.)
Here’s an important point about PII and privacy: PII goes beyond being information items that can only be see by a select few. PII is any type of information, or data item collections, that can point to a specific individual.
Is your full name considered to be PII? Of course! Even though I have my full name on my web site, blog and other public places, it still points specifically to me. Here is where you must consider privacy principles that go beyond just mantaining confidentiality (certainly an important privacy principle, but all principles must be considered):
- Organizations must clearly provide notice describing the purpose for the collection, use, retention, and sharing of PII. Eg., “You want to post my name on your site as being one of your customers? But you didn’t tell me you’d use my name in that way when I started doing business with you!“
- Organization must describe the choices available to individuals and obtain explicit consent if possible, or implied consent when this is not feasible, with respect to the collection, use and disclosure of their PII. Eg., “You want me to give you my name to get a copy of your ‘free’ report? Why?”
- Organizations must collect only the PII that is required to fulfill the stated purpose from individuals. Eg., “I only want to get a haircut, so you don’t need my mailing address to cut my hair!”
- Organizations should only be use or disclose PII for the purpose for which it was collected and the PII should only be divulged to those parties authorized to receive it. Eg., “I gave you my name to get a health insurance policy; but now your sales folks want to use it to market long term care insurance? You didn’t tell me you’d use my name for marketing purposes!”
- Organizations should provide a process to allow individuals to ask to see their corresponding PII and to request the correction of perceived inaccuracies. Eg., “You’ve spelled my name ‘Harold’…let me see all the PII you have about me so I can see what other mistakes you’ve made!”
- Organizations who have collected PII, including such publicly available items such as full name, must still use the PII only for he purposes for which it was obtained, and not disclose to any other parties outside of those identified in the notice. Eg., “I just got a sales call from Fantasy Island Vacations; they said they bought the list of your customers who had purchased your auto insurance; I didn’t give you my name and other PII so you can make more revenue from selling it to other companies for their marketing!”
- Organizations must protect PII in all forms from loss, theft and must prevent unauthorized access, disclosure, copying, use or modification. Eg, “Hey, you threw printed copies of all my letters to your company into the public dumpster and now someone found them and published them online; I don’t want any one else to know or see what I wrote to you!”
- Organizations must make appropriate efforts to ensure that the PII is accurate, complete and relevant for the purposes identified in the notice, and remains accurate throughout the life of the PII within the control of the organization. Eg., “You left the ‘O’ out of my name in my prescription; now the pharmacy won’t give me my medication!”
- Organizations must ensure someone is responsible for ensuring all privacy and security protections exist for PII. Eg., “I’m concerned about who has access to name and all the purchases I’ve made at your store; who’s responsible for the security and privacy of my information?“
- Organizations must make privacy policies available to PII data subjects. Eg., “How do I know you have privacy protections and safeguards in place? Let me see some evidence that you actually do have documented policies, and show me that they are consistently enforced.”
These privacy principles hit to the heart of privacy, and that is trust. Companies must use and protect PII in ways that protect their employees’ and customers’ privacy and maintain their trust.
Multiple laws support the fact that many items, often found in public, must be considered as PII and handle according to most, and in some cases call, of these privacy principles. Consider the information items, protected health in specified in HIPAA; many are often found in public places, but must still be protected according to the HIPAA safeguards:
(A) Names; <== OFTEN FOUND IN PUBLIC
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, (<== OFTEN FOUND IN PUBLIC) except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers; <== OFTEN FOUND IN PUBLIC
(E) Fax numbers; <== OFTEN FOUND IN PUBLIC
(F) Electronic mail addresses; <== OFTEN FOUND IN PUBLIC
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers; <== OFTEN FOUND IN PUBLIC
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs); <== OFTEN FOUND IN PUBLIC
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and <== OFTEN FOUND IN PUBLIC
(R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section;
Even though many of these HIPAA PHI items are widely found in public places, each covered entity, and now business associates under the HITECH Act, must still ensure all the PHI items are safeguarded, used, shared, retained, etc. according to the HIPAA requirements.
I also want to do a quick revisit to my IP address post from earlier this week…
My Twitter friend, @clarinette02, provides some wonderful research and reference list for the various world-wide laws and a few cases addressing the use of PII in her blog posting here.
Thank you for your great contribution to the PII / IP address discussion, Clarinette! 🙂
Tags: awareness and training, HIPAA, HITECH Act, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, security training