One of the basic privacy principles is to limit the collection of personally identifiable information (PII) to only that which is necessary for the business purpose for which it is being collected. These privacy principles, built largely around the OECD privacy principles, are the basis for most data protection and privacy laws throughout the world.
However, most businesses continue to do what they have been doing for the past several decades, often at the urging of the marketing areas: collect as much PII as possible whenever the opportunity presents itself.
I’ve talked to many marketing folks who indicate that gathering extraneous PII is necessary to develop new products and services and to launch new marketing campaigns. Most of these same marketing folks do not even realize that laws exist requiring the restriction of PII collection.
A story published today, “How much personal information is too much?” highlights this continuing problem most businesses have with collecting more PII than is necessary.
It is important for information security and privacy practitioners to keep in close touch with the marketing, customer relationship management and sales areas to ensure they are abiding by this edict to limit PII collection. You cannot expect that these areas will inherently know that they cannot collect extraneous amounts of PII.
With new customer relationship management (CRM) systems, many marketing and sales areas use the full functionality of the system without realizing that the information requested from customers and consumers not only violates the privacy principles but also breaks many data protection laws worldwide.
(FYI, very generally, a “customer” is someone who has actually purchased a product or service from an organization and has established a relationship with the business, and a “consumer” is very generally someone who is a potential customer of a business, and may have provided PII to request information or for other purposes. Customers are a subset of consumers.)
Information security and privacy practitioners must communicate with and make marketing and sales areas aware of the restrictions on the uses of PII. Do not assume your legal counsel has or will do this.
Many corporate lawyers are too swamped to keep up with all the data protection and privacy requirements, and many do not have the technical background to understand how technologies are being used to collect, handle, store and share the PII.
Marketing, sales and CRM areas must receive customized information security and privacy training based upon how they gather, use, store and share PII, and they must also receive ongoing awareness communications to keep the issues in the forefront of their business thinking and daily activities.
Look at the forms your organization uses to collect PII from consumers, customers and even employees. For what business purpose do you need to collect that social security number (SSN)? For what business purpose do you need to collect that birthdate? Is it because it has always been done that way? Or, because it is easier than using something else?
In this day and age, with hundreds of data protection and privacy laws in existence, collecting information because it’s most convenient or because “we’ve always done it that way” is no longer a good reason. The regulatory oversight agencies and courts will quickly tell you that as they hand you a substantial fine or penalty, or rule in favor of an employee, customer or consumer who is suing you for the way in which you used their PII.
This is a big topic, and a privacy impact assessment (PIA) can show you where you are collecting extraneous PII. However, here are a few quick checks you can use to see if your organization is a) collecting more PII than necessary, or b) using PII in inappropriate ways.
1) Are you using SSNs (or other country IDs) as account numbers or primary identifiers for customers to access their accounts?
2) Are you using SSNs, birth dates, driver’s license numbers, credit card numbers, or other types of PII that can be used for identity fraud and theft as identity verification items?
3) Do you collect extra PII from consumers and customers primarily for marketing purposes? If so, do you clearly communicate this to the customer/consumer and allow the individual the opportunity to NOT provide this information?
4) For what purposes are you using the PII that you collect, store and share with business partners? Are you using it for more purposes beyond the ones for which you collected it?
5) When was the last time you updated your applications, sales forms, invoices and other forms? Are you still using them? Are you collecting PII within them that you don’t really need to collect to process the business transaction?
Of course there are many more questions you can, and should, ask, but these will help to highlight where you may be needlessly collecting PII and, as a result, be in noncompliance with applicable data protection and privacy laws, regulations and industry standards such as PCI DSS.
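As an added example (not code from the original post), here are the five quick checks above, plus the “for what business purpose?” question from the form review, turned into a small Python audit that runs over a constructed form inventory. The field names, PII categories and purpose labels are assumptions chosen for illustration; a real audit would load them from your own form and CRM field definitions.

```python
from dataclasses import dataclass, field

# PII elements usable for identity fraud and theft (the items named in check 2).
# Assumed category labels; adapt to your own data classification scheme.
HIGH_RISK = {"ssn", "national_id", "birthdate", "drivers_license", "credit_card"}


@dataclass
class FormField:
    name: str
    category: str                                    # kind of PII: "ssn", "email", ...
    collected_for: set = field(default_factory=set)  # purposes disclosed at collection
    used_for: set = field(default_factory=set)       # how the business actually uses it
    opt_out: bool = False                            # may the individual decline to provide it?


def audit_form(fields):
    """Apply the five quick checks to one form; returns (field name, finding) pairs."""
    findings = []
    for f in fields:
        if not f.collected_for:  # nobody can state why it is collected: legacy field
            findings.append((f.name, "no business purpose declared (check 5)"))
        if f.category in HIGH_RISK and "account_identifier" in f.used_for:
            findings.append((f.name, "high-risk PII used as account identifier (check 1)"))
        if f.category in HIGH_RISK and "identity_verification" in f.used_for:
            findings.append((f.name, "high-risk PII used to verify identity (check 2)"))
        if f.collected_for == {"marketing"} and not f.opt_out:
            findings.append((f.name, "marketing-only PII with no way to decline (check 3)"))
        extra = f.used_for - f.collected_for  # secondary uses never disclosed
        if extra:
            findings.append((f.name, f"used beyond disclosed purpose: {sorted(extra)} (check 4)"))
    return findings


def sample_form():
    """Constructed customer sign-up form used to exercise the checks."""
    return [
        FormField("ssn", "ssn", {"tax_reporting"}, {"tax_reporting", "account_identifier"}),
        FormField("birthdate", "birthdate", {"age_verification"},
                  {"age_verification", "identity_verification"}),
        FormField("hobbies", "interests", {"marketing"}, {"marketing"}),
        FormField("fax_number", "phone"),  # nobody remembers why this is on the form
        FormField("email", "email", {"order_fulfillment"}, {"order_fulfillment"}, opt_out=False),
    ]


if __name__ == "__main__":
    for name, finding in audit_form(sample_form()):
        print(f"{name}: {finding}")
```

The email field produces no finding because its only use is the purpose disclosed when it was collected; every other field trips at least one of the checks.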
It is important to point out to your business leaders that the less PII you collect, the less data you hold that can be exposed through computer crime and misused for identity fraud and theft.
Besides, why have more PII than you really need to do business? It just creates more liability for your organization.
Tags: awareness and training, ID theft, identity theft, Information Security, IT compliance, OECD, PCI DSS, policies and procedures, privacy, privacy principles, privacy training, risk management, security training, SSN