Ever Hear of Pii? What You Need to Know About Its Life Cycle in Business
In high school you learned about pi, remember? Pi is the the ratio of a circle's circumference to its diameter, commonly approximated as 3.14159. All well and good. But now it’s time to learn about pii.
PII stands for "personally identifiable information." And personally identifiable information can mean an assortment of things, such as name, address, social security number and biometric data, like voice and fingerprint identifiers.
As such, pII isn’t always private information, but often it is sensitive. Think: passport number, health information and medical records -- all part of the concept of “privacy” you hear so much about, in terms of personal information and cyberspace. Companies, such as banks and health plans, which store private, personal information about people should allow those same people to determine how their pII is used or revealed.
And that brings up the matter of the pii life cycle. At birth, pii is rounded up and collected because the need exists for this data, for various small business transactions. At death, if you want to call it that, the cycle is finished: Pii data is no longer needed.
What are the in-between stages? After pii is gathered, it’s stored and maintained in a computer system. It’s ready for use -- the next stage of the life cycle. Along with that exists the need to share the pii, as in disclosure or transfer or even sales/marketing. In a business, when the pii is no longer needed, there are policies that determine when the time period for holding on to the data has expired.
As mentioned, pii is usually of a sensitive nature, though not always, and includes such items as email addresses and birthdates. A business’ responsibility is to handle sensitive data with lots of TLC, keeping it protected from theft and private, based on the terms set forth by the business that collects it and the client who agreed to those terms.
In fact, businesses have a lot of heavy responsibility when it comes to handling pii:
- Proper management of the entire life cycle
- Protection of data, in offline form as well.
- Prompt reporting of any violations of privacy
The end of the life cycle may be referred to as disposition. Proper disposition is a must. This entails thorough shredding of sensitive documents. It does not mean tossing out an old computer that still has its hard drive into a rubbish can (where dumpster divers can retrieve it, take out the hard drive and see what kind of juicy data is on it, like bank account numbers and social security numbers).
Businesses need to watch out: Punishment for privacy violation is no picnic and includes the possibility of criminal charges.
The Laws of Privacy
You’ve probably seen “HIPPA” and heard people say “Hippa.” The abbreviation is actually HIPAA, short for the Health Insurance Portability and Accountability Act. This means that your mother’s cardiologist isn’t going to tell you what’s going on with her heart unless your mother “puts you on her HIPAA.”
Translation: She authorizes the doctor to share information. HIPAA also bars, for example, nurses telling a reporter why a movie star was treated in the emergency room. HIPAA further makes it possible for patients to access their own records.
Ever hear of COPPA? The Children’s Online Privacy Protection Act requires that parental consent be obtained for websites that gather personal information on kids under the age of 13. Here is a brief rundown of other pii elements to be aware of:
- The Privacy Act of 1974 is a primer for the gathering, use and sharing of personal data.
- The Office of Management and Budget Mandate M-07-16 requires protection for pii in cyber and offline form.
- The E-Government Act of 2002, titles II and III, makes it necessary for federal agencies to analyze the influence of privacy for systems that gather public data.
- Policy Number HHS-OCIO-2008-0001.003: When suspicious things occur relating to pii, action must be taken, and that’s where this policy comes in.
- The National Institutes of Standards and Technology (NIST) Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Check out the information about privacy controls in Appendix J.
If you're unaware of these items, you need to start learning about them now. Security for privacy requires a very systematic, strategic approach on the part of businesses. And the advent of online data has only complicated matters, raising the bar for security and protection.
What do you still need to learn?
Robert Siciliano, CEO of IDTheftSecurity.com, is committed to informing, educating and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.