
Wednesday, June 3, 2020

Personally Identifiable Information: avoid, avoid, avoid!

PII stands for Personally Identifiable Information, meaning data that can be used, either of itself or with other data, to identify an individual. It’s a huge deal in the data world and there are substantial fines for misusing PII as I’ll explain later. Before I say anything else, I want to give you some advice:
  • Don’t process PII without taking legal advice.
  • Don’t process PII unless there’s a compelling reason to do so.
  • Have processes in place for how the data is stored, who has access, and why.


(Image credit: Wikimedia Commons - public domain image)

In some cases it’s obvious what is PII, for example employee health records or customer contact details. But photographs of people can also be PII, as can mailing lists or other data that identifies people (for example, survey responses that include email addresses). Some jurisdictions (the EU) add an extra category of specially sensitive PII which is subject to further regulation or even prohibition; this sensitive data can include data on political beliefs, sexuality, genetic data and more [Bird & Bird]. Data on children requires special handling and is subject to extra regulation, but you should also be aware that the definition of what a child is can vary; different jurisdictions have different age limits. The onus is on you to know if the data you’re collecting is legal.

Some surprising types of data can be considered PII. In a recent court case in the CJEU (Court of Justice of the European Union), the court found that dynamic IP addresses of themselves could be considered PII [Breyer]. A German regional government website had been attacked by hackers, so they kept a log of visitors' IP addresses to protect themselves against attacks coming from certain IP addresses. A privacy campaigner named Patrick Breyer visited the site and believed that recording his (dynamic) IP address was a violation of data protection rules. He sued. The court found that although the government site had a legitimate reason for collecting dynamic IP addresses, Breyer's dynamic IP address was PII and therefore the site was in breach of the regulation. The court found in Breyer’s favor because there was another party, the ISP, who could link Breyer’s dynamic IP address to him [Whitecase]. This may seem like tortuous logic, but it’s the way courts work - you should not assume ‘common sense’ when defining PII.

The fines for non-compliance can be enormous; the fines for violating the GDPR can go to €10,000,000 or 2% of global turnover, whichever is the higher [Bird & Bird]. The EU is also tightening up on regulation to prevent firms from choosing the most lenient regulator to be judged by. Of course, as well as fines, there's the reputational damage of a case too.

Although you might think you don't process PII, there is a backdoor way that your company can end up processing PII by accident and hence be liable. PII data from data breaches is sometimes available on the web, for example the Ashley Madison customer data set. For analysts, these are interesting data sets to play with, so the temptation is to download them to a work computer and start looking at them. This opens the door to legal problems because now the company is processing PII with no legitimate reason to do so. You should have corporate policies and training that let employees know that these datasets are strictly off-limits and that they must never be downloaded onto company computers.

Sometimes, you do need to process PII data. Here's what you should do:
  • Encrypt the data at rest and in transit. Use a good encryption scheme.
  • Use pseudonymization. Use a good code scheme.
  • Restrict who has access to the data. This may mean restricting access to certain parts of a database.
  • Log who has access and why, and maintain processes to authorize and deauthorize access.
  • Above all, have written processes and follow them.
If you're breached, you need to act quickly, including informing your regulator. In the past, I've worked with a great law firm who have extensive experience in data privacy and helping companies after data breaches, DAC Beachcroft. If you need help, I recommend them.
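As an added illustration of the pseudonymization and access-logging points above (example code written for this post, not from the author or any law firm), the snippet below replaces the direct identifiers in a constructed survey data set with keyed pseudonyms. The key is the "code scheme": held separately and under access control, it is the only way to recompute the mapping, and every run is recorded with who requested it and why. The sample rows and the field names are assumptions for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample data (fictional respondents). Note that the IP address is
# treated as PII here, following the Breyer reasoning discussed above.
RESPONSES = [
    {"email": "alice@example.org", "ip": "203.0.113.10", "answer": "yes"},
    {"email": "bob@example.net",   "ip": "198.51.100.7", "answer": "no"},
    {"email": "Alice@Example.org", "ip": "203.0.113.10", "answer": "maybe"},
]


def pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the normalised value, truncated.

    Unlike a plain hash, the mapping cannot be recomputed without `key`, so a
    leaked pseudonymised table does not let a third party re-identify people.
    Normalising case/whitespace keeps the same person linkable across rows.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymize(rows: list[dict], key: bytes) -> list[dict]:
    """Return a copy of `rows` with direct identifiers replaced by pseudonyms."""
    return [
        {
            "respondent": pseudonym(r["email"], key),
            "client": pseudonym(r["ip"], key),
            "answer": r["answer"],
        }
        for r in rows
    ]


def access_log_entry(user: str, purpose: str, row_count: int) -> str:
    """One JSON log line recording who used the key, why, and on how much data."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "purpose": purpose,
        "rows": row_count,
        "action": "pseudonymize",
    }
    return json.dumps(entry, sort_keys=True)
```

In practice the key comes from a secrets manager or HSM, never from the same store as the pseudonymised data, so that the people who can read the table cannot reverse it.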

Here's my advice:
  • Create a company policy for PII, including forbidding people from using work equipment to process non-work data.
  • Seek legal advice before processing data that might be PII - don't take advice from blogs, find real lawyers to advise you.
  • Create internal processes for managing the PII you do have to process. This should cover:
    • Encryption
    • Access
  • Continually revise your policies and practices. Ensure you follow your processes and document that you do so.
(Disclaimers:
  • Nothing in this blog post constitutes legal advice.
  • I am not a lawyer, don’t take legal advice from me.
  • All views expressed in this article are my own. I’m speaking on behalf of myself and not on behalf of my employer or anyone else.)
References

[Bird & Bird] https://www.twobirds.com/~/media/pdfs/gdpr-pdfs/bird--bird--guide-to-the-general-data-protection-regulation.pdf?la=en&hash=D7EC7D1FADB322CE5A05FF4C47A645D1E398E7C4
[Breyer] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A62014CJ0582
[Whitecase] https://www.whitecase.com/publications/alert/court-confirms-ip-addresses-are-personal-data-some-cases