Personally Identifiable Information

Assessment of risks of unauthorized access to and use of PII

Factors to take into account are:

  • Identifiability.  How easy is it to identify a specific data subject given a set of data related to a larger group of individuals?
  • Quantity. How many individuals are affected by an illegitimate exposure of PII, e.g., to the public Internet?
  • Data Field Sensitivity. How sensitive is a certain data field within a record of PII, and how sensitive are the fields in combination?
  • Context of Use. For which purpose are PII processed?
  • Regulatory Obligations. In addition to general data protection regulations, organisations processing specific classes of data are subject to additional regulatory obligations that need to be taken into account.
  • Access to and Location of PII. Who is authorized to access PII, and by what means? 
  • Geographic Location. The GDPR aims at a free flow of information within Europe. Transfer of PII to non-member states is possible under certain conditions.

Generic Operational Safeguards

Generic operational safeguards include:

  • Policy and Procedure Creation. Policies aim at providing guidance on the proper handling of PII.
  • Awareness, Training, and Education: Awareness efforts are designed to change behaviour or reinforce desired PII practices.

Privacy-specific Safeguards

Privacy-specific safeguards include:

  • Minimizing the Use, Collection, and Retention of PII. Data minimisation or, if possible, avoidance is a basic privacy principle.
  • De-identification. Keeping complete data records is not always necessary.
  • Anonymizing PII. Data anonymisation involves the application of statistical disclosure limitation techniques to ensure the data cannot be re-identified.
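
The de-identification and anonymisation safeguards above, together with the identifiability factor from the risk assessment, shown as an added example (not part of the original text). It uses k-anonymity as one possible statistical disclosure limitation measure; the sample records, field names and function names are constructed assumptions.

```python
from collections import Counter

# Constructed sample records (not real data): direct identifier, quasi-identifiers, sensitive field.
RECORDS = [
    {"name": "A. Example", "zip": "10115", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Example", "zip": "10117", "birth_year": 1986, "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Example", "zip": "10119", "birth_year": 1981, "sex": "F", "diagnosis": "asthma"},
    {"name": "D. Example", "zip": "20095", "birth_year": 1972, "sex": "M", "diagnosis": "migraine"},
    {"name": "E. Example", "zip": "20097", "birth_year": 1975, "sex": "M", "diagnosis": "asthma"},
    {"name": "F. Example", "zip": "20099", "birth_year": 1991, "sex": "M", "diagnosis": "diabetes"},
]
QUASI_IDENTIFIERS = ("zip", "birth_year", "sex")


def deidentify(records, direct_identifiers=("name",)):
    """De-identification: drop fields that identify a data subject on their own."""
    return [{k: v for k, v in r.items() if k not in direct_identifiers} for r in records]


def generalise(record, zip_digits=2, year_bucket=10):
    """Coarsen quasi-identifiers: truncate the ZIP code, bucket the birth year."""
    out = dict(record)
    out["zip"] = record["zip"][:zip_digits] + "*" * (len(record["zip"]) - zip_digits)
    start = record["birth_year"] // year_bucket * year_bucket
    out["birth_year"] = f"{start}-{start + year_bucket - 1}"
    return out


def equivalence_classes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count records sharing each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """k = size of the smallest class; k == 1 means someone is unique."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def suppress_small_classes(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Drop records whose class is still smaller than k after generalisation."""
    classes = equivalence_classes(records, quasi_identifiers)
    return [r for r in records if classes[tuple(r[q] for q in quasi_identifiers)] >= k]


def release(records, k=2):
    """De-identify, generalise, then suppress whatever remains too identifiable."""
    coarse = [generalise(r) for r in deidentify(records)]
    return suppress_small_classes(coarse, k)
```

Removing the name alone leaves every sample record unique on its quasi-identifiers (k = 1); only generalisation plus suppression reaches k = 2. A k-anonymous release can still disclose a sensitive field when all records in a class share the same value, so the sensitive columns need their own check.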

Security Controls

  • Access Enforcement. Organisations can control access to PII through access control policies and access enforcement mechanisms. 
  • Separation of Duties. Organisations can enforce separation of duties for duties involving access to PII. 
  • Least Privilege. Organisations can enforce the most restrictive set of rights/privileges or accesses needed by users for the performance of specified tasks. 
  • Remote Access. Organisations can choose to prohibit or strictly limit remote access to PII.
  • User-Based Collaboration and Information Sharing. Organisations can provide automated mechanisms to assist users in determining whether access authorizations match access restrictions.
  • Access Control for Mobile Devices. Organisations can choose to prohibit or strictly limit access to PII from portable and mobile devices. 
  • Auditable Events. Organisations can monitor events that affect the confidentiality of PII, such as unauthorized access to PII.  
  • Audit Review, Analysis, and Reporting. Organisations can regularly review and analyse information system audit records for indications of inappropriate or unusual activity affecting PII.
  • Identification and Authentication. Users can be uniquely identified and authenticated before accessing PII.
  • Transmission Confidentiality. Organisations can protect the confidentiality of transmitted PII.
  • Protection of Information at Rest. Organisations can protect the confidentiality of PII at rest. This is usually accomplished by encrypting the stored information.
  • Information System Monitoring. Organisations can employ automated tools to monitor PII internally or at network boundaries for unusual or suspicious transfers or events.

Metadata for Transparency and Data Subject Information

  • Obtaining informed consent from the data subject on the processing of PII is one of the conditions for their lawful processing. For this, data subjects need to know (compare [EC 2012, Art. 14] for additional requirements and exceptions):
    • The purpose for which PII are collected and processed.
    • The categories of PII that are collected and processed.
    • The time frame in which the processing and storage take place.
    • The geographic area where PII are stored.
    • The identities and contact details of the data controller and processor, and (if applicable) of the responsible data protection officer.
    • Recipients (or classes of recipients) different from the processors (in particular those in third countries) to which PII are transferred.

Effective Information and Rectification Mechanisms

  • Interfaces and Metadata. PII relating to a given data subject need to be identified if the data subject requests a copy of them. In addition, automated access mechanisms are desirable.
  • Access Control and Identity Management. For access control, schemes more advanced than user name/password authentication should be considered, such as multi-factor authentication. Emphasis should be put on the use of standardised methods to ensure interoperability between technical clients (data subject) and provider (processor).

Effective Deletion Mechanisms

Like information mechanisms, mechanisms for data erasure first require the identification of the data that are to be deleted; hence it is necessary to keep track of the identity of the data subjects to whom PII relate.

Data Portability

  • Standard formats and interfaces. Whenever possible, standardized interfaces, formats, and access protocols should be used. If this is not possible, it is good practice to provide comprehensive documentation of data formats and interfaces.
  • Mass Data Transfer. If large amounts of data have to be transferred, the performance of the transmission mechanism becomes an issue.
  • Transfer Security. Data transfer should be secured against interception by unauthorized parties; hence, end-to-end encryption is mandatory.

  • Proactive and preventative. Privacy by Design is characterized by proactive rather than reactive measures. 
  • Privacy as default setting. Privacy by Design aims at delivering the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or practice.
  • Privacy embedded into design. Privacy by Design is embedded into the design and architecture of IT systems and business practices.  
  • No functional degradation. Privacy by Design aims at providing full functionality of IT systems in the presence of effective PII protection.
  • End-to-end data lifecycle protection.  Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved.
  • Visibility and Transparency. Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved,
  • User centricity. Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
