I am not the one making the rules. I was not the person who decided that all personally identifiable information (PII data) must be protected. What the heck is personally identifiable information anyway? Do we really need to change the way we live or operate our business to protect this stuff? Who really cares about it and who is making a fuss?
This is not a conversation I just had with a client. But it could have been. Protecting PII data is at the top of many organizations' "to-do" lists. I will tell you why.
TechTarget.com says that PII data is “any data that could potentially identify a specific individual.” That can be a lot of different types of data. Name, address, social security number, account number, phone number, what you bought, what you sold, who you did business with… Holy cow… PII can be many types of data.
Food for thought – Your health data also contains PII data, but, believe it or not, there is a separate type of data known as Personal Health Information (PHI) that has its own protection rules. Everything that is stated about PII data in this column most likely applies to PHI data as well.
Where is your PII data kept? Who has responsibility for that data? Who can access that data? Who can companies share that data with? I am certain you have seen the notifications that come with your credit cards or any other mailed statements about how they will and will not share your PII data. You may have even been asked if you give them permission to share your PII data. You may not care. But then again you might.
There are rules associated with how companies and organizations must protect the PII data that they define, produce, and use. Data Governance is a discipline that organizations are putting in place in part to help them protect their PII data. The US GSA has completed rules of behavior for handling PII data.
Do you care about your PII data? Do you care if people protect your PII data? Do you think there should be rules associated with how your PII data is shared and how it is used? Probably so. Do you pay attention to how much PII data there is about you and where that data is? If you are like the vast majority, probably not.
I am guessing that you do not want your purchase history to be shared and you most likely don’t want your location known at every point in time. I’m just saying. This is information and data about you that you probably don’t think is anybody else’s business. The problem is that there are businesses, legitimate and less so, that feed on PII data. If you carry a cellular phone, consider for a moment how much PII data you generate just by walking down the street. You can see how PII data can become a big problem very quickly—and we are just talking about YOUR PII data.
It’s a good thing there are rules for governing PII data. Whew! I didn’t want to scare you.
There are two types of PII data, since some PII is more sensitive than others. There is non-sensitive PII data that can be transmitted without being encrypted and that can be found in any public system of record such as a phone book or on the web. Then there is sensitive PII data. This is data that could cause harm to an individual whose PII data has been shared inappropriately or whose privacy has been violated. This information includes account numbers, social security numbers, passport numbers, biometrics, and potentially every type of data that links something to a person. Organizations survive and thrive on sensitive PII data about their staff, partners, and specifically, their customers.
We live in the information age and the age of Big Data so nobody is questioning the increased volume of data that is being collected about us and our behaviors and habits; and we have only scratched the surface here.
There is data from your phone, from your car, from your internet behavior, purchases, and sales. There is data about your health, wealth, and stealth, all managed by somebody else… Which brings us to managing PII data from your organization's perspective. Does your organization concern itself with PII data? Or even better… Do you govern your PII data? That is the real question.
I can hear you saying – "How should I know?" Believe me. You would know if your organization formally governed its PII data. The PII data that you can see, print, store, share, and even talk about as part of your job would all be scrutinized. Maybe not by you, but by somebody, and actively. You may be asked to sign something that says that you understand and will follow the rules associated with handling PII data.
More food for thought – It's not just PII and PHI data that need to be protected. There is something known as Intellectual Property – trade secrets, or data about what separates your company from its competitors – that your company likely has somebody thinking about protecting every day. 60 Minutes on CBS just did a detailed segment on the increasing problem of hackers stealing intellectual property.
At some point, all sensitive PII data held within your organization will be strictly protected. There will be formal accountability for the PII data you access, share, print, store, and retain. This data will be controlled using a combination of formal disciplined behavior (aka governance) and the technologies that are entering the marketplace, including encryption, secure printing, document marking, and immediately verifiable authorization assurance.
The government will not just ask you to follow the rules to protect your data. They will force you. And they will kindly ask you for auditable proof that you are protecting the data to whatever extent is necessary to follow their rules. You will be expected to have an answer.
Data Governance to protect your PII data does not have to be difficult. Data Governance (DG) requires three things: 1) somebody must actively have DG as their responsibility; 2) senior leadership must know how governance is being handled; and 3) an approach must be taken that suits the culture of the organization.
The governance and protection of Personally Identifiable Information (PII data), Personal Health Information (PHI data), and Intellectual Property (IP data) will be in your future. I can guarantee it; but please remember that this is not just coming from me.