How to identify and protect personal information

Personal information also referred to as personally identifiable information (PII) and Protected Personal Information (PPI), has a good and bad side for companies. All businesses record the personal information of their clients (names, debit/credit cards, address, etc.) to identify them and execute certain business operations. These business operations may range from meeting payrolls, to filling orders, and advertising. This makes the user and business operations run much faster and smoother.

However, when the personal information of a client isn’t properly secured and falls into the wrong hands, it could lead to a disaster for both the client and company. The information could be used for identity theft, fraud, ransomware, etc. Every organization that handles personal information need to understand regulations that apply to persona information in their custody and what protections are required.

What is personal information?

To start, let’s begin with “What is personal information”? It can simply be answered as “any information that can be used to identify an individual”. What constitutes personal information is defined the various Privacy Acts that govern it – which vary by country, and even state, so it’s important know what regulation(s) apply to your organization.

When something is deemed personal, it means that it should only be able to identify a single person. In some cases, information can actually have more than one subject matter. That is, a piece of information can be about an individual and another thing entirely such as a car, land, etc. So then, what is considered personal information? For information to be considered “personal”, it has to satisfy two criteria:

1. The information must be about a single individual.
2. The identity of the individual in question must be ascertainable from the information.

In addition, for information to be considered personal, it does not necessarily have to be true. The truthfulness of the information doesn’t make it less personal. Not only this, but personal information also doesn’t necessarily need to be written or recorded down like video, audio recordings or photographs. Instead, it can also be communicated in other forms, such as sign language.

Furthermore, information about a deceased person may no longer be considered personal information, depending on the law. The Australian Privacy Act defines personal information as information about a living entity, and not a person who is deceased. However, if information about a deceased person includes the information about a living person, such information could still be considered as personal information.  By contrast, the US HIPAA Privacy rule protects medical information for 50 years after the person’s death.

Additionally, according to the GDPR, religious beliefs, sexuality, health information, and a person’s criminal records is personal information.

In most cases, to access personal information such as a person’s date of birth, home address, contact information, etc. it must be for official purposes only (and only after your consent), as not everyone should be able to access this data.

What are the types of personal information?

Under the various Privacy Acts, there are several categories of personal information that should not be handled carelessly. Below are the types of the types of personal information generally covered:

1. Private information
2. Sensitive personal data information
3. Health information
4. Tax information
5. Employee information
6. Credit card information

Private personal information

Private information is simply information that is associated with a person’s or group’s life. They include data, facts and other restricted materials that define a person’s identity and behavior. It may or may not link directly to a person, but it is significant to their identity. Examples of private information include:

• Your phone password
• The pin to your bank ATM
• Voting choice, etc.

Sensitive personal information

Just as the name implies, sensitive personal information is a type of personal information that encompasses deep and delicate information about someone. Unsurprisingly, the level of privacy protection on sensitive data is more than other types of personal information. Examples of sensitive personal information about an individual may include:

• Racial origin
• Political affiliations
• An individual’s criminal records
• Sexual preferences or orientation
• Religious view or practices
• Genetic information
• Health information
• Biometric information such as your fingerprints, electronic signature, etc.

Health information

Health information is another type of personal information and includes individual health disabilities, allergies, injuries and more. Health information can also be considered as sensitive personal information.

Examples of health information include:

1. All types of test results
2. All types of medical reports
3. Medical history
4. Any forms of prescriptions
5. Information about an individual’s choice of organ donation
6. Dental records
7. Information about the genetics of an individual
8. Allergy information, etc.

Tax information

For every taxpayer, there are times where we have little or no choice but to divulge our financial “life” or activities. Tax information can be considered personal information and should only be divulged as required by a relevant agency dealing on your behalf and in your interest. Examples of tax information include tax returns, financial records, pay slips, claims etc.

Payment card information

Payment cards (credit and debit cards)are usually issued out by financial institutions such as banks to their customers for the purpose of transacting.  Credit card information is also personal information, as the information on it is identifiable to a living individual. Fraud and identity theft are the result of credit card data breaches exposing this personal data. Hence, all credit card information should be stored safely. In addition to this, an individual should also check out their card issuer’s privacy policy, in order to know the best ways to opt-out of any potential data sharing.

Examples of information in these credit cards that can be used to identify an individual include:

1. Cardholder name
2. An individuals location or address.
3. Phone number or other communication channels.
4. Primary Account Number (PAN)
5. Service code
6. PIN code
7. CVC2, CVV2, CID
8. Expiration date
9. Biometric information such as fingerprints and electronic signatures, etc.

Employee personal information

For every organization, irrespective of size, their employees’ information must remain protected. As such, this information must not be divulged or leaked to a third-party. The privacy act specifically mandates that information that is identifiable to each and every one of your employees must be handled with care. Examples of such information include:

1. Your employee’s contact information.
2. Their health information
3. Their sexual preferences
4. Religious views
5. Their political affiliation
6. Date of birth

Leakage of such information could attract a fine or other more serious penalties as stipulated by the various Privacy Acts.

Why personal information needs protection

Protecting personal information can be challenging at times. Here’s why it is important to put in the effort to protecting personal information:

1. To prevent identity theft. When personal information is leaked, the individual’s identity can be stolen
2. To protect financial information. When tax/financial information is leaked out to the wrong hands, especially cybercriminals, they could make unauthorized withdrawals or transfers from the individual’s bank account or file for tax returns on their behalf
3. To protect employment status. Most companies conduct screening for their new or existing recruits. Therefore, if you have incriminating information about yourself leaked online that goes against the company’s policies or requirements, you could lose your job in the process
4. Helps to maintain your business reputation. Data breaches can wreak havoc on a company’s reputation and bottom line from legal fees, fines and remediation steps.

How can you protect personal information?

Here’s a few tips to help protect personal information in your care, including your own:

• Always be on the lookout for impersonators. Be careful of who or where you are submitting personal information to.
• Use encryption for sensitive data. Doing this further protects personal information. Even if you a computer or mobile phone is lost, if the information is encrypted, there’s a high chance that it won’t be accessible to a third-party.
• Secure social security numbers. Ask the right questions when it’s requested, to determine if you should share it or not.
• Install antivirus/firewall on the company’s computer system to curb cyber attacks.
• Be vigilant about the kind of emails and websites employees access.
• Install data-centric security solutions to prevent data loss and accidental sharing with authorized parties.

Businesses that are unable to maintain the integrity of their clients’ personal information, will suffer losses if the information becomes compromised, leaked, or maliciously modified. The best way to prevent these outcomes is to implement proactive security tools that monitor and control interactions with personal data.

NC Protect addresses privacy issues including who can access data that contains personal and other sensitive information. Secure files and control how authorized users can share and utilize documents containing PII, while providing a clear audit trail of access and use. Fully integrated with Microsoft 365 apps including SharePoint® Online and on-premises, OneDrive, Teams, Outlook, and Yammer, Windows File Shares and Nutanix Files, NC Protect ensures data privacy compliance and information security by continuously monitoring and auditing content (files, chats, messages) against regulatory and corporate policies to protect against data breaches, unauthorized access and misuse.