# Data Privacy

# Glossary

Any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural, or social identity.

The protection of PII.

Processing is any manipulation of the data, including securing or destroying it, in electronic or hard-copy form. Viewing data is not considered processing.

The owner's right to determine to whom information is disclosed. Security protects privacy.

# Direct and Indirect Identifiers

Direct identifiers and indirect identifiers form the two primary components for identification of individuals, users, or personal information.

# Direct Identifiers

Legally defined PII elements are sometimes referred to as direct identifiers. Direct identifiers are those data elements that immediately reveal a specific individual (the person's name, Social Security or credit card number, and so on).

# Indirect Identifiers

Indirect identifiers are the characteristics and traits of an individual that when aggregated could reveal the identity of that person (the person's birthday, library ID card number, and so on).

# User Data Types

# Sensitive Data

Sexual orientation and religious affiliation fit within the sensitive data category. Other sensitive information includes health information and political beliefs.

# Personal Data

Personal data includes address, phone number, date of birth, and gender. Personal data can usually be discovered with a minimal amount of investigation.

# Internet Data

Internet data includes browsing habits, cookies, and other information regarding an individual's internet usage.

# Biometric Data

Biometric data includes fingerprints, finger scans, retina scans, and other biometric data that would need to be captured using a biometric scanner or software.

# Contractual and Regulated PII

PII relates to information or data components that can be utilized by themselves or along with other information to identify, contact, or locate a living individual.

NIST SP 800-122 defines PII as any information about an individual...

...that can be used to distinguish or trace an individual's identity, such as name, Social Security Number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, education, financial, and employment information.

# Contractual PII

Where an organization or entity processes, transmits, or stores PII as part of its business services, this information is required to be adequately protected in line with relevant laws.

Failure to meet or satisfy contractual requirements may lead to penalties, up to and including termination of the contract, at the discretion of the organization to which services are provided.

# Regulated PII

The distinguishing feature of regulated PII is that the criteria it must adhere to are required by law and statute, as opposed to contractual criteria, which may be based on best practices or organizational security policies.

Key differentiators from a regulated perspective involve satisfying regulatory requirements (such as HIPAA and GLBA).

Failure to satisfy these requirements can result in significant financial penalties and restrictions on processing, storing, and providing services.

# Mandatory Breach Reporting

Another key component and differentiator related to regulated PII is mandatory breach reporting requirements.

Mandatory breach reporting requires both private and government entities to notify and inform individuals of any security breaches involving PII.

Security breaches should be reported immediately to customers; however, the GDPR defines a 72-hour window for informing the authorities.