ISO 27001:2022 A 5.34 Privacy and protection of PII

According to ISO, Personally Identifiable Information is defined as “any information that (a) can be used to establish a link between the information and the natural person to whom such information relates, or (b) is or can be directly or indirectly linked to a natural person.” The “natural person” in the definition is the PII principal. To determine whether a PII principal is identifiable, account should be taken of all the means which can reasonably be used by the privacy stakeholder holding the data, or by any other party, to establish the link between the set of PII and the natural person. A public cloud PII processor is typically not in a position to know explicitly whether information it processes falls into any specified category unless this is made transparent by the cloud service customer.

ISO defines PII principal as “natural person to whom the personally identifiable information (PII) relates”. Depending on the jurisdiction and the particular PII protection and privacy legislation, the synonym “data subject” can also be used instead of the term “PII principal”.

Personally Identifiable Information (PII) is any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. PII either directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or identifies specific individuals in conjunction with other data elements, i.e., indirect identification. These data elements may include a combination of gender, race, birth date, geographic indicator and other descriptors. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in paper, electronic or other media.

The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information.


Control

The organization should identify and meet the requirements regarding the preservation of privacy and protection of PII according to applicable laws and regulations and contractual requirements.


Purpose

To ensure compliance with legal, statutory, regulatory and contractual requirements related to the information security aspects of the protection of PII.

ISO 27002 Implementation Guidance

The organization should establish and communicate a topic-specific policy on privacy and protection of PII to all relevant interested parties. The organization should develop and implement procedures for the preservation of privacy and protection of PII. These procedures should be communicated to all relevant interested parties involved in the processing of personally identifiable information. Compliance with these procedures and all relevant legislation and regulations concerning the preservation of privacy and protection of PII requires appropriate roles, responsibilities and controls. Often this is best achieved by the appointment of a person responsible, such as a privacy officer, who should provide guidance to personnel, service providers and other interested parties on their individual responsibilities and the specific procedures that should be followed. Responsibility for handling PII should be dealt with taking into consideration relevant legislation and regulations. Appropriate technical and organizational measures to protect PII should be implemented.

Other information

A number of countries have introduced legislation placing controls on the collection, processing, transmission and deletion of PII. Depending on the respective national legislation, such controls can impose duties on those collecting, processing and disseminating PII and can also restrict the authority to transfer PII to other countries. ISO 29100 provides a high-level framework for the protection of PII within ICT systems. Further information on privacy information management systems can be found in ISO 27701. Specific information regarding privacy information management for public clouds acting as PII processors can be found in ISO 27018. ISO 29134 provides guidelines for privacy impact assessment (PIA) and gives an example of the structure and content of a PIA report. Compared with ISO 27005, this is focused on PII processing and relevant to those organizations that process PII. This can help identify privacy risks and possible mitigation to reduce these risks to acceptable levels.

PII forms a key part of an organisation’s data governance strategy, and carries a number of unique regulatory, legislative and contractual risks. A good control describes how privacy and protection of personally identifiable information is assured for relevant legislation and regulation. Any information handled that contains personally identifiable information (PII) is likely to be subject to the obligations of legislation and regulation. PII is especially likely to have high requirements for confidentiality and integrity, and in some cases availability as well (e.g. health information, financial information). This control deals with PII in three distinct ways: preservation, privacy and protection. Under some legislation (e.g. the GDPR) some types of PII are defined as additionally “sensitive” and require further controls to ensure compliance. It is important that awareness campaigns are used with staff and stakeholders to ensure a repeated understanding of individual responsibility for protecting PII and privacy.

Organisations should treat PII as a topic-specific business function, and develop policies that are unique to their organisation and to the categories of PII that are most common to their day-to-day operation. First and foremost, the organisation should draft, develop and implement a series of policies that cater to the preservation, privacy and protection of PII, and ensure these are communicated to and used by all employees that process PII – not just those who are obligated to deal with it as part of their job roles. PII needs to be managed in a structured, clear and concise manner. To achieve this, the control asks organisations to draft policies that consider individual roles, responsibilities and data controls throughout their organisation.

The easiest and most efficient way to achieve this is to adopt a top-down approach that features a Privacy Officer, whose job it is to provide guidance to employees and third-party organisations on the subject of PII, and offer advice to senior management on how to remain compliant with the organisation’s obligations. Alongside regulatory, legislative and contractual guidelines, an organisation should also implement technical and operational measures that deal with the practical handling of PII as it is stored by and flows through the business.

The auditor will be looking to see how PII is handled and whether the appropriate controls have been implemented and are being monitored, reviewed and, where necessary, improved. They will also be looking to check that handling requirements are being met and audited suitably. Additional responsibilities exist too; for example, GDPR will expect a regular audit for areas where personal data is at risk. Smart organizations will tie these audits up alongside their ISO 27001 audits and avoid duplication or gaps.

As organizations continuously collect, store and distribute PII and other sensitive data, employees, administrators and third-party contractors need to understand the repercussions of mishandled data and be held accountable. It is the responsibility of the individual employee to protect data to which they have access. Employees having access to personal information must respect the confidentiality of such information, and refrain from any conduct that would indicate a careless or negligent attitude toward such information. They must avoid office gossip and should not permit any unauthorized viewing of records containing PII. Only individuals who have a “need to know” in their official capacity shall have access to such systems of records.

Predictive analytics and artificial intelligence (AI) are in use at organizations to sift through large data sets so that any data stored is compliant with all PII rules. Additionally, organizations establishing procedures for access control can prevent inadvertent disclosure of PII. Other best practices include using strong encryption, secure passwords, and two-factor (2FA) and multifactor authentication (MFA). Other recommendations for protecting PII are:

  1. encouraging employees to practice good data backup procedures;
  2. safeguarding information to which their employees have access at all times;
  3. obtaining management’s written approval prior to taking any sensitive information away from the office (the manager’s approval must identify the business necessity for removing such information from the facility);
  4. safely destroying or removing old media with sensitive data;
  5. installing software, application and mobile updates;
  6. using secure wireless networks, rather than public Wi-Fi; and
  7. using virtual private networks (VPNs).
