As tech advances, so does the need to protect sensitive data from unauthorised access. In this blog post, we’re breaking down the concept of personal information, why it's important, and the proven steps to safeguard it.
Defining Personal Information (PI)
The term “Personal Information” (PI) is often used interchangeably with “Personally Identifiable Information” (PII), but neither abbreviation is itself a defined legal term. To ensure clarity and consistency, it’s recommended to use the term the applicable law actually defines. For instance, in New Zealand the Privacy Act refers to “personal information,” while the GDPR in Europe uses the term “personal data.” Both terms have legal definitions, and those definitions determine the obligations that apply when you collect, store, use or disclose that information.
The scope of personal information
Personal information encompasses any information about an identified or identifiable natural person. It goes well beyond traditional identifiers like name, address, or contact details. Any information, regardless of its form, format, or platform, is personal information where it is about an individual who can be identified from it, whether directly or in combination with other available data.
This could include:
- Health and disability records
- Employee performance data
- Email communications
- Location information
- CCTV footage
- Biometric data (e.g. genetic information, fingerprints, etc.)
The breadth of personal information is extensive, and it exists across various mediums.
Identifiability and context
When determining whether information qualifies as personal information, both identifiability and context play important roles.
Identifiability refers to the ability to associate the information with a specific individual, either directly (a name, an ID number) or indirectly (a combination of attributes, such as postcode, date of birth and sex, that together single one person out). Information that looks unrelated to any individual at first glance can still be personal information if it can reasonably be linked back to them, including by matching it against other data that is already available.
Contextual factors, such as the purpose for which the data is held, who else holds related data, and the impact on the individual if they were identified, all contribute to whether it falls under the umbrella of personal information. It’s crucial to consider the broader implications of the data being linked to a person, even where no field in it names that person. In particular, removing names and ID numbers from a dataset does not by itself make it non-personal.
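The indirect-identification point above is easy to state and easy to underestimate, so here is an added worked example (not part of the original post, and not code from any named organisation). It uses a small constructed set of health records from which names and ID numbers have already been stripped, shows that an attacker who knows a target’s postcode, birth year and sex from some other source can still read off that person’s diagnosis, and then measures the dataset’s k-anonymity before and after generalising and suppressing records. The field names, the postcode and decade generalisation rules, and the threshold k=2 are all assumptions chosen for illustration.

```python
"""Added example: pseudonymised records can still be personal information.

All records below are constructed for illustration and describe no real person.
"""
from collections import defaultdict

# Constructed sample: direct identifiers (name, patient number) already removed.
# What remains is a set of quasi-identifiers plus one sensitive attribute.
RECORDS = [
    {"postcode": "6011", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "6011", "birth_year": 1986, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "6012", "birth_year": 1991, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "6012", "birth_year": 1995, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "6013", "birth_year": 1975, "sex": "M", "diagnosis": "none"},
    {"postcode": "6014", "birth_year": 1978, "sex": "M", "diagnosis": "cancer"},
    {"postcode": "6011", "birth_year": 1960, "sex": "F", "diagnosis": "cancer"},
]
QUASI_IDS = ("postcode", "birth_year", "sex")   # assumed quasi-identifier columns
SENSITIVE = "diagnosis"                           # assumed sensitive column


def equivalence_classes(records, quasi_ids=QUASI_IDS):
    """Group records that share exactly the same quasi-identifier values."""
    classes = defaultdict(list)
    for rec in records:
        classes[tuple(rec[q] for q in quasi_ids)].append(rec)
    return dict(classes)


def k_anonymity(records, quasi_ids=QUASI_IDS):
    """k is the size of the smallest equivalence class. k == 1 means at least
    one person is unique on their quasi-identifiers, i.e. re-identifiable."""
    classes = equivalence_classes(records, quasi_ids)
    return min(len(rows) for rows in classes.values()) if classes else 0


def linkage_attack(records, known, quasi_ids=QUASI_IDS):
    """Simulate an attacker who knows a target's quasi-identifiers from another
    source (for example a public register) and looks them up in the 'anonymised'
    data. Returns the set of sensitive values consistent with the target; a
    single-element set means the attacker has learned the target's diagnosis."""
    return {rec[SENSITIVE] for rec in records
            if all(rec[q] == known[q] for q in quasi_ids)}


def generalise(rec):
    """Coarsen quasi-identifiers: keep only the first three postcode digits and
    round the birth year down to its decade (illustrative rules, not a standard)."""
    return {**rec,
            "postcode": rec["postcode"][:3] + "*",
            "birth_year": rec["birth_year"] // 10 * 10}


def anonymise(records, k, quasi_ids=QUASI_IDS):
    """Generalise every record, then suppress any record that is still in an
    equivalence class smaller than k. Suppression is what handles the residual
    outliers that generalisation alone does not hide."""
    generalised = [generalise(r) for r in records]
    classes = equivalence_classes(generalised, quasi_ids)
    return [r for rows in classes.values() if len(rows) >= k for r in rows]


if __name__ == "__main__":
    # Attacker knows this much about one person from an unrelated public source.
    target = {"postcode": "6014", "birth_year": 1978, "sex": "M"}
    print("k-anonymity of the raw export:", k_anonymity(RECORDS))
    print("attacker learns:", linkage_attack(RECORDS, target))
    safe = anonymise(RECORDS, k=2)
    print("records kept:", len(safe), "k:", k_anonymity(safe))
    print("attacker now learns:", linkage_attack(safe, generalise(target)))
```

Run as-is, the raw export has k = 1 and the attacker recovers exactly one diagnosis for the target; after generalisation the 1960-born record is still unique and is suppressed, six records survive with k = 2, and the same lookup now returns two candidate diagnoses rather than one. The point for the definitions section is that the raw export was personal information the whole time, even though no field in it named anyone.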
Safeguarding the personal information you hold
Given the risks associated with mishandling personal information, safeguarding measures should be at the forefront of your privacy program. Here are some proven methods to consider:
- Data Encryption: Encrypting personal information both at rest and in transit means that a lost laptop, a stolen backup tape or an intercepted connection does not on its own expose readable data. The protection is only as good as the key management behind it: keys must be stored and controlled separately from the data they protect, or an attacker who reaches the data reaches the keys too.
- Access Control: Implementing access controls ensures that only authorised individuals can access personal data. Strong user authentication and role-based access control let you limit access to particular categories of personal information (for example, health records or employee performance data) to the roles that genuinely need them, and periodic access reviews keep those permissions from accumulating over time.
- Regular Data Backups: Regularly backing up personal information mitigates the risk of data loss due to hardware failure, cyber attacks, or natural disasters. Remember that a backup is itself a copy of personal information: it needs the same encryption, access control and retention limits as the live system, and restores should be tested.
- Employee Training and Awareness: Educating employees about the importance of protecting personal information, and about the everyday ways it leaks (misdirected email, oversharing in tickets and chat, weak passwords), helps build a security-conscious culture within the organisation.
- Incident Response and Recovery: Establishing an incident response plan allows for prompt and effective action in the event of a security breach where personal information may be involved. The plan should cover how you will assess the harm to affected individuals and meet any notification obligations, such as the mandatory breach notification requirements under the New Zealand Privacy Act 2020 or the 72-hour supervisory-authority notification under the GDPR.
Overall, protecting personal information should be a priority for your organisation. As technology continues to advance, the risks associated with unauthorised access to and misuse of personal data become more complex. By committing to safeguarding personal information, we can all contribute to a safer and more trustworthy digital environment.