[SERIES] POPII - Protection Of Personally Identifiable Information - Part 1

Privacy – this is very interesting, everybody wants protection over their own PII at the same time people are eager to know other PII.

So what is Privacy or Personally Identifiable Information (PII)?

PII is any data that could identify any living individual.

Before I start further, let’s understand few terminologies

Data Controller	Data controller means … a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
Data Processor	Data processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data Subject	Data processor means an individual who is the subject of personal data.
Source: https://ico.org.uk/for-organisations/guide-to-data-protection/key-definitions/

There are laws and regulations on POPII across many countries. Different countries have defined privacy rules as per their requirements. All countries PII laws and regulations talk same with little changes. In general there are 7 to 10 Privacy Principles across various country’s laws and regulations

We shall discuss these principles in detail. However what is important is:

When and how organizations are receiving PII?

OR RATHER I would say

How do we end ourselves giving PII to different entities Knowing or -unknowingly?

To understand this holistically, let’s take examples of few different industries

Sr	Industries/ Category	PII Entry Point	PII	Mode	Concerns
1	Bank or Financial industries	·     At the time of opening an account (Fixed Deposit, Saving / Current acc, Loan etc) ·	·     Name & Address, ·     Age & Gender ·     Religion & Nationality ·     Education etc (Demographic Info)	·     Physical form and later electronic form (Computer & Media)	Not much as such industries have strict regulations to follow in most of the countries.
2	Research Company	·     Online Survey ·     Field Survey	·     Demographic Info as mentioned above ·     Depend upon type of survey, it could be your personal political opinion, relational belief, Medical / Health related survey	·     Physical form and later electronic form (Computer & Media) ·	·     Are you aware what the purpose of these survey ·     Are aware how your PII would be protected by these research companies? ·     Are they going to sale your PII? ·     How long are they going to keep your PII?
3	BPO / KPOs	·     Outsourcing or subcontracting ·     Data controller might share PII to third party (as a part of outsourcing. Data controller could be Bank, Insurance company, research firm, hospital, Parma company etc.	·     Any of above	·     Mostly electronic form	·     Are you aware data controller is going to share PII with third? ·     Did you give consent to your data controller? ·     Do you know how your PII is going to be protected at third party? ·     Do you know if your PII is going out of your country? Other counties might not protect your PII as your country.
4	Dispensary, hospital	·     Hospitalization ·     Regular checkups	Sensitive PII ·     insurance details ·     SSN ·     Health problem ·     Any health related deficiency ·     History of health ·     Medicines related etc	·     Mostly electronic form	·     Most of the countries have laws to govern health related information. ·     But the problem I personally feel: “is there any ongoing compliance audit? Have they published their privacy practices etc. Does Hospital staff aware of such information security requirements?
5	Hotels, Restaurant, Club membership	·     check-in ·     opt for membership	·     ID proof ·     demographic information	·     Registration form (physical) and later electronic mode	·     Does hotel or club have privacy policy? ·     Do their staffs understand the importance of privacy? ·     Do they have infrastructure/system to protect PII? ·     Are they going to share or sale your PII to any other entity?
6	Others Shopkeeper, Shopping Mall,	·     At the time invoice generation	·     Mobile no ·     demographic information	·     Physical or electronic mode	·     Does shopkeeper or Mall have privacy policy? ·     Do their staffs understand the importance of privacy? ·     Do they have infrastructure/system to protect PII? ·     Are they going to share or sale your PII to any other entity?
7	All Types of employers	·     At the time of hiring or in a process of Interview ·     Periodic appraisal / feedback meeting	·     ID proof ·     demographic information ·     Salary & Bank account information ·     Experience, education and qualification details ·     Performance & appraisal details ·     background / ref check check report	·     physical as well as electronic information	·     Does employer have privacy policy to protect their employee information? ·     Does employee aware if employer is going to share PII with third party? ·     are appropriate system / infrastructure in place to protect PII?

There could be many industries; I have only listed few to set a context for my “POPII blog series”

I thought this would be good to start to explain “Where and How are sharing PII with various “Data Controller”.  Many times we tend to forget “How PII is going to be secure? Can somebody misuse my PII?

Hope this would be useful.

Wait and watch for my NEXT blog on “PRIVACY SERIES”. I shall explain on types of PII and privacy principles.