Personal Data Classification and Controls (1000 words essay )
Types of Information
Personal Information
Any factual information that is identifiable to a person is Personal Information. Some of them are public information while some are private information.
Image SRC: http://www.unb.ca/secretariat/rtippa/_resources/img/personal-info.jpg
2
Personal Information
| Personal Descriptors | Name, age, place of birth, date of birth, gender, weight, height, eye color, hair color, fingerprint |
| Identification Numbers | Health IDs, Social Insurance Numbers (SIN), Social Security Numbers (SSN), PIN numbers, debit and credit card numbers |
| Ethnicity | Race, color, national or ethnic origin |
| Health | Physical or mental disabilities, family or individual health history, health records, blood type, DNA code, prescriptions |
| Employment | Employee files, employment history, evaluations, reference interviews, disciplinary actions |
| Criminal | Convictions, charges, pardons |
| Life | Character, general reputation, personal characteristics, social status, marital status, religion, political affiliations and beliefs, opinions, comments, intentions |
| Education | Education history |
| Financial | Income, loan records, transactions, purchases and spending habits |
| Credit | Credit records, credit worthiness, credit standing, credit capacity |
Personal Information
Sensitive information of individuals can be classified broadly into,
Personally Identifiable Information (PII)
Personally Identifiable Financial Information (PIFI) and
Personal Health Information (PHI)
Personally Identifiable Information - PII
Image Src: https://kalkiconsulting.com/wp-content/uploads/2015/04/PII-v3.png
PII, personally identifiable information is the basic form of information that uniquely identifies an individual.
Name, Date of Birth, Gender, Address, Telephone number etc.,
PII is mainly used to search, locate and identify specific individuals. PII is virtually stored in all offline, online applications, websites, organizations etc.
For example, to locate a subscription of a telephone, the customer center representative usually enquires the Name, Date of Birth and Contact number to locate the information.
Law enforcement officials use PII for preliminary identification of any suspects.
5
PII Sample list
Full name (if not common)
Home address
Email address (if private from an association/club membership, etc.)
National identification number
Passport number
IP address (when linked, but not PII by itself in US)
Vehicle registration plate number
The following data, often used for the express purpose of distinguishing individual identity, clearly classify as PII under the definition used by the National Institute of Standards and Technology (described in detail below):
Driver's license number
Face, fingerprints, or handwriting
Credit card numbers
Digital identity
Date of birth
Birthplace
Genetic information
Telephone number
Login name, screen name, nickname, or handle
Personally Identifiable Financial Information PIFI
Personally identifiable financial information (PIFI) is any information that a consumer provides to a financial institution that would not be available publicly. PIFI enables the unique searching, identification and validation of a person’s financial information through a specialized database and/or system.
PIFI may include information such as an individual’s name, contact details, bank account number, credit card number, Social Security number, etc.
Personally Identifiable Financial Information PIFI
Unlike PII, PIFI is very sensitive and is available for use by authorized personnel only. The environment where PIFI is used for financial purposes only.
For example, SSN is a PIFI used for credit rating validation when someone applies for new line of credit, similarly, credit card number is used when an individual makes a purchase via an online website.
All financial institutions follow strict protocols and policies in order to protect PIFI of their respective customers.
The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data
Protected Health Information
Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in a database; this can be electronic media or any other form or medium. The protected information must relate to
the past, present, or future physical or mental health condition of an individual;
provision of health care to an individual; or
Payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information.
Protected Health Information
| PHI Data | Non – PHI Data |
| Billing information from your doctor Email to your doctor's office about a medication or prescription you need. Appointment scheduling note with your doctor's office An MRI scan Blood test results Phone records | Heart rate readings without identifying to a particular person Number of steps in a pedometer Number of calories burned Blood sugar readings w/out personally identifiable user information (PII) (such as an account or user name) |
Data Classification in Organizations
The classification used is dependent on the overall sensitivity of the data and the levels of confidentiality desired.
Additionally, a nongovernment organization might consider the integrity and availability of the data in its classification model.
| Classification | Description |
| Sensitive | Data that is to have the most limited access and requires a high degree of integrity. This is typically data that will do the most damage to the organization should it be disclosed. |
| Confidential | Data that might be less restrictive within the company but might cause damage if disclosed. |
| Private | Private data is usually compartmental data that might not do the company damage but must be keep private for other reasons. Human resources data is one example of data that can be classified as private. |
| Proprietary | Proprietary data is data that is disclosed outside the company on a limited basis or contains information that could reduce the company's competitive advantage, such as the technical specifications of a new product. |
| Public | Public data is the least sensitive data used by the company and would cause the least harm if disclosed. This could be anything from data used for marketing to the number of employees in the company. |
Responsibilities
Senior management, and other levels of management, understand the vision of the company, the business goals and objectives.
The next layer is functional management, who understand their departments and how security affects their department.
The next layers are operational management managers and staff, understand the techniques and procedures.
The data owner is a member of senior management, he is responsible for negligent acts and decide the classification.
The data custodian maintain and protect the data, for ex. system administrator.
The data user, who routinely uses the data.
The chief information officer (CIO) should work with senior to define procedures.
Responsibilities (contd.)
Business managers determine the level of protection needed, and are involved in the selection of safeguards.
Auditor examines the practices.
Security professional, is responsible for security and carry out the senior manager's directives.
Thank you.