As a business you are responsible for the personal information about your customers and employees. As a matter of law, you are required to safeguard the information and ensure that it’s used in a proper manner. However, it is difficult to know what is considered to be personal information.
It is important to know that the definition of personal information differs depending on the legal jurisdiction and country of origin. In general, personal data is any information that can be used to identify an individual. This includes data such as a person’s email address or telephone number, but it also includes any other information that can be linked to a person, thereby making them identifiable: for instance their birth date and their mother’s maiden name, biometric data, information regarding visas and passports, credit card numbers, and other sensitive data related to employment (e.g. performance ratings and disciplinary records).
The individual must also be reasonably identifiable from the information. If it would be impractical for anyone to identify the person from it, the information is not considered personal. This is called the “practicability test”.
The final step to determine whether something is personal is that it must be related to a living, identifiable person. This excludes business information, such as invoices or orders.
Sensitive personal information can be extremely damaging if it is lost, stolen or otherwise disclosed without authorization. It is essential to inform employees about the importance of safeguarding sensitive PII. It is also important to secure the data when it is not in use, for example by logging off unattended computer systems and destroying paper documents. Regularly review the PII held in your systems, and restrict access to those who have an underlying business reason to access it.