The sources of PII maintained by enterprises range from internal employee information to customers and vendors, and are pervasive because PII likely impacts a significant part of the enterprise’s records retention schedule (RRS). Identifying what records are subject to PII laws is fundamental to any strategy for effectively managing PII. While this task seems simple enough, making such a determination is ultimately dependent upon the jurisdiction(s) that are relevant to the PII. For enterprises that operate in various U.S. states and/or internationally, it becomes increasingly complex to reconcile requirements across different jurisdictions.
To provide initial guidance on identification and management of PII through an RRS, I’ve provided a few examples of U.S. privacy laws that may impact a company, followed by a checklist to help with this process.
U.S. State Laws
Within the U.S., there is no uniform definition for PII, but rather it is defined by various federal and state laws and agencies. On one end of the spectrum, California takes the lead with an aggressive privacy approach. In California, personal information includes an individual’s first name or initial combined with one or more other elements “when the name or data elements are not encrypted”, including social security number, driver’s license number, medical or health insurance information, along with an extensive list of other companion elements.[2] Several other states adopt a similar multi-factor approach but limit the definitional scope to fewer components that constitute PII when combined, thus imposing less restrictive standards.
U.S. Federal Laws
In contrast to the state approach, U.S. Federal laws take a broader approach in defining personal information. An example of this can be found in the Gramm-Leach-Bliley Act of 1999, which defines personally identifiable personal information as “nonpublic personal information.”[3] The General Services Administration, in its privacy policy applicable to contractors, defines PII at a minimum to include “information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc.”[4]
Initial Checklist
By first understanding and identifying the various types of PII mandated per jurisdiction, records and information management professionals can confidently devise an RRS strategy during their efforts to initiate and maintain a program that effectively manages this information. An initial checklist to help with this process may include some of the following:
- Identify the relevant jurisdictions and regulators. For purposes of PII, this should consider not only the enterprise’s places of operation, but also the jurisdictions from which the PII is collected.
- Identify privacy laws which may be applicable to the enterprise. These should include those that are broadly applicable to the enterprise’s business as well as those that are specific to its industry.
- Survey and summarize the privacy laws applicable to the enterprise.
- Where multiple jurisdictions are involved, consider focusing on the most stringent PII standards you identified when evaluating the RRS to facilitate a strategy that can be uniformly implemented and followed.
- Identify examples and record series within the RRS that meet the criteria required by the identified PII laws. Identifying the particular records and business processes that involve PII and mapping those requirements to the schedule will be helpful for the initial and ongoing efforts.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.
[1] http://www.idtheftcenter.org/ITRC-Surveys-Studies/2015databreaches.html
[2] CAL. CIV. CODE § 1798.82(h)
[3] 15 U.S.C. § 6809(4)(A) (2006)
Author: Jennifer Chadband, IGP, CRM, ECMp
Senior Analyst / Licensed Attorney