Difference between revisions of "WOT Wiki:Personally Identifiable Information (PII)"

From WOT Wiki
 
(46 intermediate revisions by 14 users not shown)
Line 1: Line 1:
 
The protection of PII is important to maintain public trust and confidence in an organization, to protect the reputation of an organization, and to protect against legal liability for an organization. Organizations have always considered trust, confidence, and reputation as motivating factors in protecting PII. Recently, organizations have become more concerned about the risk of legal liability due to the enactment of many US federal, state, and international privacy laws.
 
The protection of PII is important to maintain public trust and confidence in an organization, to protect the reputation of an organization, and to protect against legal liability for an organization. Organizations have always considered trust, confidence, and reputation as motivating factors in protecting PII. Recently, organizations have become more concerned about the risk of legal liability due to the enactment of many US federal, state, and international privacy laws.
  
=Examples of PII Data=
+
==Examples of PII Data==
 
The following list contains examples of information that may be considered PII.
 
The following list contains examples of information that may be considered PII.
 
    
 
    
 
* Name, such as full name, maiden name, mother’s maiden name, or alias  
 
* Name, such as full name, maiden name, mother’s maiden name, or alias  
  
* Personal identification number, such as SSN, passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
+
* Personal identification number (PIN), such as your Social Security Number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
 
   
 
   
 
* Address information, such as street address or email address.
 
* Address information, such as street address or email address.
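Review bot: the added "(PIN)" on the personal identification number line changes its meaning: PIN conventionally denotes a secret authentication code, whereas this NIST-derived item (and the unchanged line just above it) means any issued identifier such as an SSN, passport or driver's license number. Suggest dropping "(PIN)" and the second-person "your Social Security Number" so the entry reads like the rest of the list, e.g. "Personal identification number, such as Social Security Number (SSN), passport number, ...".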
Line 16: Line 16:
 
* Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry).
 
* Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry).
 
   
 
   
* Information identifying personally owned property, such as vehicle egistration or identification number, and title numbers and related information.
+
* Information identifying personally owned property, such as vehicle registration or identification number, and title numbers and related information.
  
 
* Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).
 
* Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).
  
  
==Source==
+
===Source===
Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) [http://csrc.nist.gov/publications/drafts/800-122/Draft-SP800-122.pdf PDF]
+
NIST Special Publication 800-122 [http://csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf PDF]
 +
<blockquote>National Institute of Standards and Technology Special Publication 800-122<br />Natl. Inst. Stand. Technol. Spec. Publ. 800-122, 59 pages<br />(Apr. 2010)<br /><br />''Guide to Protecting the Confidentiality of Personally Identifiable Information (PII): <br />Recommendations of the National Institute of Standards and Technology <br />Computer Security Division <br />Information Technology Laboratory <br />National Institute of Standards and Technology <br />Gaithersburg, MD 20899-8930''</blockquote>
  
''Computer Security Division
+
===Web forms / registrations===
Information Technology Laboratory
+
If your site has a simple web form to email script or simple forum / newsletter subscription registration most likely you are not gathering any ''personally identifiable information''. If you request a name without requiring first and last names, any "name" can be given.
National Institute of Standards and Technology
+
====Examples of non-PII====
   
+
; A simple Contact Us form requesting :
January 2009''
+
:* name
 +
:* email
 +
:* website
 +
:* subject
 +
:* message
 +
 
 +
; Site / Forum registration requesting :
 +
:* name
 +
:* user name
 +
:* password
 +
:* date of birth ([[Privacy_Policy#COPPA|COPPA]] compliance)
 +
:* email
 +
 
 +
; Newsletter subscription :
 +
:* email
 +
 
 +
====Examples of PII====
 +
; A Contact Us form ''requesting'' :
 +
:* name
 +
:* address
 +
:* city / state / province
 +
:* zip-code / postal code
 +
:* phone / mobile number
 +
:* email
 +
:* website
 +
:* subject
 +
:* message
 +
 
 +
; Site / Forum registration ''requiring'' :
 +
:* first name
 +
:* last name
 +
:* User name
 +
:* location / address (full or partial)
 +
:* phone / mobile number
 +
:* Password
 +
:* Date of birth ([[Privacy_Policy#COPPA|COPPA]] compliance)
 +
:* email
 +
 
 +
==Australian Data Protection Act==
 +
[https://www.privacyinternational.org/reports/australia Privacy International Australia report]
 +
<blockquote>The Australian Senate on 6 December 2000 approved the [http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm Privacy Amendment (Private Sector) Bill] which extends privacy protections to the private sector. The bill was strongly criticized by privacy advocates and the opposition political party as being far too weak. [http://www.rogerclarke.com/DV/SenatePBSub2000.html Commentary] by privacy expert Roger Clarke who describes the bill as "the world's worst privacy legislation." The European Commission has also expressed concern that the law would not be adequate for trans-border data flows.</blockquote>
 +
[http://www.aph.gov.au/house/committee/laca/Privacybill/contents.htm Advisory Report on the Privacy Amendment (Private Sector) Bill 2000]
 +
 
 +
Also reference: [http://www.efa.org.au/Issues/Privacy/privacy.html Electronic Frontiers Australia Inc.]
 +
 
 +
==Canadian Personal Information Protection and Electronic Documents Act==
 +
===Individual rights===
 +
* know why an organization collects, uses or discloses their personal information;
 +
* ''more''
 +
===Organizations requirements===
 +
* obtain consent when they collect, use or disclose their personal information;
 +
* ''more''
 +
 
 +
sources:
 +
* Wikipedia [https://secure.wikimedia.org/wikipedia/en/wiki/Personal_Information_Protection_and_Electronic_Documents_Act article]
 +
* [http://laws.justice.gc.ca/en/P-8.6/ Personal Information Protection and Electronic Documents Act (2000, c. 5)]
 +
* [http://laws.justice.gc.ca/eng/P-21/index.html Privacy Act (R.S., 1985, c. P-21)]
 +
 
 +
 
 +
==Dutch / Netherlands==
 +
* The Dutch Data Protection Authority (Ducth DPA) : http://www.dutchdpa.nl/
 +
: ''supervises the fair and lawful use and security of your personal data, to ensure your privacy today and in the future.''
 +
 
 +
 
 +
==European Union Data Protection Directive==
 +
 
 +
''officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data''
 +
 
 +
The '''Data Protection Directive''' is a European Union directive which regulates the processing of personal data within the [https://secure.wikimedia.org/wikipedia/en/wiki/European_Union European Union].
 +
 
 +
source: [https://secure.wikimedia.org/wikipedia/en/wiki/Data_Protection_Directive Wikipedia entry]
 +
 
 +
===European Commission: Justice and Home affairs===
 +
* [http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm Data Protection]
 +
: (alternate) [http://ec.europa.eu/justice/data-protection/index_en.htm Protection of personal data]
 +
* [http://ec.europa.eu/justice/doc_centre/privacy/law/index_en.htm Legislative documents]
 +
 
 +
==Hungary Data Protection Bill==
 +
* [http://abiweb.obh.hu/dpc/ Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information]
 +
* privacyinternational.org - [http://www.privacyinternational.org/survey/phr2003/countries/hungary.htm visit]
 +
 
 +
 
 +
==Finland / Sweden==
 +
Information security and protection of privacy in electronic communications.
 +
* Finlex : http://www.finlex.fi/
 +
* Finnish Communications Regulatory Authority (FICORA) : http://www.ficora.fi/
 +
*: [http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf Act on the Protection of Privacy in Electronic Communications (PPEC 516/2004)] (PDF - English translation)
 +
 
 +
 
 +
==Federative Republic of Brazil==
 +
 
 +
Article 5 of the 1988 Constitution of Brazil provides that ''"the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured."''
 +
 
 +
Reference:
 +
* privacyinternational.org - [http://www.privacyinternational.org/survey/phr2003/countries/brazil.htm visit]
 +
 
 +
 
 +
==India Privacy Laws==
 +
 
 +
No specific legislation pertaining to data protection and privacy has been enacted in India. The Indian government is currently considering the idea of enacting a detailed law on data protection under the initiative of the Ministry of Communication and Information Technology.
 +
 
 +
References:
 +
* privacyinternational.org - [http://www.privacyinternational.org/survey/phr2003/countries/india.htm visit]
 +
* dsci.in - [http://www.dsci.in/index.php?option=com_content&view=article&id=94&Itemid=79 visit]
 +
 
 +
 
 +
==New Zealand==
 +
 
 +
* The Privacy Commissioner's Office - [http://privacy.org.nz/ visit]
 +
* Privacy Act 1993 - [http://www.legislation.govt.nz/act/public/1993/0028/latest/DLM296639.html visit]
 +
 
 +
 
 +
==UK Data Protection Act 1998==
 +
 
 +
[http://www.statutelaw.gov.uk/content.aspx?activeTextDocId=3190610 Data Protection Act 1998 (c. 29)] <br />
 +
[https://secure.wikimedia.org/wikipedia/en/wiki/Data_Protection_Act_1998 Wikipedia article]
 +
<blockquote>The Data Protection Act 1998 (DPA) is a United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act itself does not mention privacy, it was enacted to bring UK law into line with the European Directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves.</blockquote>
 +
 
 +
 
 +
 
 +
== United States ==
 +
 
 +
United States privacy law embodies several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into his or her private affairs, discloses his or her private information, publicizes him or her in a false light, or appropriates his or her name for personal gain. Public figures have less privacy, and this is an evolving area of law as it relates to the media.
 +
 
 +
The essence of the law derives from a right to privacy, defined broadly as "the right to be let alone." It usually excludes personal matters or activities which may reasonably be of public interest, like those of celebrities or participants in newsworthy events. Invasion of the right to privacy can be the basis for a lawsuit for damages against the person or entity violating the right. These include the Fourth Amendment right to be free of unwarranted search or seizure, the First Amendment right to free assembly, and the Fourteenth Amendment due process right, recognized by the Supreme Court as protecting a general right to privacy within family, marriage, motherhood, procreation, and child rearing.
 +
 
 +
source: [https://secure.wikimedia.org/wikipedia/en/wiki/Privacy_laws_of_the_United_States Wikipedia - Privacy laws of the United States]
 +
 
 +
=== California's Online Privacy Protection Act ===
 +
 
 +
According to California's Online Privacy Protection Act (OPPA), all online businesses that "collects personally identifiable information through the Internet about individual consumers residing in California" must have a [[Privacy Policy]] on its website. If a website fails to add a Privacy Policy within 30 days of being notified to do so, then it is in violation of this Act.
 +
[http://leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579 California Law Code]
 +
 
 +
=== US Information Technology Law ===
 +
 
 +
* [http://www.law.stanford.edu/program/centers/ttlf/law/us/it/ law.stanford.edu]
 +
 
 +
== Other countries - data protection ==
 +
* Austria [AT] : http://www.dsk.gv.at/
 +
* Belgium [BE] : http://www.privacy.fgov.be/
 +
* Bulgaria [BG] : http://www.cpdp.bg/
 +
* Cyprus [CY] : http://www.dataprotection.gov.cy/
 +
* Czech Republic [CZ] : http://www.uoou.cz/
 +
* Denmark [DK] : http://www.datatilsynet.dk/
 +
* Estonia [EE] : http://www.dp.gov.ee/?js=1
 +
* Finland [FI] : http://www.tietosuoja.fi/
 +
* France [FR] : http://www.cnil.fr/
 +
* Germany [DE] : http://www.bfd.bund.de/
 +
* Greece [GR] : http://www.dpa.gr/
 +
* Hungary [HU] : http://www.obh.hu/
 +
* Ireland [IE] : http://www.dataprivacy.ie/
 +
* Iceland [IS]: http://www.personuvernd.is/tolvunefnd.nsf/pages/index.html
 +
* Italy [IT] : http://www.garanteprivacy.it/
 +
* Latvia [LV] : http://www.dvi.gov.lv/
 +
* Liechtenstein [LI] : http://www.dss.llv.li/
 +
* Lithuania [LT] : http://www.ada.lt/
 +
* Luxembourg [LU] : http://www.cnpd.lu/
 +
* Malta [MT] : http://www.dataprotection.gov.mt/
 +
* Norway [NO] : http://www.datatilsynet.no/
 +
* Netherlands [NL] : http://www.cbpweb.nl/
 +
* Portugal [PT] : http://www.cnpd.pt/
 +
* Poland [PL] : http://www.giodo.gov.pl/
 +
* United Kingdom [UK]: http://www.dataprotection.gov.uk/
 +
* Romania [RO] : http://www.dataprotection.ro/
 +
* Slovakia [SK] : http://www.dataprotection.gov.sk/
 +
* Slovenia [SI] : http://www.dataprotection.gov.sk/
 +
* Spain [ES] : http://www.agpd.es/
 +
* Sweden [SE] : http://www.datainspektionen.se/
 +
* Switzerland [CH] : http://www.edsb.ch/
 +
*: http://www.admin.ch/ch/d/sr/235_1/index.html
 +
 
 +
<br />
 +
see also: [[Privacy Policy|Privacy Policy]]

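Review bot: the new "Examples of non-PII" section conflicts with the NIST list earlier on the same page, which counts "email address" under address information that may be PII, yet the Contact Us, registration and newsletter examples present email as non-PII. Suggest qualifying the section: a bare name plus email, with no required first/last name, address, location or phone, is treated here as low-risk collection rather than declared "not PII". Two smaller points in the country list: the Slovenia [SI] entry reuses Slovakia's URL (http://www.dataprotection.gov.sk/) and needs its own authority link, and "Ducth DPA" in the Netherlands section is a typo for "Dutch DPA". The "Finland / Sweden" heading also lists only Finnish sources.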
Latest revision as of 08:28, 26 October 2014

The protection of PII is important to maintain public trust and confidence in an organization, to protect the reputation of an organization, and to protect against legal liability for an organization. Organizations have always considered trust, confidence, and reputation as motivating factors in protecting PII. Recently, organizations have become more concerned about the risk of legal liability due to the enactment of many US federal, state, and international privacy laws.

Examples of PII Data

The following list contains examples of information that may be considered PII.

  • Name, such as full name, maiden name, mother’s maiden name, or alias
  • Personal identification number (PIN), such as your Social Security Number (SSN), passport number, driver’s license number, taxpayer identification number, patient identification number, and financial account or credit card number.
  • Address information, such as street address or email address.
  • Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.
  • Telephone numbers, including mobile, business, and personal numbers.
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry).
  • Information identifying personally owned property, such as vehicle registration or identification number, and title numbers and related information.
  • Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, or employment, medical, education, or financial information).


Source

NIST Special Publication 800-122 PDF

National Institute of Standards and Technology Special Publication 800-122
Natl. Inst. Stand. Technol. Spec. Publ. 800-122, 59 pages
(Apr. 2010)

Guide to Protecting the Confidentiality of Personally Identifiable Information (PII):
Recommendations of the National Institute of Standards and Technology
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-8930

Web forms / registrations

If your site has only a simple web-form-to-email script or a simple forum or newsletter subscription registration, most likely you are not gathering any personally identifiable information. If you request a name without requiring first and last names, any "name" can be given.

Examples of non-PII

A simple Contact Us form requesting:
  • name
  • email
  • website
  • subject
  • message

Site / Forum registration requesting:
  • name
  • user name
  • password
  • date of birth (COPPA compliance)
  • email

Newsletter subscription:
  • email

Examples of PII

A Contact Us form requesting:
  • name
  • address
  • city / state / province
  • zip-code / postal code
  • phone / mobile number
  • email
  • website
  • subject
  • message

Site / Forum registration requiring:
  • first name
  • last name
  • user name
  • location / address (full or partial)
  • phone / mobile number
  • password
  • date of birth (COPPA compliance)
  • email
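The form-classification rule above, as an added example that is not part of the wiki page: a small Python audit that applies the page's examples (a bare "name" is not PII; required first and last name, address, location or phone are; linkable fields such as date of birth count only once an identifier is present). The Field class, the two rule tables and the sample forms are assumptions constructed for illustration.

```python
# Added example (not from the WOT wiki page): audit a web form's field list
# against the page's PII examples. The Field class, the two rule tables and
# the sample forms are assumptions chosen for illustration.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Field:
    name: str            # field label as it appears in the form
    required: bool = False


def _norm(name: str) -> str:
    """Collapse a form label to a snake_case key: 'first name' -> 'first_name'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


# Fields that identify a person on their own (from the page's PII examples:
# address, location, phone and the NIST "personal identification number" items).
DIRECT_IDENTIFIERS = {
    "address", "street", "city", "state", "province", "zip_code", "postal_code",
    "location", "phone", "mobile", "ssn", "passport", "drivers_license",
    "credit_card", "account_number",
}

# Fields that are PII only when linked to an identifier (NIST SP 800-122's
# "linked or linkable" items). Email is kept here to mirror the page's form
# examples, which treat name + email alone as non-PII; NIST itself lists email
# as address information, so a stricter policy moves it to DIRECT_IDENTIFIERS.
LINKABLE = {"email", "date_of_birth", "dob", "race", "religion", "weight", "employer"}


def audit_form(fields: list[Field]) -> tuple[bool, list[str]]:
    """Return (gathers_pii, reasons) for a form described by its fields."""
    names = {_norm(f.name) for f in fields}
    required = {_norm(f.name) for f in fields if f.required}
    reasons: list[str] = []

    # Page rule: a bare "name" field is not PII because any string can be
    # entered; *requiring* both first and last name is.
    if {"first_name", "last_name"} <= required:
        reasons.append("required first_name + last_name")

    # Direct identifiers count whether the form requires or merely requests them.
    reasons.extend(f"direct identifier: {n}" for n in sorted(names & DIRECT_IDENTIFIERS))

    # Linkable fields only count once some identifier is present on the form.
    if reasons:
        reasons.extend(f"linkable to identifier: {n}" for n in sorted(names & LINKABLE))

    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed forms mirroring the page's non-PII and PII examples.
    contact = [Field("name"), Field("email"), Field("website"),
               Field("subject"), Field("message")]
    registration = [Field("first name", True), Field("last name", True),
                    Field("user name", True), Field("location", True),
                    Field("phone"), Field("password", True),
                    Field("date of birth", True), Field("email", True)]
    for label, form in (("contact", contact), ("registration", registration)):
        pii, why = audit_form(form)
        print(f"{label}: gathers PII = {pii}; {why}")
```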

Australian Data Protection Act

Privacy International Australia report

The Australian Senate on 6 December 2000 approved the Privacy Amendment (Private Sector) Bill which extends privacy protections to the private sector. The bill was strongly criticized by privacy advocates and the opposition political party as being far too weak. Commentary by privacy expert Roger Clarke describes the bill as "the world's worst privacy legislation." The European Commission has also expressed concern that the law would not be adequate for trans-border data flows.

Advisory Report on the Privacy Amendment (Private Sector) Bill 2000

Also reference: Electronic Frontiers Australia Inc.

Canadian Personal Information Protection and Electronic Documents Act

Individual rights

  • know why an organization collects, uses or discloses their personal information;
  • more

Organizations' requirements

  • obtain consent when they collect, use or disclose their personal information;
  • more

sources:
  • Wikipedia article: https://secure.wikimedia.org/wikipedia/en/wiki/Personal_Information_Protection_and_Electronic_Documents_Act
  • Personal Information Protection and Electronic Documents Act (2000, c. 5): http://laws.justice.gc.ca/en/P-8.6/
  • Privacy Act (R.S., 1985, c. P-21): http://laws.justice.gc.ca/eng/P-21/index.html

Dutch / Netherlands

  • The Dutch Data Protection Authority (Dutch DPA): http://www.dutchdpa.nl/
    supervises the fair and lawful use and security of your personal data, to ensure your privacy today and in the future.


European Union Data Protection Directive

officially Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data

The Data Protection Directive is a European Union directive which regulates the processing of personal data within the European Union.

source: Wikipedia entry

European Commission: Justice and Home affairs

  • Data Protection: http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm
    (alternate) Protection of personal data: http://ec.europa.eu/justice/data-protection/index_en.htm
  • Legislative documents: http://ec.europa.eu/justice/doc_centre/privacy/law/index_en.htm

Hungary Data Protection Bill

  • Hungarian Parliamentary Commissioner for Data Protection and Freedom of Information: http://abiweb.obh.hu/dpc/
  • privacyinternational.org: http://www.privacyinternational.org/survey/phr2003/countries/hungary.htm

Finland / Sweden

Information security and protection of privacy in electronic communications.

  • Finlex: http://www.finlex.fi/
  • Finnish Communications Regulatory Authority (FICORA): http://www.ficora.fi/
    Act on the Protection of Privacy in Electronic Communications (PPEC 516/2004), PDF, English translation: http://www.finlex.fi/en/laki/kaannokset/2004/en20040516.pdf

Federative Republic of Brazil

Article 5 of the 1988 Constitution of Brazil provides that "the privacy, private life, honor and image of persons are inviolable, and the right to compensation for property or moral damages resulting from their violation is ensured."

Reference:

  • privacyinternational.org - visit


India Privacy Laws

No specific legislation pertaining to data protection and privacy has been enacted in India. The Indian government is currently considering the idea of enacting a detailed law on data protection under the initiative of the Ministry of Communication and Information Technology.

References:
  • privacyinternational.org: http://www.privacyinternational.org/survey/phr2003/countries/india.htm
  • dsci.in: http://www.dsci.in/index.php?option=com_content&view=article&id=94&Itemid=79

New Zealand

  • The Privacy Commissioner's Office - visit
  • Privacy Act 1993 - visit


UK Data Protection Act 1998

Data Protection Act 1998 (c. 29)
Wikipedia article

The Data Protection Act 1998 (DPA) is a United Kingdom Act of Parliament which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act itself does not mention privacy, it was enacted to bring UK law into line with the European Directive of 1995 which required Member States to protect people's fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves.


United States

United States privacy law embodies several different legal concepts. One is the invasion of privacy, a tort based in common law allowing an aggrieved party to bring a lawsuit against an individual who unlawfully intrudes into his or her private affairs, discloses his or her private information, publicizes him or her in a false light, or appropriates his or her name for personal gain. Public figures have less privacy, and this is an evolving area of law as it relates to the media.

The essence of the law derives from a right to privacy, defined broadly as "the right to be let alone." It usually excludes personal matters or activities which may reasonably be of public interest, like those of celebrities or participants in newsworthy events. Invasion of the right to privacy can be the basis for a lawsuit for damages against the person or entity violating the right. These include the Fourth Amendment right to be free of unwarranted search or seizure, the First Amendment right to free assembly, and the Fourteenth Amendment due process right, recognized by the Supreme Court as protecting a general right to privacy within family, marriage, motherhood, procreation, and child rearing.

source: Wikipedia - Privacy laws of the United States

California's Online Privacy Protection Act

According to California's Online Privacy Protection Act (OPPA), all online businesses that "collects personally identifiable information through the Internet about individual consumers residing in California" must have a Privacy Policy on their website. If a website fails to add a Privacy Policy within 30 days of being notified to do so, it is in violation of this Act.

California Law Code

US Information Technology Law

  • law.stanford.edu: http://www.law.stanford.edu/program/centers/ttlf/law/us/it/
Other countries - data protection


see also: Privacy Policy