As a Records and Information Management (RIM) professional, and a librarian, I’ve always been concerned about keeping private information protected. When working in RIM, I’m constantly evaluating the sensitivity of the information I’m managing to ensure proper safeguards are in place. Typically this entails defining different levels of sensitivity (e.g., secret, top-secret, etc.) for the business documents. Once established we then determine who is allowed access to each levels.
I have to confess that managing personally identifiable information (PII) is a completely different story. On the surface, PII seems obvious and assigning a sensitivity level should be straightforward. About 10 years ago, I would have only considered protection for obvious PII such as names, birthdates, gender, address, social insurance/security numbers, government-issued identifiers, etc. However, the way different data points about a person are now used to determine their likes/dislikes or influence how s/he may vote have really broadened the definition of PII.
So much information is collected, known and unknown by users, PII needs to be expanded to incorporate other factors. For example, when I first blogged about big data I learned that people could be “outed” (i.e., identified as LGBTQ) based on their interests and other “non-personal” data points. Data was analyzed to reveal patterns, preferences, and behaviors, all without a specific admission of being one way or another.
Recently Europe’s new General Data Protection Regulation (GDPR), which goes into effect on May 25, 2018, has been in the news. Essentially the regulation focuses on protecting personal data, which is defined in Article 4 (1) in the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 as:
“(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; “*
As technology changes, it’s important to reframe and contextualize our definitions. Now including things like genetics or cultural identities as personal data seems appropriate, especially considering how powerful data analytics have become. It’s easy for companies to create profiles from PII that may not initially appear to be specific, but taken in conjunction with multiple other data points can actually be quite revealing. But in order to protect it, we have to first be able to define it.
*Eur-Lex: Access to European Union Law. “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).” European Parliament, 27 April 2016. Web. 21 May 2018.