|Created by Kimberly Kline, API|
Keeping the personal information of both your clients and your employees safe is the responsibility of any company, even a small business. That is why it is important to put practices in place from the beginning that will help. That duty begins with guarding the Personally Identifiable Information (PII) of your employees and clients. Here I will discuss what information is considered PII, why it is important, and what you need to do now to safeguard it.
What is PII?
PII (Personally Identifiable Information) is any information that can be used on its own to determine a person’s identity, together with any information that, when combined with other identifying information, can reveal a person’s identity.
Specific Examples of PII are:
- Full Name (if not common)
- Home Address
- Date of Birth
- Social Security Number / National Identification Number
- Telephone Number
- Email Address (if private)
- Vehicle Registration Number
- Driver’s License Number
- Fingerprints or Handwriting
- Credit Card Numbers
- Genetic Information
- Login Name, Screen Name, or Handle (including a radio handle)
There is also information that is not PII on its own but becomes PII when it is combined with other personal details. One or more of the items below, taken together, increase the chance of identifying a particular person.
Examples of potential PII:
- Full Name (if common)
- Country, state, zip code, city of residence
- Gender or Race
- Name of School they attended or their Workplace
- Grades, Salary, or Job Position
- Criminal Record
- IP Address
Safeguarding this type of information is important. Being lax in any way with how you treat it is dangerous and can open up your clients and your employees to identity theft, which can have serious, lasting effects on their bank accounts, social media accounts, and credit. Unauthorized access to PII is also an invasion of privacy.
That is why it is crucial to develop a sound policy concerning PII. Your policy should cover the safe handling of PII, the training of your employees in what PII is and how to keep it safe, and the consequences of not following the policy.
Safeguarding PII begins with you and your employees!
As an employer, you are required to develop and implement a policy for the safe handling of PII, including the rules of behavior you expect and the consequences for non-compliance. You should also recognize that employees are often the “weak link” when it comes to safeguarding PII; making sure they are both thoroughly trained and monitored helps.
All employees and contractors who have significant privacy information responsibilities must understand your PII policy. This includes any employees and contractors who work with PII as part of their job duties such as Human Resources staff, finance staff, or Managers / Supervisors.
Establishing steps to both recognize PII and handle it properly is the backbone of a good PII policy.
The first step is to identify whether the information is, in fact, PII. Educating your staff on the examples of what is PII and what, when combined with other information, becomes PII is crucial.
You should then consider “de-identifying” your records as much as possible: remove enough PII from a report or document that the remaining information does not, by itself, identify an individual.
Another option is to “anonymize” PII, for example by substituting a code for the identifying value (such as a name). Strictly speaking, a code that can be looked up again is pseudonymization rather than anonymization: anyone holding the lookup table can re-identify the person, so that table needs the same protection as the PII it stands in for.
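The code substitution described above, as an added example that is not part of the original post. It replaces a record’s direct identifiers with codes derived by a keyed HMAC, keeps the code-to-value table separate, and then coarsens the remaining quasi-identifiers (birth date to year, ZIP to its first three digits). The field names, the sample records and the fictional person in them are constructed for illustration, and the choice of HMAC-SHA256 is this example’s, not the author’s.

```python
"""Pseudonymise and de-identify PII records with a keyed code.

Added example for this post, not the author's own code. Field names,
the sample records and the fictional person are constructed here for
illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict

# Direct identifiers: each one alone points at a person, so working copies
# carry an opaque code in its place.
DIRECT_IDENTIFIERS = ("full_name", "ssn", "email", "phone")

# Constructed sample input: two differently formatted copies of one person.
SAMPLE_RECORDS = [
    {"full_name": "Jane Q. Sample", "ssn": "123-45-6789",
     "email": "Jane.Sample@example.com", "phone": "(555) 010-0001",
     "date_of_birth": "1984-03-12", "zip_code": "30301",
     "job_title": "Payroll Clerk", "salary": 52000},
    {"full_name": "  jane q. SAMPLE ", "ssn": "123456789",
     "email": "JANE.SAMPLE@example.com", "phone": "555-010-0001",
     "date_of_birth": "1984-03-12", "zip_code": "30301",
     "job_title": "Payroll Clerk", "salary": 52000},
]


def normalize(field: str, value: str) -> str:
    """Canonicalise a value so one person always receives one code."""
    if field in ("ssn", "phone"):
        return "".join(ch for ch in value if ch.isdigit())
    return " ".join(value.split()).casefold()


def pseudonym(field: str, value: str, key: bytes) -> str:
    """Deterministic code for one identifier, derived with HMAC-SHA256.

    A keyed HMAC rather than a bare hash: SSNs and phone numbers come from
    a small, enumerable space, so unkeyed SHA-256 codes could be reversed
    by hashing every candidate. Without the key the code reveals nothing,
    and including the field name keeps codes from colliding across fields.
    """
    msg = f"{field}:{normalize(field, value)}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{field.upper()}-{digest[:16]}"


def pseudonymize(record: dict, key: bytes, lookup: Dict[str, str]) -> dict:
    """Copy `record` with its direct identifiers replaced by codes.

    `lookup` (code -> original value) is the re-identification table. It
    is as sensitive as the PII itself: store it apart from the working
    data with restricted access, or do not keep it at all.
    """
    out = dict(record)
    for field in DIRECT_IDENTIFIERS:
        value = out.get(field)
        if value:
            code = pseudonym(field, value, key)
            lookup[code] = value
            out[field] = code
    return out


def deidentify(record: dict, key: bytes, lookup: Dict[str, str]) -> dict:
    """Pseudonymize, then coarsen quasi-identifiers that could still single
    someone out in combination: keep only birth year and a 3-digit ZIP."""
    out = pseudonymize(record, key, lookup)
    if out.get("date_of_birth"):
        out["date_of_birth"] = out["date_of_birth"][:4]
    if out.get("zip_code"):
        out["zip_code"] = out["zip_code"][:3]
    return out


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # lives with the lookup table, not the data
    table: Dict[str, str] = {}
    for rec in SAMPLE_RECORDS:
        print(deidentify(rec, key, table))
    print("re-identification table:", table)
```

Because the code is deterministic under one key, the two messy copies of the same person collapse to the same codes, which is what lets you still run reports on coded data. The key and the lookup table are the only things that reverse the codes; keep them away from the working records, and destroy both once you no longer need to re-identify anyone, at which point the output is much closer to genuinely anonymized.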
But the absolute best way to safeguard PII begins with controlling or limiting access to it. This covers both physical access and mobile access (cell phones, laptops, etc.). Curbing the number of people who come in contact with sensitive PII is the easiest way to keep it safer and control how it is handled.
Careful consideration of the location of your PII records is also key. Keeping them onsite with limited accessibility is best; every offsite or mobile copy widens the exposure.
Your policy also needs to cover the confidential transmission of anything containing PII, for example encrypting it in transit rather than sending it in plain email.
The final safeguarding part of your policy should be developing an auditing program to monitor for potential inappropriate access to PII or for a data breach.
It is also important that your PII policy explains the consequences and corrective actions for breaching PII protocol, and that it covers both employee and contractor expectations. Emphasize that compliance is mandatory and that breaking the protocol for safely handling PII may incur disciplinary and/or criminal action. Penalties may range from reprimand and retraining to suspension or removal; fines may also be levied on anyone found guilty of willful disclosure of PII.
The responsibility for properly training your employees and contractors who work with PII lies with you, the owner, and your managers. The best practice is to develop a thorough training program, make sure your workers follow the program, and frequently monitor the handling of PII.
However, no matter what else you include in your PII policy, the best way to protect your employees, clients, and your company is to practice the “minimum necessary principle”: minimize the use, collection, and retention of PII to the least amount necessary. This includes the previously mentioned limiting of access to PII. It also means properly destroying records, both physically (shredding, for example) and digitally (sanitizing the media so the data cannot be recovered, rather than merely deleting files).
Taking these steps to guard PII is not only the safe thing to do, it is the right thing to do, and your employees and clients will thank you for it!