Lately we have been analysing issues related to the management of Personally Identifiable Information (hereinafter PII) in an organizational and business setting. Running a business or organization involves many PII issues that are not even considered when PII is dealt with in law. Here are some of the things an organization should consider when dealing with issues pertaining to PII:
• Assessing the level of PII is important in any organizational setting. Each data field and its relevance in PII terms can be used for this assessment.
• Context must be considered when dealing with PII. For instance, a leak of law enforcement data and a leak of subscriber data will have two very different legal and social implications. Steps have to be taken, and protocols designed, accordingly to deal with a crisis.
• A case-by-case approach should be taken. The level of PII loss and its contextual implications differ from case to case.
• Information is either released by the organization itself or leaked. In both cases, how to modify the method of usage and the kind of information to be released can be determined by factors such as context of use, data field sensitivity, identifiability, quantity of PII, obligation to protect confidentiality, and access to and location of PII.
• De-identification algorithms, controlling access to information, separation of duties, remote access, etc. can be used to secure PII.
• How should losses due to leakage or release of PII be calculated? This depends on multiple factors and, fundamentally, on context. The harm caused is to be measured on three thresholds, i.e. Low, Medium, or High.
This is a very basic introduction to the various aspects of our research in this field. For more, keep following us!