Information Privacy

Category: Cyber Security Standards

Information privacy controls and procedures are aimed at protecting electronic data that is collected, used or disclosed in certain circumstances. They enable organizations to maintain compliance with all applicable privacy protection regulations and business requirements.


Standards Overview


De-identification and Protection of Personal Records

Technology increasingly facilitates the circulation and exchange of personal data, and the commercial value of that data is constantly growing. Many jurisdictions establish rules to govern the collection, use and disclosure of personal data in a manner that recognizes the right of privacy of individuals with respect to their confidential information. Such regulations prompt organizations to implement a comprehensive framework of technical safeguards and management procedures that reduce the risk of sensitive data disclosure.

Personally Identifiable Information (PII) means attributes of an identifiable individual, but does not include the name, title, business address or business telephone number. A record of such information includes any correspondence, audio or video recording, and any other electronic document or data entry. Organizations are obligated not only to minimize the retention of personal records, but also to limit their dissemination and disclosure without consent.

Organizations are motivated to protect PII for a variety of reasons: to ensure the individual's privacy, to meet legal and regulatory requirements, to maintain corporate responsibility, and to increase consumer trust.

The following publications describe information privacy practices and regulatory requirements:

  • NIST SP800-122 — Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
  • NIST SP800-188 — De-identifying Government Datasets


PII is any information about an individual maintained by an organization that can be used to distinguish or trace the individual's identity, status or specific activities.

A privacy framework is intended to help organizations define their safeguarding requirements related to PII, and aid in the implementation of systems that handle and protect personal data.

Organizations should minimize the collection, use, retention and disclosure of PII to what is strictly necessary to accomplish their business mission and goals.