Data Privacy: Protecting Personally Identifiable Information (PII)
Data privacy focuses on the proper handling of personal data — collection, storage, processing, and deletion. Privacy regulations like GDPR and CCPA have made privacy a legal requirement for most organizations.
What is Personally Identifiable Information (PII)?
PII is any data that can identify a specific individual. Direct identifiers: name, Social Security number, passport number, driver's license, email address, phone number. Indirect identifiers: IP address, device ID, biometric data, date of birth + zip code (which together can identify an individual).
Sensitive PII requires higher protection: medical records, financial accounts, criminal history, sexual orientation, religious beliefs, and biometric data.
PHI (Protected Health Information) — a subset of PII covered by HIPAA, specifically related to health status, medical records, and healthcare payment data. SPII (Sensitive PII) — PII that if disclosed could cause significant harm.
- PII: any data that identifies an individual — direct or indirect
- PHI: health-related PII, covered by HIPAA
- Sensitive PII: requires enhanced protection (SSN, medical, biometric)
- Data classification: public, internal, confidential, restricted
Privacy Principles and Frameworks
GDPR (General Data Protection Regulation) principles: Lawfulness, fairness, and transparency — tell individuals what you're doing with their data. Purpose limitation — collect data only for specified, explicit purposes. Data minimization — collect only what's necessary. Accuracy — keep data accurate and up to date. Storage limitation — delete data when no longer needed. Integrity and confidentiality — protect data with appropriate security.
OECD Privacy Principles — the foundation for most modern privacy frameworks: collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.
Privacy by Design — embed privacy into system design from the start, not as an afterthought. Proactive, not reactive. Privacy is the default setting.
- GDPR principles: lawful, transparent, minimized, accurate, limited storage, secure
- Data minimization: collect only what you actually need
- Purpose limitation: use data only for stated purpose
- Privacy by Design: build privacy into systems from the start
Data Subject Rights
Under GDPR and similar regulations, individuals have specific rights over their data:
Right to be Informed — organizations must tell individuals what data is collected and how it's used (privacy notice).
Right of Access — individuals can request a copy of their personal data (Subject Access Request).
Right to Rectification — incorrect data must be corrected.
Right to Erasure (Right to be Forgotten) — individuals can request deletion of their data under certain conditions.
Right to Restrict Processing — individuals can limit how their data is used.
Right to Data Portability — individuals can request their data in a machine-readable format to transfer to another provider.
Right to Object — individuals can object to processing for marketing or research purposes.
- Subject Access Request (SAR): individual requests their data copy
- Right to be Forgotten: request deletion — not absolute, has exceptions
- Data portability: receive data in usable format, transfer to another provider
- Organizations must respond to data subject requests within 30 days (GDPR)
Data Retention and Disposal
Data retention policies specify how long different types of data are kept. Retention periods are based on legal requirements, business needs, and regulatory mandates.
Examples: tax records — 7 years (IRS requirement), HR records — employment duration + several years, credit card data — must be deleted after processing (PCI DSS requirement), healthcare records — 6+ years (HIPAA).
Secure disposal: physical media — shredding, incineration, degaussing (magnetic destruction), pulverizing. Digital data — secure wipe (overwrite with zeros/random data multiple times), cryptographic erase (destroy encryption key), or physical destruction.
Data retention minimizes legal risk (keep what's required) and security risk (delete what's not needed).
- Retention: align with legal requirements — different data types have different periods
- When in doubt, keep — deletion before legal hold expires creates compliance risk
- Secure disposal: shred (paper), degauss (magnetic), wipe/encrypt (digital)
- Data minimization principle: if you don't need it, don't collect it
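The retention schedule and disposal methods above, worked through as an added Python example (not from the page's author): records are kept or disposed of according to the periods listed, a legal hold always overrides the schedule, and digital disposal is done by cryptographic erase, destroying a per-record key so the stored ciphertext becomes unrecoverable. The 3-year figure for "HR: employment duration + several years" and the SHA-256 counter-mode keystream standing in for a real cipher are assumptions of this example.

```python
import hashlib
import os
from datetime import timedelta

# Retention periods from the page, in days (a year taken as 365 days).
RETENTION_DAYS = {
    "tax": 7 * 365,         # IRS requirement
    "healthcare": 6 * 365,  # HIPAA minimum
    "card_data": 0,         # PCI DSS: delete once processing is complete
    "hr": 3 * 365,          # assumption: "several years" = 3 years after employment ends
}

def retention_decision(category, end_of_use, today, legal_hold=False):
    """Return 'retain' or 'dispose'. A legal hold or an unknown category always retains."""
    if legal_hold or category not in RETENTION_DAYS:
        return "retain"  # when in doubt, keep: early deletion is the compliance risk
    expiry = end_of_use + timedelta(days=RETENTION_DAYS[category])
    return "dispose" if today >= expiry else "retain"

def _keystream(key, length):
    # Constructed SHA-256 counter-mode keystream (stdlib only); production code would use AES-GCM.
    blocks = (hashlib.sha256(key + i.to_bytes(8, "big")).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

class EncryptedStore:  # one random key per record; crypto erase destroys only that key
    def __init__(self):
        self.keys, self.blobs = {}, {}

    def put(self, record_id, plaintext):
        key = os.urandom(32)
        self.keys[record_id] = key
        self.blobs[record_id] = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, len(plaintext))))

    def get(self, record_id):
        key = self.keys.get(record_id)
        if key is None:
            return None  # key destroyed: the ciphertext still exists but is unrecoverable
        blob = self.blobs[record_id]
        return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob))))

    def crypto_erase(self, record_id):
        self.keys.pop(record_id, None)  # the blob itself can be reclaimed later

def dispose_expired(store, records, today):
    """records: (record_id, category, end_of_use, legal_hold) tuples. Returns the ids erased."""
    erased = [rid for rid, cat, end, hold in records
              if retention_decision(cat, end, today, hold) == "dispose"]
    for rid in erased:
        store.crypto_erase(rid)
    return erased
```

After `dispose_expired` runs, the erased record's blob is still present in `store.blobs` but `get` returns `None`, which is exactly the property cryptographic erase relies on.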
Privacy Impact Assessments (PIA)
A PIA (also called Data Protection Impact Assessment or DPIA under GDPR) evaluates how a new project, system, or process will affect individual privacy.
PIA process:
1. Identify the need: determine whether a PIA is required (high-risk processing).
2. Describe the processing: what data, why, how, and who has access.
3. Assess necessity and proportionality: is the processing necessary and proportionate to its purpose?
4. Identify privacy risks: what could go wrong for the individuals concerned?
5. Identify mitigations: how each risk will be addressed.
6. Sign off: document the approval.
7. Integrate outcomes: implement the mitigations before launch.
A PIA is required under GDPR when processing is likely to result in high risk to individuals (large-scale processing of sensitive data, systematic monitoring, or new technologies).
- PIA/DPIA: assess privacy risk before deploying new systems
- Required for high-risk processing (GDPR Article 35)
- Risk: what could harm individuals? Mitigation: how will you prevent it?
- Document the assessment: evidence of compliance effort
Exam Tip
Know the data subject rights: access, rectification, erasure (right to be forgotten), portability. Privacy by Design is a key concept. PIA/DPIA is required for high-risk processing. Data retention vs disposal is frequently tested.