Information Privacy

CategoryCyber Security Standards

Information privacy controls and procedures are aimed at protecting electronic data that is collected, used or disclosed in certain circumstances. They enable organizations to maintain compliance with all applicable privacy protection regulations and business requirements.

Standards Overview

De-identification and Protection of Personal Records

Technology increasingly facilitates the circulation and exchange of personal data, whereby its value for commercial use is constantly growing. Many jurisdictions establish rules to govern the collection, use and disclosure of personal data, in a manner that recognizes the right of privacy of individuals with respect to their confidential information. Such regulations prompt organizations for implementing a comprehensive framework of technical safeguards and management procedures that reduce the risk of sensitive data disclosure.

Personally Identifiable Information (PII) means attributes of an identifiable individual, but does not include the name, title, business address or business telephone number. A record of such includes any correspondence, audio or video recording, and any other electronic document or data entry. Not only organizations are obligated to minimize the retention of personal records, but also to limit their dissemination and disclosure without a consent.

Organizations are motivated to protect PII for a variety of reasons: to ensure the individual's privacy, to meet legal and regulatory requirements, to maintain corporate responsibility, and to increase consumer trust.

The following publications describe information privacy practices and regulatory requirements:

ISO/IEC Information Privacy Management

ISO/IEC 29100 — Privacy Framework
ISO/IEC 29101 — Privacy Architecture Framework
ISO/IEC 29190 — Privacy Capability Assessment Model
ISO/IEC 29191 — Requirements for Partially Anonymous/Unlinkable Authentication

NIST Personally Identifiable Information

NIST SP800-122 — Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
NIST SP800-188 — De-identifying Government Datasets

CIO Council Privacy Guidelines

Information Privacy Regulations

US Privacy Act — Privacy Act of 1974
CA Digital Privacy Act — Digital Privacy Act of 2015
CA CASL — Canada’s Anti-Spam Legislation of 2014
CA PIPEDA — Personal Information Protection and Electronic Documents Act of 2000
EU GDPR — General Data Protection Regulation of 2016

privacy

PII is any information about an individual maintained by an organization, such that can be used to distinguish or trace the individual's identity, status or specific activities.

A privacy framework is intended to help organizations define their safeguarding requirements related to PII, and aid in the implementation of systems that handle and protect personal data.

Organizations should minimize the collection, use, retention and disclosure of PII to what is strictly necessary to accomplish their business mission and goals.