Personally identifiable information (PII) is personal information that can be used to identify an individual. According to the U.S. Department of Labor (DOL), PII can take either a direct or an indirect form.
Examples of direct forms of PII include the following:
- Phone number.
- Social Security number.
- Driver’s license number.
- Tax identification number.
- Email address.
Examples of indirect forms of PII are as follows:
- Birth date.
- Geographic location.
- Physical descriptors.
Any piece of information that can be used to contact or locate someone, in person or over the internet, is considered personally identifiable. A direct identifier points to one individual on its own; an indirect identifier such as a birth date or a location may not, but several of them combined often do, which is why indirect PII deserves the same protection. PII exists in many formats, including on paper, in electronic form and on other types of media.
In the words of the DOL, “The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information.”
Employers typically hold both direct and indirect PII about their employees, such as names, addresses, Social Security numbers and birth dates.
But are employers required by law to protect the PII of the people they employ? According to workforce.com, U.S. courts have ruled in opposing ways on this question.
Despite the inconsistent rulings, most courts have concluded that employers can be held liable when they fail to protect their employees' PII. Even where you are not legally required to protect your employees' PII, it is still wise to do so.
It makes sense both as a matter of business risk and as a matter of looking out for the people who work for you. Business owners and employers of all kinds should take the steps needed to keep their employees' PII confidential, safe and secure.
Recommendations made by the Society for Human Resource Management
According to SHRM, the following should be incorporated within an official PII policy:
- Identify the purpose of the PII policy.
- Explain the rules regarding the transfer of PII to approved vendors.
- Cover PII retention: how to minimize the amount of PII collected in the first place, and the rule that PII is kept only for the duration of an individual's employment, subject to any record-retention periods the law imposes.
- Mention the type of training that employees who have access to PII will undergo.
- Express how PII audits will work and how the company will ensure that the policy is upheld and enforced at all times.
- Detail the ways data breaches will be handled should they ever arise.
- Document the procedures for transmitting PII to other parties, whether internal or external, how PII may be stored on employer-approved portable devices (for example, whether encryption is required) and who may access PII and how.
- List any applicable laws, including those on federal, state, local and international levels, such as the Health Insurance Portability and Accountability Act or the Genetic Information Nondiscrimination Act, both of which are federal laws.
- Give the number of a hotline that employees can call if they believe their PII has been breached.
- Note that employees who handle PII must sign confidentiality acknowledgment forms, so that all employees can trust that those with access to their PII will keep it confidential.
- Describe the disciplinary actions that will be applied to situations in which someone has violated PII policies or procedures.
In general, adopt as many preventive measures as practical when handling your employees' PII. As always, work with a trusted legal team to ensure that your company's PII policy covers all the bases and prioritizes the protection of your employees' private information.