Privacy pros continue to exchange ideas, resources and a wealth of knowledge on the IAPP Privacy List. Last month’s questions included such topics as e-mail addresses as personally identifiable information, government access to data and full-disk encryption.
One professional recently asked, for example, about a U.S. government request for employee data.
“We are being asked to provide our employees’ personal data to the Department of Homeland Security in order to participate in a federal contract,” he said, noting the request includes some biometric data. “Does anyone have experience with this or a similar process you would like to share?”
A peer working for the federal government answered that such a request is “standard practice on all government contracts now,” based on Homeland Security Presidential Directive 12.
“It is a mandated security control for anyone accessing federal information systems other than public sites,” he said, adding that every form requesting personal data should have a statement on it outlining purposes and use for data collection.
Another list subscriber recently asked whether an e-mail address is considered personally identifiable information according to European law.
“Nowhere can I find it stated that e-mail addresses, by themselves, are or are not personal data,” said the subscriber. “Does anyone know of a resource or documentation that covers this that I’ve missed? Is there case law or other opinions that speak to this?”
The question prompted a multitude of responses. One professional opined that a personal e-mail address would be considered personal information because it could easily be matched with other data to determine identity, or could contain an actual name as part of the address.
Another privacy pro noted that European regulators would argue that you don’t have to identify someone “in the real world” to process personal data; a profile based on Web activity could be established and tied to an e-mail address, effectively identifying a person and, therefore, falling under the European directive rules.
A government employee opined that an e-mail address containing a person’s name within it is not PII because names are publicly available in phone books, on driver’s licenses and on federal mail.
But a European subscriber weighed in, saying that names are personal data “even if we are forced to provide them on our driver’s license, passports and other documents. Lists of Second World War prisoners were lists of names.”
Another contributed a link to a recent decision by the Spanish Data Protection Authority that an e-mail address can be considered personal data.
A U.S.-based lawyer weighed in that under the U.S. Children’s Online Privacy Protection Act, an e-mail address is listed as personal information. The same is true under most companies’ privacy policies, given that an e-mail address could be used to directly contact the individual and “not necessarily because the e-mail address is legally defined as personal information.”
Meanwhile, another member inquired about the technologies that companies are using to implement full-disk encryption on work computers. She was advised by a respondent to select a product that can do both full-disk and “container” encryption and to select one that is compatible with the suite of technologies already employed by the majority of the company.
The Privacy List is a free service for IAPP members only.