Since the publication of recommendations by the President’s Identity Theft Task Force and the Office of Management and Budget (OMB) Memo 07-16, federal agencies are required to review their holdings of all personally identifiable information (PII) and ensure they are accurate, relevant, timely and complete. Agencies are also required to reduce PII to the minimum necessary for the proper performance of a documented agency function and eliminate unnecessary collection and use of Social Security numbers.
Performing maintenance on PII creates benefits beyond satisfying the OMB requirements. The process is an opportunity to significantly reduce privacy vulnerability, promote awareness and enhance processes, thereby reducing breach incidents. These opportunities are not exclusive to government-controlled systems. Also susceptible to privacy vulnerability are information systems owned or controlled by private-sector organizations.
Of importance is the methodology used to determine inventory and conduct maintenance. The level of scrutiny by the review team and the willingness to modify business processes by stakeholders can make a difference in the effectiveness of a “review and reduce” program. While each organization is different, the following areas of focus are essential for a thorough review aimed at reducing privacy vulnerability:
- Collection of PII not necessary for actual performance of the business process;
- Collection of the same PII more than once from a record subject or another source;
- Collection of PII at a point in time not reasonably proximate to its actual need;
- Maintaining PII longer than necessary for performance of the business process;
- Maintaining duplicate databases or files of PII where consolidation is feasible;
- Displaying PII unnecessarily on human-readable system outputs, including user-facing or customer-facing online views of a record.
Each of these areas of focus represents an effort to fulfill the Fair Information Practice Principles (FIPPs) of data minimization, use limitation and/or data quality and integrity. To help ensure cooperation and meaningful discussion towards resolution, the importance of these principles should be discussed with organization stakeholders before introducing the “review and reduce” findings.
Nuts and bolts
First, a word on the tools needed to complete a PII “review and reduce” inventory. Most prominently, Privacy Impact Assessments (PIAs) are a great resource. Although PIAs first emerged as a tool to ensure compliance, many private companies now implement PIA programs to establish privacy risk assessment into the fabric of the organization. In addition to PIAs, one may also seek information on a more granular level by interviewing system users and owners or by interacting with the system or application itself.
Because a PIA is customarily performed on a single system, it may be difficult to understand the overall effect of operations in terms of privacy risk. It may appear reasonable that a particular system compiles or maintains PII in the manner it does when it is examined in isolation. However, other hidden but avoidable risks may be revealed when a system is viewed in relation to others with which it interconnects.
The first step in this analysis is to define general business areas. Operations that depend on compiling and maintaining PII should be divided into broad business areas, which will usually correspond to organizational hierarchies already established by HR or marketing teams. It’s worth noting that an area can be supported by one standalone system or by several interconnected systems and databases.
If necessary, the business area can be subdivided into business processes. From the standpoint of compilation or use of PII, a business process usually has a beginning and an end and achieves a specific need or purpose different from other processes under the business area. For example, recruitment is a business process within an organization’s general HR business area.
The final step in organizing a top-down approach is to ensure each system that involves PII is mapped to the business process it supports. Documentation, whether in a PIA or internal system architecture mapping, can be analyzed to understand how systems within a process are sequenced or interoperate.
Once the business areas and business processes are established and mapped, the fact-gathering step begins. Standardized data sheets can be created to assist in this step, which will ordinarily be the most labor-intensive part of “review and reduce.” Such sheets guarantee commitment to principles of uniformity while retaining a special focus on those characteristics bearing on risk. A data sheet may describe one of three kinds of entities that exist in business processes:
- A collection is a natural business transaction (e.g., a paper form, web form or interview result) that assembles personal facts and is likely completed by the system user.
- A stored record is information about a record subject maintained in a system. A stored record usually manifests itself in a computer master file or a database.
- An output may be in the form of a computer-generated report of persons’ records, a printout of individual records or a computer-readable database extract comprising PII.
After the inventory has been assessed and opportunities for risk mitigation identified, formal findings should be discussed with each corresponding office. After these discussions take place, revised findings, conclusions or resolutions supported by the program can be incorporated.
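As an added illustration of the fact-gathering and assessment steps (example code written for this page, not from the original article): a small Python script that models the three data-sheet entities, groups them by business area and flags several of the areas of focus listed above. The entity kinds and areas of focus follow the article; the system names, PII field labels and retention figures are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class DataSheet:
    kind: str              # "collection", "stored record" or "output" (the three entities)
    area: str              # business area, e.g. "HR"
    process: str           # business process within the area, e.g. "recruitment"
    system: str            # system supporting the process (constructed names)
    fields: frozenset      # PII elements the entity carries (constructed labels)
    retention_days: int = 0  # stored records: how long the system keeps the record
    needed_days: int = 0     # stored records: how long the process actually needs it
    key_field: str = ""      # stored records: identifier used to distinguish subjects

def review_and_reduce(sheets):
    """Group data sheets by entity kind and flag the article's areas of focus."""
    by_kind, findings = defaultdict(list), defaultdict(list)
    for s in sheets:
        by_kind[s.kind].append(s)
    seen = defaultdict(list)  # same PII collected more than once within an area
    for s in by_kind["collection"]:
        for f in s.fields:
            seen[(s.area, f)].append(s.system)
    for (area, f), systems in seen.items():
        if len(systems) > 1:
            findings["collected more than once"].append((area, f, systems))
    stored = by_kind["stored record"]
    for i, a in enumerate(stored):  # duplicate databases/files of PII in one area
        for b in stored[i + 1:]:
            if a.area == b.area and a.system != b.system and a.fields & b.fields:
                findings["duplicate stored PII"].append((a.system, b.system, sorted(a.fields & b.fields)))
    for s in stored:
        if s.retention_days > s.needed_days:   # kept longer than the process needs
            findings["retained beyond need"].append((s.system, s.retention_days - s.needed_days))
        if s.key_field == "SSN":               # SSN used as the distinguishing identifier
            findings["SSN as identifier"].append(s.system)
    for s in by_kind["output"]:  # SSN displayed on a human-readable output
        if "SSN" in s.fields:
            findings["SSN on output"].append(s.system)
    return dict(findings)

# Constructed sample inventory for one HR business area (not real systems or data).
INVENTORY = [
    DataSheet("collection", "HR", "recruitment", "careers-portal", frozenset({"name", "SSN", "DOB"})),
    DataSheet("collection", "HR", "onboarding", "hr-intake-form", frozenset({"name", "SSN", "address"})),
    DataSheet("stored record", "HR", "recruitment", "applicant-db", frozenset({"name", "SSN", "DOB"}), 3650, 365, "SSN"),
    DataSheet("stored record", "HR", "payroll", "payroll-db", frozenset({"name", "SSN", "address"}), 2555, 2555, "employee_id"),
    DataSheet("output", "HR", "payroll", "monthly-roster.pdf", frozenset({"name", "SSN"})),
]
FINDINGS = review_and_reduce(INVENTORY)  # findings to take into the stakeholder discussion
```

Each key of the returned dictionary is one area of focus, and its list holds the systems (or system pairs) to raise with the corresponding office.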
Challenges and lessons learned
After successfully inventorying PII within an organization and identifying opportunities for data reduction, the next step is to work with stakeholders to incorporate the resolutions and risk mitigation measures. An effort to reduce PII within an organization will likely present challenges. Common issues that arise include:
Converting to a unique identifier other than SSN
Often an organization assumes that the SSN, sometimes in combination with the date of birth (DOB), is the best—or only—way to accurately distinguish an individual among all the personal records maintained in a system. This assumption increases risks associated with identity theft. It can also result in the creation of duplicate identity records in multiple corporate IT systems and inhibit identity integration across the enterprise.
Alternatives to the use of the SSN to accurately distinguish record subjects exist. Organizations should be encouraged to consider viable alternatives to the SSN such as a unique employee ID number. This ID should be unique to the individual and should be something that the individual can remember. Besides decreasing risks associated with identity theft, additional benefits include the ability to correlate identity data for the same individual across multiple systems, enable modernized access controls and provide better visibility into how identity data is used across the enterprise.
Generating awareness that duplicate collections of PII increase vulnerability
Frequently, organizations maintain duplicate files or databases of PII even where consolidation is feasible, thereby increasing privacy vulnerability. The PII inventory identifies such duplicate collections, but system owner participation is required to reduce them. Often this situation arises when different offices within an organization are unaware that the same data is being maintained in other offices, do not have access to the other collections of PII or are unwilling/unable to rely on/share PII from another point of collection.
Meeting with system owners or other stakeholders to discuss the importance of PII minimization within an organization and share duplicate collections that have been identified is a key component of a successful “review and reduce” effort.
Next steps
The reduction of PII within an organization, and the corresponding reduction of privacy risk, should be an ongoing endeavor. The final product of a “review and reduce” effort provides a solid foundation from which to assess and mitigate privacy risk. It is important, however, to continue to review the organization’s PII inventory regularly and assess progress towards the agreed upon resolutions.