4 Steps to Minimize Risk Associated with PII and Firm Sensitive Information

Minimizing the use, collection, and retention of PII (Personally Identifiable Information) involves limiting the amount of data collected and stored, as well as using data security measures to protect and store the data securely. It also involves being careful about who has access to the data, and ensuring that it is only used for the purpose it was intended for. Organizations should consider deleting or anonymizing PII after it is no longer needed, or when the data is no longer necessary to fulfill its purpose. Organizations should also create policies and procedures to ensure that all PII is used, collected, and retained responsibly.

Steps to Minimize Risk Associated with Sensitive Information

1. Conduct a Privacy Impact Assessment (PIA)

The following are some topics that are commonly addressed through the use of a PIA:

- What information is to be collected by your firm
- Why the information is being collected by your firm
- The intended use of the information
- With whom the information will be shared
- How the information will be secured

2. Remove PII Where Possible 

One way to mitigate risk is to remove the PII or firm sensitive data from your systems and networks. You should consider whether you can conduct your business without storing the PII or firm sensitive information in that system or network location. When removing data from your systems and networks, keep in mind any books and records obligations you might have with respect to this data.

3. De-Identifying Information

De-identifying information is a process of removing or obscuring information that can be used to identify an individual or group. This process is often used to protect the privacy of individuals or groups when collecting, storing, or sharing data. De-identifying information typically involves removing or replacing personal details such as name, address, contact details, and other identifying information with a unique identifier or code. Additionally, de-identifying information may involve masking or obscuring certain details to make it difficult to identify an individual. For example, a person's age may be replaced with a range of numbers such as 21-30.
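The following Python script is an added example, not code from the original post, showing the de-identification steps described above applied to a small set of records: direct identifiers (name, address, e-mail, phone) are either dropped or replaced with a keyed code, the e-mail local part is masked, and the exact age is generalized into a band such as 21-30. The sample records and the key are constructed for the demonstration; in practice the key would come from a secrets store and be kept apart from the de-identified data set, because anyone holding it can re-link codes to the original values.

```python
import hashlib
import hmac

# Constructed sample records (fictitious people) used only for this demonstration.
SAMPLE_RECORDS = [
    {"name": "Jane Doe", "address": "12 Elm St, Springfield",
     "email": "jane.doe@example.com", "phone": "555-0101",
     "age": 27, "account_balance": 1500},
    {"name": "John Roe", "address": "34 Oak Ave, Shelbyville",
     "email": "jroe@example.org", "phone": "555-0199",
     "age": 41, "account_balance": 320},
]

# Fields that on their own identify a person and must not reach the output.
DIRECT_IDENTIFIERS = ("name", "address", "email", "phone")


def pseudonym(value: str, key: bytes) -> str:
    """Replace a direct identifier with a unique code.

    A keyed HMAC (rather than a plain hash) is used so the code cannot be
    reversed by hashing guesses of common names; the same input always yields
    the same code, so records for one person still link together.
    """
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def age_band(age: int, width: int = 10) -> str:
    """Generalize an exact age into a range such as '21-30'."""
    lo = ((age - 1) // width) * width + 1
    return f"{lo}-{lo + width - 1}"


def mask_email(email: str) -> str:
    """Mask the local part of an e-mail address, keeping only the domain."""
    local, _, domain = email.partition("@")
    return f"{local[:1]}***@{domain}" if domain else "***"


def de_identify(record: dict, key: bytes) -> dict:
    """Return a copy of the record with direct identifiers removed or replaced."""
    out = {}
    for field, value in record.items():
        if field == "name":
            out["subject_id"] = pseudonym(value, key)   # unique code, not the name
        elif field == "email":
            out["email_masked"] = mask_email(value)     # domain only
        elif field == "age":
            out["age_band"] = age_band(value)           # range instead of exact age
        elif field in DIRECT_IDENTIFIERS:
            continue                                    # address, phone: dropped
        else:
            out[field] = value                          # non-identifying data kept
    return out


def contains_direct_identifier(record: dict) -> bool:
    """Post-condition check: no direct-identifier field survived de-identification."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-in-a-secrets-store"  # constructed; never hard-code in production
    for rec in SAMPLE_RECORDS:
        cleaned = de_identify(rec, key)
        assert not contains_direct_identifier(cleaned)
        print(cleaned)
```

The output still contains quasi-identifiers (the age band, the e-mail domain, the balance), which in combination can sometimes single out a person in a small population; de-identification reduces risk rather than eliminating it, and the key holder can always re-link the codes, so the result should be treated as sensitive until that residual risk has been assessed.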

4. Limit Data Sharing

You should consider how the PII or firm sensitive data is shared, identify people or systems that do not require access to the data, and consider limiting access to this data to those who need it.
