- What personal information a company collects from customers and other members of the public;
- How it collects such personal information;
- How it stores and protects the information;
- How it uses the information;
- How it may distribute such information; and
- How its customers may access the information collected about them and what choices they have to review, edit/correct, and perhaps delete such information.
In practice, privacy policies are typically published on company websites, usually via a hyperlink at the bottom of the web page. Although they are posted online, privacy policies can also disclose practices regarding personal information that is collected offline, such as through hard-copy documents or audio and video recordings.
What is Personally Identifiable Information?
Personal information is often referred to as “Personally Identifiable Information”, or PII. According to a 2010 report from the U.S. Department of Commerce’s National Institute of Standards and Technology, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)” (NIST Special Publication 800-122), PII is “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.” The NIST report also notes that facial photographs, telephone numbers, e-mail addresses, Internet Protocol (IP) or Media Access Control (MAC) addresses, and other static identifiers that consistently link to a particular person or to a small, well-defined group of people are also considered to be PII. Although the definition is written in terms of information “maintained by an agency” (the report is addressed to federal agencies), it is widely used as a working definition of PII in the private sector as well.
How to Know What to Say and What to Do?
Drafting a privacy policy typically involves, at a minimum, legal counsel, IT and website managers (whether in-house or outside), human resources, sales and accounting, as well as C-suite input. Determining what personal, financial, or medical information is collected, how and where it is collected, how and where it is stored and secured, who has access to it, and how it is used typically requires contributions from a variety of knowledge sources; no single department has the full picture.
Is it a DIY Project?
So Why Not Just Copy and Paste?