The term privacy has many definitions, but for our purposes, privacy will mean the ability to control information about oneself. Our ability to maintain our privacy has eroded substantially in the past decades, due to information systems.
Personally Identifiable Information
Information about a person that can be used to uniquely establish that person’s identify is called personally identifiable information, or PII. This is a broad category that includes information such as:
- social security number;
- date of birth;
- place of birth;
- mother‘s maiden name;
- biometric records (fingerprint, face, etc.);
- medical records;
- educational records;
- financial information; and
- employment information.
Organizations that collect PII are responsible to protect it. The Department of Commerce recommends that “organizations minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission.” They go on to state that “the likelihood of harm caused by a breach involving PII is greatly reduced if an organization minimizes the amount of PII it uses, collects, and stores.” Organizations that do not protect PII can face penalties, lawsuits, and loss of business. In the US, most states now have laws in place requiring organizations that have had security breaches related to PII to notify potential victims, as does the European Union.
While the privacy laws in the US seek to balance consumer protection with promoting commerce, in the European Union privacy is considered a fundamental right that outweighs the interests of commerce. This has led to much stricter privacy protection in the EU, but also makes commerce more difficult between the US and the EU.