I was reading a new article posted by my esteemed colleague and fellow Iowan Rebecca Herold. What really triggered my mind into writing about this topic was Rebecca's use of the words "de-identified data", a phrase similar to something else I've been pondering for quite a while now.
Here's the problem - too many people have too much information about you, stored in or on who-knows-what, and who-knows-where.
The risks of having your identity stolen and used are astronomical when you factor in all the little leaks springing up all over the... world. All it requires is someone on the receiving end putting it all together.
In my illustration below, I've listed some places where your PII could currently reside, such as current and former places where you've done business, gone to school, made financial transactions, applied for something, or worked... the list is vast.
The data I'm talking about here is Personally Identifiable Information, or PII. PII is defined as a combination of data that can positively identify you, such as full name, address and driver's license number or passport number, or SSN, etc.
Also keep in mind that this isn't about having someone's public information alone, such as name, address, and perhaps phone number. I wouldn't have any problem with entities keeping my public information for verification purposes.
What are some other places you can think of that involve recording your PII? Ever get a traffic ticket? How many national databases do you think that information gets posted to? Remember that I-9 form you have to fill out, providing your SS card and driver's license? How many different places is that still floating around?
I'd like to propose something concerning PII. Once we are done with our business together, I would like to see the following happen to any PII you may have required of me in the past:
Perform a data cleanup and purge:
- Remove all of my PII from all of your live records.
- Remove all of my PII from any backed up records and/or records stored off-site.
- You can keep any data required for verification purposes, record retention laws, etc., as long as it does not contain PII.
Now sure, a company might have some sort of data retention policy, and there are some laws and rules out there concerning PII, breach notifications (this is a joke - you should always monitor your credit usage), and record retention.
There really needs to be some policy or legislation on "PII data cleanup" when the relationship between you and an entity is terminated - as in never coming back - where records need to be combed or filtered for any PII, leaving only public information available if necessary.
PII is me - it's my personal information. It needs to come with me whenever I leave, and not sit around waiting for someone else to stumble upon it. The fewer instances of our PII floating around out there, the better our chances against identity theft and other misuse of that information.