Privacy Best Practices
- Think through ‘why’ you need to collect the information. What is the purpose of collecting the data? What are you trying to accomplish? Is there a legitimate business interest in collecting the data?
- Only collect the minimum amount of information that is necessary and relevant to accomplish your specific purpose.
- For example, if you only need to collect individuals’ names and email addresses, do not also collect phone numbers and mailing addresses.
- Think about who can and should have access to the data you are collecting.
- Limit access only to those that need to know the information in order to perform the specific task and accomplish the particular purpose.
- Be sure to review the access privileges regularly, and remove anyone that no longer needs access to the data.
- Be upfront and open with people about why you are collecting the information and how you intend to use it.
- Do not use the collected information for a purpose or task other than the intended purpose you told people when you originally collected it.
- Think about whether you might need to get consent to collect, use, and share the information that you are trying to gather.
- There may be a law or regulation that requires you to get consent (e.g. HIPAA, FERPA, GDPR, COPPA, IRB-reviewed research projects, etc.).
- Even if there is no legal requirement to obtain consent, think about whether it would be the courteous thing to do. What would be the ethical decision? What would be the public perception?
- Consent Form:
- If you decide that consent is needed in order to proceed with collecting the data, provide the individual(s) with a short, clearly written statement that includes all of the relevant information that person needs to make an educated decision and give informed consent for you to collect, use, and share their PII.
- The statement should include:
- your reason for collecting the PII; and
- all intended uses of the PII; and
- where the PII will be stored and what tools/services will be used to process it (e.g. the kind of Institute-approved collection and storage platforms); and
- a general statement explaining who will have access to the information collected; and
- the retention/deletion timeframe of all PII collected.
- At the end of the consent form, after you have provided all of the relevant information about the purpose for collecting the data, be sure to include a statement or acknowledgement of consent.
- The acknowledgement should require the individual to take action; either by checking a box or signing on a signature line. It CANNOT be something that is pre-checked or pre-signed.
- *See the Consent Form Template for an example.
- Individuals should also be able to revoke their consent to use their PII at any time and have their PII deleted or removed.
- Be sure to provide instructions (with contact information that will remain current for the duration of the project and retention period) explaining how individuals can revoke their consent.
Anonymized or de-identified Use
- Sometimes the specific purpose can be accomplished with an anonymized or de-identified set of data, meaning one that does not identify a specific individual. An aggregated set of data (counts or totals over a group, rather than one row per person) is the most common form.
- Think about whether you need to use specific identifiable data that can be pointed to a specific individual, or whether data that is grouped together can still accomplish the same purpose. The less specific and individually targeted, the better in terms of safe privacy practices.
- *Keep in mind that if the sample size of data is small enough, even anonymized or de-identified data might still be able to point to or identify a specific person.
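The small-sample caveat above (and the matching note under the Anonymized Data definition below) is easy to get wrong in practice, so here is an added example, not part of the original page, that aggregates a constructed class roster and then suppresses any group too small to hide its members. The roster, the majors, and the threshold K_MIN are all assumed values for illustration.

```python
from collections import Counter, defaultdict

# Assumed release threshold: a group with fewer than K_MIN people is withheld.
K_MIN = 5

# Constructed sample records: (GTID, major, grade). Not real students.
RECORDS = [
    ("903000001", "CS", "A"), ("903000002", "CS", "B"),
    ("903000003", "CS", "A"), ("903000004", "CS", "C"),
    ("903000005", "CS", "A"), ("903000006", "ME", "B"),
    ("903000007", "ME", "A"), ("903000008", "ME", "B"),
    ("903000009", "ME", "C"), ("903000010", "ME", "A"),
    ("903000011", "MATH", "B"),  # the only MATH student in the class
]


def aggregate_by_major(records):
    """Drop the GTID column and count grades per major.

    Returns {major: {grade: count}}. This is the naive "aggregate" table
    that is often assumed to be anonymized simply because no identifier
    column survives.
    """
    table = defaultdict(Counter)
    for _gtid, major, grade in records:
        table[major][grade] += 1
    return {major: dict(counts) for major, counts in table.items()}


def small_groups(table, k=K_MIN):
    """Return the majors whose total count is below k.

    Anyone who knows the roster (classmates, the instructor, an advisor)
    can match a group this small to a specific person, so its cells are
    not anonymized even though no name or GTID appears in them.
    """
    return sorted(m for m, grades in table.items() if sum(grades.values()) < k)


def release_table(records, k=K_MIN):
    """Aggregate, then suppress every group smaller than k.

    Suppressed groups are replaced by an explicit marker rather than
    silently dropped, so readers of the table know data was withheld.
    """
    table = aggregate_by_major(records)
    released = {}
    for major, grades in table.items():
        if sum(grades.values()) < k:
            released[major] = "<suppressed: fewer than %d records>" % k
        else:
            released[major] = grades
    return released


if __name__ == "__main__":
    raw = aggregate_by_major(RECORDS)
    print("naive aggregate:", raw)
    print("re-identifiable groups:", small_groups(raw))
    print("safe to release:", release_table(RECORDS))
```

In the constructed data the MATH row reads `{"B": 1}`, which tells anyone who knows the one MATH student in the class exactly what grade that person received; `release_table` withholds it. Suppression alone is not enough if a column or overall total is also published, since the withheld cell can be recovered by subtraction, so check the totals you release against the cells you suppress.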
Institute Approved Storage or Platforms
- Some software or platforms are more secure than others and therefore better equipped to protect the data that you are collecting.
- Consider keeping data in a centralized, managed space that supports secure sharing, instead of creating multiple copies of the data and sharing it out in an insecure way. Keeping the data all in one secure place also helps with data management, inventory, and review of who has access.
- Platforms that have been approved by OIT have been reviewed from a security perspective, and they also have a contract in place with the Institute that offers additional protections in the event there is any kind of incident or breach of data.
- Utilize OIT’s Knowledge Articles to help determine whether a software or platform has been approved and what level of security it offers to protect information.
Retention and Deletion
- Think about how long you need to hold onto the information that you collect (including any consent forms).
- There may be legal requirements, USG policies, or campus policies that dictate how long you need to keep the information. Georgia Tech also has an Institute Records Manager who can assist with records retention requirements.
- However, if there are no formal requirements for how long the data needs to be retained, then review your files regularly and delete the information as soon as the purpose has been accomplished or completed. Do not hold onto information for longer than is needed.
- Remember that if you have information, there is always a risk that it can be breached. If you do not have any data, then that risk goes away.
Anonymized Data
- Data that can no longer be associated with an individual in any manner.
- This means that the data has been stripped of all personal identifiers, and those data elements can never be re-associated with the data or the individual.
- Aggregate data is an example of data that has been anonymized.
- *Note- Just because all personal identifiers have been removed from the data, that doesn’t always mean that the data has been anonymized. If the sample size is small enough that the information can be traced back to a specific individual, then the data is not anonymized.
Confidential Information
- Confidential information does not have to be anonymized or de-identified.
- Confidentiality simply means that the information will not be shared or provided to others, outside of those that are authorized and need to know, without express permission from the individual who provided the information.
De-identified Data
- Data that has had PII removed in order to protect personal privacy.
- Unlike anonymized data, de-identified data may be able to be re-associated with an individual at a later time.
Personally Identifiable Information (“PII”)
- PII is any information about an individual, including any information that can be used to distinguish or trace an individual’s identity.
- Examples include name, social security number, date of birth, place of birth, mother’s maiden name, or biometric records.
- PII also includes any other information that is linkable to an individual.
- This can include medical, educational, financial and employment information.
- Other examples of PII can include: photo/image that includes an individual’s face or other identifying characteristics, email address, physical street address, GTID, and personal phone number.
Sensitive PII
- This is a University System of Georgia defined term.
- It is a subset of PII that if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
- Examples include Social Security Number or alien number (A-number).
- Sensitive PII requires stricter handling guidelines because of the risk of increased harm to the individual if the information is compromised.
*For additional defined privacy terms, the International Association of Privacy Professionals (“IAPP”) has a free glossary that is available to the public.
Frequently Asked Questions
*These FAQs are not an exhaustive list, nor do they pose the only correct answer or solution to a problem. They are simply suggestions of how to handle common scenarios when looking through a privacy lens.
Q: What is an example of accidental or intentional misuse or improper disclosure or exposure of PII data?
A: PII data can be disclosed to an unauthorized individual intentionally or unintentionally. For example, an unintentional disclosure might be an email sent to the wrong individual(s) with a spreadsheet attached that contains PII related to students or employees. Conversely, an intentional disclosure might come from a bad actor looking to hack a Georgia Tech system, or from someone within Georgia Tech who snoops on or accesses PII data that they have no legitimate business need to see.
Q: What does it mean to identify the population of Data Subjects whose PII is being Processed, the Processing activities, and the purpose for the Processing?
A: Let’s look at a common scenario to help understand this language. For example, a faculty member would like to use a third-party software program for their class to help students submit and manage assignments.
• First, the faculty member needs to identify the population of Data Subjects whose data will be Processed. In this scenario, it will be students in the faculty member’s classes. It is student information that will be used and Processed within the tool.
• Then, the faculty member will need to identify specifically what PII data will be processed. This is the information that will be uploaded into the tool. In this scenario, it might be student first and last name, GTID, email, and potentially student assignments and coursework.
• Lastly, the Processing activity of uploading student coursework and managing assignments should also have a legitimate purpose. In this instance, it might be that this software is made to manage and assess assignments specific to this particular course, and utilizing the software will help streamline and enhance the educational course experience.
Q: What does it mean to articulate who has access to PII that is being Processed?
A: Utilizing the same scenario as the question above, the faculty member needs to determine who will have access to the data. Will just the individual student and faculty member be able to see the information? Or, will the entire class of students be able to access the data? Additionally, will the third-party vendor be able to access the data? Is there a way to put protections around some data, while allowing access to other data elements?
Q: What does the principle of Data Minimization look like in practice?
A: Sticking with the same scenario, the faculty member should consider what PII is necessary in order to utilize the software and accomplish the specific purpose. Implementing the principle of data minimization means that the faculty member uses the PII that is needed to operate and educate but nothing more. So, if the software requires student name, email, and GTID in order to login, the faculty member should not also collect additional information such as phone number, address, or date of birth. The faculty member should only Process the minimum amount of information necessary to accomplish the purpose.
Q: What does it mean to De-identify data?
A: To De-identify data means to strip the PII of all identifying elements so that a specific individual cannot be identified by looking at the data set. Sticking with the same classroom scenario, the faculty member should consider if there are ways to minimize the Processing of PII. Does the software allow the data to be de-identified? Can course submissions and assignments be anonymized so that others cannot identify who submitted what assignments or answers?
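The minimization and de-identification answers above, and the distinction under the definitions between de-identified data (re-associable later) and anonymized data (never re-associable), can be made concrete in code. The following is an added example, not code from the original page or from any Georgia Tech tool: it trims a constructed roster to the fields the hypothetical assignment tool needs, replaces the GTID with a keyed token, keeps the linkage table separate, and shows why an unkeyed hash of a low-entropy identifier is not de-identification. The roster, the field names, the project key, and the 9-digit GTID format are all assumptions for illustration.

```python
import hashlib
import hmac

# Assumed: a per-project secret stored apart from the data set (for example
# in an Institute-approved secret store). Constructed for this example only.
PROJECT_KEY = b"constructed-example-key-do-not-reuse"

# Constructed roster; these are not real people.
ROSTER = [
    {"name": "Ada Example", "gtid": "903000001", "email": "ada@example.edu",
     "phone": "404-555-0101", "dob": "2001-01-01", "score": 91},
    {"name": "Bob Example", "gtid": "903000002", "email": "bob@example.edu",
     "phone": "404-555-0102", "dob": "2000-02-02", "score": 78},
]

# Fields the hypothetical tool needs for login (per the FAQ scenario) plus
# the coursework payload. Phone and date of birth are never collected.
LOGIN_FIELDS = ("name", "gtid", "email")
PAYLOAD_FIELDS = ("score",)


def minimize(record):
    """Data minimization: keep only the fields the purpose requires."""
    return {k: record[k] for k in LOGIN_FIELDS + PAYLOAD_FIELDS}


def pseudonym(gtid, key=PROJECT_KEY):
    """Keyed token standing in for the GTID (HMAC-SHA256, truncated to 64 bits).

    Anyone holding the key (or the linkage table) can re-associate it, so
    the output is de-identified, not anonymized.
    """
    return hmac.new(key, gtid.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key=PROJECT_KEY):
    """Replace direct identifiers with a keyed token.

    Returns (rows, linkage). The linkage table maps token -> GTID and must
    be stored separately from the rows, under stricter access, because it
    is what makes re-association possible.
    """
    rows, linkage = [], {}
    for r in records:
        token = pseudonym(r["gtid"], key)
        linkage[token] = r["gtid"]
        rows.append({"subject": token,
                     **{k: v for k, v in r.items() if k not in LOGIN_FIELDS}})
    return rows, linkage


def reidentify(row, linkage):
    """Re-association: possible only for whoever holds the linkage table."""
    return linkage.get(row["subject"])


def unkeyed_token(gtid):
    """What NOT to do: a plain hash of a low-entropy identifier."""
    return hashlib.sha256(gtid.encode()).hexdigest()[:16]


def guess_gtid(token, first=903000000, last=903000100):
    """Why unkeyed_token is not de-identification: an assumed 9-digit GTID
    space is cheap to enumerate, so an attacker simply hashes candidates
    until one matches. The range here is narrowed only to keep the demo fast.
    """
    for n in range(first, last + 1):
        candidate = str(n)
        if unkeyed_token(candidate) == token:
            return candidate
    return None


if __name__ == "__main__":
    rows, linkage = deidentify([minimize(r) for r in ROSTER])
    print("de-identified rows:", rows)
    print("re-associated:", reidentify(rows[0], linkage))
    print("unkeyed hash recovered:", guess_gtid(unkeyed_token("903000002")))
```

The rows that go into the tool carry only a token and the score; the linkage table is the thing to protect, and deleting it (and the key) at the end of the retention period is what turns de-identified data into anonymized data. Note that the small-group caveat from the anonymization section still applies to the scores themselves: a token does not help if only one student could have scored 91.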
IRB Human Subjects Research
If you are conducting Human Subjects Research (HSR), review and approval by Georgia Tech’s Institutional Review Board (IRB) is required.
- The IRB is a panel that is required by federal law to review and approve research projects that involve human beings as research subjects.
- The IRB must ensure the research is safe and accounts for the rights and wellbeing of the human beings being studied.
- The IRB is made up of Georgia Tech faculty and administrators as well as representatives from the greater Atlanta community.
- Information on Georgia Tech’s IRBs can be found at https://oria.gatech.edu/irb
How do I know if my data collection qualifies as HSR that would require IRB approval?
- Use the IRB Submission Decision Tree to help you make your determination https://oria.gatech.edu/institutional-review-boards-submitting-protocol/submission-decision-tree
- Or, contact the Office of Research Integrity Assurance at firstname.lastname@example.org.
- If your research needs IRB approval, know that there will likely be additional research-specific consent requirements and additional document retention requirements.