Personally Identifiable Information (PII) at Deployed
Contracts, terms of service, and policies for Deployed's products and platforms refer to "Personally Identifiable Information" (PII). This is a different categorization of data from what the EU General Data Protection Regulation (GDPR) refers to as "personal data".
What Deployed considers PII
Deployed interprets PII as information that could be used on its own to directly identify, contact, or precisely locate an individual. This includes:
- email addresses
- mailing addresses
- phone numbers
- precise locations (such as GPS coordinates - but see the note below)
- full names or usernames
What Deployed considers PII in Statements of Work
Information in the list above is often included in statements of work, particularly in time and materials contracts where resource names are required to be listed:
- named resource
- key personnel
- escalation
- governance
- supplier manager
- client manager
There is typically a requirement for additional personal information where the client requires the provider to supply information on right to work, or identification for systems and physical access. In all cases, this is classified as personal data because it is possible to identify a living individual from the combination of the name, email address and workplace.
Clients and Providers who access the Deployed platform need this information to be included in the Statement of Work in order to perform their function. Our clients confirm that processing of this information is lawful or that, when they engage staff and/or subcontractors, they included consent language when they collected that information for inclusion in the SoW.
PII risk in emails and offline document sharing
Deployed is a collaborative platform where all sharing, commenting and responses are tracked within the same secure space. All interactions are traceable against specific login and user admin.
Deployed sees a substantial, if unrealised, risk in the informal sharing of documents via email by large numbers of users, and therefore a risk to the personal data embedded in those documents.
In principle there may be some legal risk; in practice, it may not be a significant risk if the individuals concerned are unlikely to care about their email address being shared. But in the worst-case scenario, where that personal data is somehow compromised, shared with the wrong people or misused in some other way, that individual might have grounds for an ICO complaint.
Removing the need for email sharing of documents with PII should be a goal of clients and providers alike.
Exclusions
Deployed interprets PII to exclude, for example:
- pseudonymous cookie IDs
- pseudonymous advertising IDs
- IP addresses
- other pseudonymous end user identifiers
Note that data excluded from Deployed's interpretation of PII may still be considered personal data or personal information under the GDPR and other privacy legislation. This position does not affect any contract provisions or policies relating to personal data or personal information under those laws.