
We're looking at implementing an Identity Management/Lifecycle system. We're looking at aggregating all our authentication into this system. However, one area of concern is same-name employees, so we are implementing an employee number and badge number to differentiate employees and authenticate them appropriately.

It is believed that these numbers are PII, thus storing them for cross-reference in any other system will cause that system to fall under PII regulations.

Are employee or badge numbers considered PII?

Edit for clarification: This is mainly related to DOE O 206.1 Privacy Directive—and not GDPR. However, this is slightly more general as I had similar arguments in the past.

The issue I'm facing—somewhat exaggerated—is that everyone I know thinks anything to do with anyone is considered PII. Thus every system needs to be regulated.

Nathan Goings
  • It depends on what regulations you are subject to - can you explain what those might be? For GDPR, the answer is plainly 'yes' – schroeder Jul 10 '18 at 17:08
  • Not plainly. They are not attributes owned by the human, merely non-descriptive numbers owned by the company. A company is not a government and company ids are not government ids. The company can retain a record that ID X was assigned to a human from 2018-2020 after the employee leaves. – Jonah Benton Jul 10 '18 at 21:26
  • I've commented this three times now and it hasn't shown up... "Surprisingly, this is unrelated to GDPR" The closest thing that applies to this situation is DOE O 206.1 Privacy Directive. – Nathan Goings Jul 11 '18 at 04:15
  • @JonahBenton GDPR explicitly says that employee IDs are PII and badges, if tied to human activity, are also, explicitly, PII. – schroeder Jul 11 '18 at 08:23
  • @NathanGoings this might be either too general ("what regulations deem employee IDs PII?" or way too specific ("what does DOE O 206.1 Privacy Directive say about PII?"). If one framework says that they are, is that enough for you? Or do you want the one framework to also be mapped to the DOE O 206.1 Privacy Directive? – schroeder Jul 11 '18 at 08:34

4 Answers


Under GDPR or NIST definitions this would count as Personally Identifiable Information (PII). Anything that can be used to identify a person uniquely (by itself or in conjunction with other information) is considered PII.

Egret

According to the reference below (from the Department of the Navy CIO), badge numbers are "non-sensitive PII." On the other hand, things like name, mother's maiden name, SSN, etc. are "sensitive PII."

Presumably, employee number would also be considered "non-sensitive PII."

So, according to this reference, employee and badge numbers are "non-sensitive PII."

http://www.doncio.navy.mil/ContentView.aspx?id=2428

hft

If this is about GDPR PII, with all respect, GDPR is a legal regime, so on these topics you have a responsibility to inform and heed the advice of your counsel, and no one else, especially randos at Stack Overflow.

That said, two points: my IANAL conversations indicate that these sorts of numbers are NOT PII in the GDPR sense, for a few reasons; but more importantly, while it is wise to consolidate identity information, this should not necessarily be seen as a strategy for descoping systems for GDPR, the way that one might for PCI. GDPR data doesn't "bleed" the way PANs do. It's much more of an MDM (master data management) kind of problem.

GDPR grants rights to individuals that apply WHEREVER data about them or owned by them may reside. It doesn't have to be in a table with foreign keys into a User table with first and last name fields. ANY data ANYWHERE that you would not have had possession of, had you never had this person as an employee, is potentially in scope.

That said, employer-employee relationships are generally more straightforward under GDPR because there already are data lifecycles around employee onboarding and departure, and employment contracts typically have language around data like photographs and medical data, and there are already HR rules around "processing" for events like promotions and raises and assignments and so forth. GDPR is more relevant and urgent for your human customer data.

Back to the badge/employee id problem. There might be language specific to these kinds of ids in GDPR legislation; I don't remember offhand, but generally speaking, those IDs are not attributes owned by the human to whom they are assigned. They merely identify that human in the context of your company, and they would cease to do so after that human left your employ. So, top level, not PII.

You can retain the fact that they were assigned to a human after the human leaves, and even if you happen to delete all the attributes that are custody of the human, you can still keep a record that those IDs were once assigned to a human. Whether you are able to retain the human's name following their departure and following a subject delete request, my recollection is that there are circumstances in which you must still retain that data for some period of time, but not the details, which doesn't matter because I am just a rando on SO and not your counsel. Cheers!

Jonah Benton
  • I may have asked this question at a bad time, as GDPR doesn't quite apply. Although, it will apply to me in the future so I'm not devaluing any information I garner. – Nathan Goings Jul 11 '18 at 04:17
  • GDPR is *regulatory* not *legal*. Your interpretation of employee IDs is incorrect. And your excusing employee PII processing under "legitimate interests" does not negate the rights and protections of the Data Subject over their PII. In short, you do not appear to understand GDPR at all. – schroeder Jul 11 '18 at 08:25
  • Another answer helpfully pointed out that those sorts of numbers are "non-sensitive" PII. The custody and lifecycle dynamics are quite different- in my opinion. I clearly state IANAL. Is this account ^^ backed by a lawyer? In fact, it looks it is a moderator. My advice: consider choosing words like "correct" more carefully. Also my advice: I would not go to bat on a distinction between "regulation" and "law." GDPR very well has force of law, though in statutory terms and practice, much left to be decided. In any event, cheers and best wishes. – Jonah Benton Jul 12 '18 at 04:15
  • You do not have to be a lawyer to get the details correct on a published document. – schroeder Jul 12 '18 at 23:24

You may assess this by yourself by answering the questions below:

  1. Do any country/region-specific regulations affect you? (GDPR/USA Privacy Law/etc.)
  2. Are you using the employee number as the username to log in to any systems in your organization (I've seen this is common in many organizations)?

If the answer to either one of these is 'Yes', the employee number is definitely PII.

Sayan