CISSP PRACTICE QUESTIONS – 20190926

Effective CISSP Questions

Your company is studying the preferences of consumers. The marketing department designed an anonymous survey and put it on the official web site for visitors to fill out. However, the head of the marketing department demands that the survey collect the city of the visitor for regional analysis. Taking the privacy issue into account, which of the following privacy principles should be followed?
A. Reasonable expectation of privacy
B. Defense in depth
C. Consent and choice
D. None of the above

Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.

My suggested answer is D. None of the above.

Privacy Principles

Personally Identifiable Information (PII)

According to ISO 29100, PII is any information that
(a) can be used to identify the PII principal to whom such information relates, or
(b) is or might be directly or indirectly linked to a PII principal.

Information can be considered to be PII in at least the following instances:

  • if it contains or is associated with an identifier which refers to a natural person (e.g., a social security number);
  • if it contains or is associated with an identifier which can be related to a natural person (e.g., a passport number, an account number);
  • if it contains or is associated with an identifier which can be used to establish a communication with an identified natural person (e.g., a precise geographical location, a telephone number); or
  • if it contains a reference which links the data to any of the identifiers above.

Source: ISO 29100

Collecting only the “City” doesn’t involve privacy or PII, as the data doesn’t refer or relate to the principal and can’t be used to establish a communication with the principal, so no privacy principles will be followed.
