Admin - Personally Identifiable Information (PII) White Paper – CareAR

Personally Identifiable Information (PII)

Personally Identifiable Information (PII), or personal data, is data that corresponds to a single person. PII might be a phone number, national ID number, email address, or any data that can be used, either on its own or with any other information, to contact, identify, or locate a person.

How PII is determined

In response to businesses collecting and storing more and more individuals’ PII (also known as personal data), individuals and regulators have been applying greater scrutiny to how businesses use and safeguard that data. As a result, various jurisdictions have passed legislation to limit the use, distribution, and accessibility of PII, while allowing companies who need it to manage the data safely.

As PII (or personal data) is a legal concept rather than a technical concept, legislation around PII varies across different jurisdictions. The GDPR in the European Union, HIPAA and PCI in the United States, state laws like CalOPPA and other data breach laws, and other regulations control what defines PII. Which data is classified as PII may also differ by use case. For instance, depending on the jurisdiction or your use case, IP addresses may or may not be considered PII.

What CareAR considers PII

CareAR interprets PII as information that could be used on its own to directly identify, contact, or precisely locate an individual. This includes the following that is collected by CareAR:

Full Names
Email Addresses
Phone numbers (at user’s discretion)
Profile Photos (at user’s discretion)
GPS coordinates (at user’s discretion)
IP Address

How CareAR manages PII

CareAR takes the management of our customers’ information seriously. We have software, configurations, processes, and guidelines for managing data internally to keep your data safe and secure.

CareAR is committed to making clear which data is managed as PII in our system to help you make sure your data is managed the right way for your jurisdictions and use cases.

PII fields

CareAR manages fields marked PII in CareAR’s documentation as though they contain PII, also known as personal information or personal data. This means that CareAR implements appropriate technical and organizational security controls as appropriate to the risk associated with that data. For example, data will not be visible to CareAR’s employees unless they are acting as a surrogate for you (e.g., debugging on your behalf) or have some other legitimate businesses need to access it.

PII Management when you leave CareAR

When you leave CareAR, following a reasonable grace period to allow you to change your mind, all PII data is anonymized or removed from CareAR’s systems where possible within 60 days.

Call logs that CareAR collects will have a data retention of 90 days. After that time, they will be automatically purged from the system. Audit logs will be kept for 180 days. These should not typically contain PII and contain data for changes to the infrastructure.

We may also retain PII in connection with detecting, preventing, and investigating spam, fraudulent activity, and network exploits and abuse, or if required to do so in connection with legal matters such as litigation, law enforcement requests, or government investigations.

Non-PII Fields

Other data which is not PII that is stored in CareAR systems may be used for counting or other operations as CareAR runs its systems. These fields generally cannot be redacted or removed.

In some instances, you might be able to control the data in these fields. You should take care not to place PII in fields that were not meant for PII. The fields which are not designated as PII fields may be visible to CareAR employees, stored long-term, and may continue to be stored after you’ve left CareAR’s platform.

If you think you need to put PII in these fields, please check with our support team to see if there’s a better way to manage your data.

Effective date: May 21st, 2021