Do you know what types of personal information your company collects?  

Sure. We get names, addresses, and email addresses from users who sign up for emails from our website, and credit card information from customers who buy things. That’s it.

Are you sure? There’s a good chance that you collect more personal information than you think, including personal information from the following sources:

  • Employees – Nearly all employers collect names, home addresses/phone numbers, and SSNs from employees. Often, employers will also collect credit card information from employees in order to pay for travel or other company-related expenses that will be subject to later reimbursement. Other information commonly collected from employees includes bank account information (for direct deposit of paychecks) and health insurance information.
  • Prospective customers – Many companies collect personal information from website visitors and from promotions in stores, malls, and other in-person contacts.
  • Job applicants – Nearly all companies collect at least some personal information from job applicants, including name, home contact information, SSNs, and other personal information.
  • Vendors (especially freelancers, independent consultants, and other small business owners) – Many companies collect personal information from vendors for payment and tax purposes, including name, contact information, SSN, and/or bank account information.

I thought I only needed to worry about customer information.

No. The Massachusetts rules apply to any entity that collects the personal information of Massachusetts residents. While a few of the other types of state statutes we talked about in our intro post specifically refer to “customer” or “consumer” information, the majority of the statutes cover the personal information of any state resident. Because of this, it’s absolutely critical for you to make sure you know all the different types of information you collect, and the sources of that information. If you don’t know what your organization is collecting, you won’t be able to make sure you have the necessary controls, policies, and procedures in place to adequately protect that information.

Ask some questions and review your organization’s current systems and processes to make sure you know what kinds of personal information the organization collects. Don’t forget to include Human Resources, Marketing, and other departments that are likely to collect personal information. Once you’ve identified the types of personal information the organization collects, you’ll need to figure out where that information is stored, which we’ll cover in tomorrow’s post.