Long time lurker, first time poster.
I'm trying to get to grips with GDPR, and one of my first steps is to identify the various types of data we hold on our customers / users.
As part of our service offering, we hold images of a user's handwritten signature, and we also allow them have avatars. Some users will use a photograph as their avatar.
I think we should consider the signature images as PII, and also the avatars
What do people think? Is there any guidance on this?
Article 29 WP 136, 01248/07EN, Opinion 4/2007 on the Concept of Personal Data mentions signatures on page 8:
"Special reference should be made here to biometric data. These data may be defined as biological properties, physiological characteristics, living traits or repeatable actions where those features and/or actions are both unique to that individual and measurable, even if the patterns used in practice to technically measure them involve a certain degree of probability. Typical examples of such biometric data are provided by fingerprints, retinal patterns, facial structure, voices, but also hand geometry, vein patterns or even some deeply ingrained skill or other behavioural characteristic (such as handwritten signature, keystrokes, particular way to walk or to speak, etc...)"
I would agree. Yes, signatures are PII.
I would not think you would get much pushback on the signature being PII, but I could see some on the avatar. My avatar on ISC2 would not be considered PII in its current state; however, if the potential is there for me to make it my own photo, then it would be considered PII.
So you may have to frame it this way: "Since the option is there to add a photo of oneself, it has the potential to be PII, and as such we must protect the potentiality of the avatar being PII, or remove the ability to attach a photo or other uniquely identifying thing."
Apologies in advance for the culled text.
A photo would almost certainly count as personal data. I would say (IANAL) that an avatar, if used consistently and by a natural person residing in the EU, would also be considered Personal Data (PD) under the GDPR, as if you started processing it, it would identify that natural person as an 'Online Identifier'. If you were processing them, then I'd say they would come under 'other identifiers'.
Hopefully, these are useful:
The GDPR applies to ‘personal data’ meaning any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier, reflecting changes in technology and the way organisations collect information about people.
The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
Personal data that has been pseudonymised – eg key-coded – can fall within the scope of the GDPR depending on how difficult it is to attribute the pseudonym to a particular individual.
'Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.'
As the replies above indicate, both signature images and avatars are considered PII.
Further, photographs in avatars are Sensitive PII, since they can reveal a person's race or ethnic origin.
So are the handwritten signature images if used in the context of financial services.
Yes... Do not implement the GDPR requirements alone. Seek help. Seek views, e.g. Legal, DPO, peers, Supervisory Authority(s). This is a team effort to create a greater trust ecosystem.
Anything which permits UNIQUELY identifying an individual is personal data. So a handwritten signature? Definitely yes, it is Personal Data. What about an avatar? It depends: if it UNIQUELY identifies an individual, then yes as well. If it is an avatar which is used by multiple people (e.g. a Mickey Mouse avatar), then no. As simple as that 🙂 Then, be careful, as the Personally Identifiable Information (PII) definition is very different from the Personal Data definition in the EU GDPR. Personal Data and PII ARE NOT INTERCHANGEABLE, as their definitions are different!!! For example, an IP address (and sometimes even a cookie!!) is considered Personal Data within the GDPR, but won't be considered PII under USA laws. The GDPR definition of Personal Data is far wider than that used in the USA for PII. BE AWARE of this difference! This is a CISSP, CIPP/E verified answer 🙂
Just a small note of caution on one piece of that advice.
As well as "Is the avatar in any way unique?" and "Does it contain a unique timestamp or any metadata?", you do need to factor in aggregation with personal data. I'd consider 'used by multiple people' as too low a bar; here's why.
The fact that you use a Mickey Mouse avatar used by two million people on a forum in which there were one hundred thousand users might not be considered personal data, but if you used that avatar on a forum in which only another thousand did, it would in combination clearly become personal data, especially if it was used for profiling. It's for this ability to work backward that hashes and encrypted/pseudonymized personal data are still considered personal data, whereas truly anonymized personal data is not. Just storing a hash that was taken from the avatar in a relational database means that you can crawl the web looking for reuse of that avatar by other usernames and narrow down who you continue to market to.
I once heard Phil Zimmermann say*, about a question on complexity from a heckler who felt that governments were not competent enough, "I'm pretty sure they have computers..." Now everyone has as much computer capacity as they can afford, or steal...
*InfoSec Europe 2009 (or was it 2010?) if anyone is interested.