Manage Privacy Concerns (PII, GDPR, Privacy of Information)

Definitions:

PII: Personal Identifiable Information: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.

GDPR: General Data Protection Regulation: The law on data protection and privacy in the European Union and the European Economic Area.

About Privacy of Information

Personal Information can be any data or document that identifies a person (name, date of birth, address, etc.), or information about them (driver's licence number, training records, etc.). People have legal rights to ask how their personal information is being used, stored, and managed. They also have certain rights to demand removal/deletion of personal information from many types of files and databases. There are many regulations regarding this that may apply to you, to a business you work for, or to an organization that holds information about you.

YOU, as a user of this online software system, may be legally responsible for ensuring you abide by the regulations not only in your own jurisdiction (industry, state, province, country, continent, etc.) but also in the jurisdictions your users live in or travel to. Some regulations regarding record keeping may even contradict some privacy regulations. It is YOUR responsibility to know what you should be doing regarding information privacy.

We (the providers of the software that powers this online training system) only process data in it; we do NOT manage it. Personal Information is entered and managed by users who have the following 'roles' in this system assigned to them:

  • Registrar (mostly)
  • Manager (depending on your system settings)
  • Safety Manager (Safety Reports feature)
  • Communications (Memos feature)

So anyone with any of these roles assigned should know the Privacy of Information requirements and regulations that pertain to their use of the system.

Examples:

  • An ex-employee of your company contacts management and says they want their private information removed from your records. [This would likely be the most common case]
  • An employee fills in a Safety Report and then requests that their name not appear to anyone except the person(s) conducting the investigation.
  • A contractor hears that some of their employees' names are listed in a Memo you sent in your system and they want those names removed from future communications.
  • Your company has a policy to delete ex-employees' personal information after a certain number of years. As the Registrar or Manager, you are responsible for ensuring that is done.
  • A customer in Europe requests your company's GDPR compliance information.


The Good News

Although all this may sound ominous, most of it is actually just prep work: preparing documents that describe:

  • What information you have;
  • What you use the information for;
  • Where and how the information is stored;
  • Who is responsible for storing the info;
  • When or under what circumstances certain info is to be deleted or destroyed;
  • Who is responsible for deleting or destroying the info;
  • How the info will be deleted or destroyed, and how that will be documented.

Once you have that information together and in the hands of the right people, you have pretty much met the bulk of the Privacy of Information requirements.

IMPORTANT: There are also regulations that require an employer to retain certain employment and training records for certain lengths of time. There may be conflicts between an information removal demand and a requirement to keep the info. There are several ways to handle this, and we will review one example below:

Your company employs "John Doe". John takes many modules throughout his tenure with your company, and then moves on. Some number of months later, John reaches out to your Human Resources department and advises that he no longer wants ANY personal information held within your company database. This creates an issue, because some of the training John had received was regulatory, and records need to be kept on file for a minimum period of 10 years. What can you do?

One suggestion: In your learning center, change the name of John Doe to User1001. With that, you'll need to keep a record offline of this change in case the training record is needed at some point in the future. This way you can remain compliant with both the privacy of data and the regulations around training.
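The pseudonymization approach above, worked through as an added example (not code from the training system itself): the learner's name is replaced with a User<N> pseudonym only on records a regulation requires you to keep, other records of that learner are deleted outright, and the name-to-pseudonym mapping is returned separately so it can be stored offline with a retention date after which both it and the records can be purged. The record layout, the sample data and the 10-year period applied from the completion date are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date

RETENTION_YEARS = 10  # minimum retention period for regulatory training (assumed from the scenario)


@dataclass
class TrainingRecord:
    learner: str        # display name held in the learning center
    module: str
    completed: date
    regulatory: bool    # True when a regulation requires the record to be kept


def pseudonymize_learner(records, real_name, next_id):
    """Replace a learner's name with a pseudonym on their regulatory records.

    Non-regulatory records of that learner are dropped. Returns the kept
    records and a mapping entry that must be stored separately (offline)
    from the learning center, together with the date it may be destroyed.
    """
    pseudonym = f"User{next_id}"
    kept, retain_until = [], None
    for r in records:
        if r.learner != real_name:
            kept.append(r)
        elif r.regulatory:
            kept.append(TrainingRecord(pseudonym, r.module, r.completed, True))
            expiry = r.completed.replace(year=r.completed.year + RETENTION_YEARS)
            retain_until = max(retain_until or expiry, expiry)
        # non-regulatory records of the requesting learner are not kept
    mapping = None
    if retain_until is not None:
        mapping = {"pseudonym": pseudonym, "real_name": real_name,
                   "retain_until": retain_until}
    return kept, mapping


def purge_expired(records, mapping, today):
    """After the retention date, delete the pseudonymized records and the mapping."""
    if mapping is None or today <= mapping["retain_until"]:
        return records, mapping
    remaining = [r for r in records if r.learner != mapping["pseudonym"]]
    return remaining, None


# Constructed sample data, not taken from any real system
SAMPLE = [
    TrainingRecord("John Doe", "Dangerous Goods", date(2023, 3, 15), True),
    TrainingRecord("John Doe", "Welcome Video", date(2022, 1, 10), False),
    TrainingRecord("Jane Roe", "Dangerous Goods", date(2023, 3, 15), True),
]
```

Keep the returned mapping and the pseudonymized records in separate systems with separate access controls, since anyone holding both can re-identify the learner.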

NOTE: We (the providers of the software that powers this online training system) only process data in it; we do NOT manage it. Personal Information is entered and managed by users of the system, and will not be altered by Aerostudies.


What is GDPR?

The General Data Protection Regulation is the law on data protection and privacy in the European Union and the European Economic Area. This law imposes obligations on all companies that process personal identifiable information (PII) of individuals residing in the EU.

GDPR strengthens the individual's rights over their personal data and improves consumer confidence. It requires greater control by companies that collect PII, which must adhere to the stricter data collection rules set out by GDPR.


Aerostudies & GDPR

Aerostudies is committed to the security and protection of the personal data of our customers, our customers' employees and our partners. We are continually improving our GDPR compliance, with particular regard to Article 6 of this law.

The GDPR provides for two roles for businesses handling PII: Data Processor (a third party that processes personal data on behalf of a data controller) and Data Controller (the person who decides why and how personal data will be processed). Aerostudies can be one or the other, depending on your relationship with the company.
