Many businesses receive correspondence, for example from customers or vendors, that may contain sensitive data such as confidential financial information. This correspondence may be stored in computer data files. For example, the stored correspondence may include emails that are stored in email archives or other storage. The stored correspondence may also include documents scanned into a computer system and stored as text or other data files. Sensitive and confidential information, such as personally identifiable information (PII), is often stored in business computer data files.
PII is information which might be used to uniquely identify, contact, or locate a single person, either alone or in combination with some other information, or from which identifiable information can be derived. PII includes such information as name; national identification number; telephone number; street address; email address; IP address; vehicle registration number; driver's license number; biometrics; financial profiles; credit card numbers; and digital identity.
A number of laws have been enacted in the last several years to protect confidential information of individuals, such as PII. For instance, Canada has enacted the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA). Legal frameworks in the European Union to protect privacy include Article 8 of the European Convention on Human Rights; Directive 95/46/EC (Data Protection Directive); and Directive 2002/58/EC (the E-Privacy Directive). Additional information on efforts to protect privacy in the European Union can be found at the website <http://ec.europa.eu/justice_home/fsj/privacy/index_en.htm>. Individual European countries also have enacted privacy protection, for example the UK Data Protection Act of 1998; the Irish Data Protection Acts of 1998 and 2003; and the UK Regulation of Investigatory Powers Act of 2000.
Both the United States and individual states have similarly enacted laws to protect sensitive and confidential information, including PII. The Constitution of the State of California includes a right to privacy in Article 1, Section 1. California also passed the Online Privacy Protection Act (OPPA) of 2003, which requires all owners of commercial websites or online services that collect personal information from California residents to conspicuously post their privacy policies on their websites and comply with those posted policies; disclose in the privacy policies the types of PII collected and identify, generally, any third parties with whom that information might be shared, and under what circumstances; provide a description of the process (if one exists) by which a visitor can request changes to any of that information; describe the process by which the operator of a website notifies users of changes to that privacy policy; and identify the effective date of the privacy policy.
Federal laws in the United States to protect PII include the Privacy Act of 2005; the Information Protection and Security Act; the Identity Theft Prevention Act of 2005; the Online Privacy Protection Act of 2005; the Consumer Privacy Protection Act of 2005; the Anti-phishing Act of 2005; the Social Security Number Protection Act of 2005; and the Wireless 411 Privacy Act.
Files containing sensitive and protected information may be accessible by a large number of people in a data-driven company, such as a bank. Since it is not always known which files contain sensitive information, when they were received or archived, or where they are currently stored, it is sometimes difficult to identify and protect the files that contain sensitive information. The files containing sensitive information may occupy a large amount of space in a computer system. It is time-consuming to go through each file to determine whether it contains sensitive information.