Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is data that could be used to contact a living person or discover their identity. Since many contributors use their personal devices for recorded tests, and those tests must adhere to certain policies, PII should always be taken seriously.
What are the different types and examples of PII?
The following list gives examples of what UserTesting contributors can’t be asked to disclose under any circumstances (the list isn’t exhaustive).
- Social security number
- Credit card numbers or purchase details
- Passport numbers
- Financial account numbers
- Genetic information
- Health plan account numbers
- Account passwords
- Driver’s license numbers
- Biometric identifiers (fingerprints, etc.)
For sensitive PII, UserTesting contributors must give their consent through screener questions. Several examples of sensitive PII are listed below.
- Political opinions
- Criminal convictions
- Religious beliefs
- Sexual orientation
Protected Health Information
Medical information falls under sensitive PII and also requires consent from test participants.
If your organization is a Covered Entity under HIPAA, medical information may be Protected Health Information (PHI) and should only be collected if your organization has a signed Business Associate Agreement with UserTesting. Examples of medical information include:
- Health diagnoses
- Hospital names
- Doctor names
- Medical information or history
What are the best practices for handling PII?
1. Offer contributors false information to use during tasks. Some usability tests involve an account login or a hypothetical checkout process that requires information to be filled in. Instead of having a contributor use their own PII, instruct them to enter false, non-identifying data.
For instance, this could be an email address like firstname.lastname@example.org, a credit card number of 5555-5555-5555-5555, or a password of “fake.”
2. If a test calls for a contributor’s PII and internal policies require that data to be protected, you can take advantage of UserTesting’s Blur Tool. It conceals personal information such as names, account logins, and addresses. Even though contributors’ screens will be unreadable in the recording, you’ll still be able to hear them thinking aloud.
3. Use screener questions to set expectations and give contributors an opportunity to opt out. If you anticipate that PII may appear during the tasks, whether through notifications or otherwise, note this in your screeners.
For instance, consider writing a screener that says, “This test requires you to disable notifications. Have you disabled all notifications on your smart device?” The contributor can then choose “yes” or “no.”