Personally Identifiable Information Field Descriptions in Twilio Docs for GDPR Compliance

May 25, 2018
Written by
Tom Tobin
Twilion

PII on your servers

Twilio’s API documentation recently received a new feature: text and symbols to the field descriptions that clarify what is and is not personally identifiable information (PII). We know developers don’t always read privacy policies, but they do read API documentation.

Ensuring appropriate data protection for personal information processed through the Twilio platform is necessarily a shared responsibility between you, our customer, using Twilio’s Platform and Twilio, as the provider of the platform.  We are sharing the updated documentation with PII field information as one part of our work on GDPR compliance.

PII Field Information

We know that Twilio’s GDPR compliance is just part of the journey for your application and your company to be compliant with the new regulations. As you use Twilio and make it part of your technology stack, we want to make it as easy as possible for you to comply with GDPR as part of your policies and compliance framework.

You’ll now see new annotations in the documentation – these annotations show whether data is treated as PII (aka personal information or personal data) or not, and how long at a minimum data will be stored by Twilio. You can store your data with Twilio for longer if you want or not – but after that minimum, it is up to you.
For example, you’ll see an annotation like this:

Or this:

The documentation links to the PII description page to see what each annotation means, for example in the first case above marked “PII MTL: 30 Days”::

  • the field is treated as though it has personal information in it
  • the minimum lifetime of data if you delete it is 30 days, which means if the data is retained at all longer than 30 days it is retained only pursuant to your instruction or choice to leave it there.  

The field marked “not PII” means the field’s contents are not personal information because:

  • The data doesn’t seem to ever need to be PII. For instance, Twilio SIDs are in this category.
  • The data can’t be technically protected or redacted – for instance because we are going to use it as a callback address, and so send it in an HTTP request. So you should not put personal information in that field.
  • Twilio owns that information – for instance if its a phone number that Twilio is operating

The data in a non-PII field may be kept longer-term, not under your control. For instance, you’ll see that the message SID is not PII. This allows us to keep the time and SID, so that we can look at the volume of messages per minute and do capacity planning to allow us to keep the service operating for example. But all identifying information like the actual phone numbers of your end users will be removed from that record so it cannot be used to re-identify your end users.

A Specific PII Example

Let’s say you are using messaging to send people reminders about their hair appointment.

  • You have your Twilio number – normally a phone number would be PII, but in this case it is not, because Twilio is operating the number for you, so we know what it is.
  • You have the other number – that’s PII, because it identifies the person you want to send a reminder to.
  • You have a webhook so you know the status of the message – whether it got an error or was sent.
  • Also, there is the body. That might contain a name, a time, a link to change that reservation. This is content, but could contain PII, so we treat it like PII.

Now in the message documentation we have the following parameters with their descriptions:

When you send us data we treat the phone numbers and body as PII. However, the callback URL is not marked as PII so use an ID or other non-identifiable data if you need to put data specific to that call that in the callback URL.

Conclusion

Twilio is committed to being a good steward of the data you need to protect and helping you manage the privacy along the chain from the user to your application. We want to help you make informed choices about how you manage the set of information about your customers. Once you know how that information will be managed by Twilio, you can trust us to communicate with your customers in line with how you’ve told your customers their information will be managed.