Managing PII Flags
Last updated 26 days ago
This guide explains how administrators can flag and manage Personally Identifiable Information (PII) in survey responses to ensure GDPR compliance and protect respondent privacy.
What Are PII Flags?
PII (Personally Identifiable Information) is any data that could identify an individual, such as:
Names (first, last, full)
Email addresses
Phone numbers
Postal addresses
Employee IDs
IP addresses (in some jurisdictions)
Unique identifiers
PII Flags mark responses or comments that accidentally contain PII, allowing administrators to:
Review potentially sensitive data
Redact or anonymise PII
Prevent PII from appearing in reports
Comply with GDPR data subject rights
Why PII Flags Matter
The Privacy Risk
Even though ProcureValue is designed for anonymous surveys, respondents occasionally include PII in open-ended comments:
Examples:
"I worked with Sarah Johnson in Finance and she was very helpful..."
"You can reach me at john.smith@company.com if you want to discuss..."
"My employee ID is EMP-12345 and I've had issues..."
The Consequences
Without PII management:
Accidental de-anonymisation of responses
GDPR violations (data minimisation principle)
Increased risk if database is breached
Difficult to honour "right to erasure" requests
With PII flags:
Proactive identification of PII
Ability to redact before sharing insights
Audit trail of PII handling
Easier GDPR compliance
How PII Detection Works
Scan all open-ended comments on submission
Flag responses containing likely PII using pattern matching:
Email addresses (regex pattern)
Phone numbers (international formats)
Names (NLP entity recognition)
Mark flagged responses for admin review
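An added sketch of the pattern-matching step described above, not ProcureValue's own code: the regexes, the EMP- ID format and the priority rule are assumptions. Name detection (the NLP step) is not covered, so the first sample comment, which holds only a name, passes unflagged.

```python
import re

# Illustrative patterns (assumptions), not the product's detection rules.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+"),
    # ID format assumed from the "EMP-12345" example comment on this page.
    "employee_id": re.compile(r"\bEMP-\d{3,}\b", re.IGNORECASE),
    # Loose on purpose: also hits dates like 2025-01-01, so phone-only is "low".
    "phone": re.compile(r"(?<![\w-])\+?\(?\d[\d\s().-]{5,}\d(?![\w-])"),
}

def find_pii(comment):
    """Return non-overlapping (start, end, kind) spans in text order."""
    spans = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(comment):
            if kind == "phone" and sum(c.isdigit() for c in m.group()) < 7:
                continue  # too few digits to be a phone number
            spans.append((m.start(), m.end(), kind))
    kept = []
    for span in sorted(spans):
        if not kept or span[0] >= kept[-1][1]:
            kept.append(span)
    return kept

def build_flag(response_id, comment):
    """Return a body for POST /api/admin/pii/flag, or None if nothing matched."""
    kinds = sorted({kind for _, _, kind in find_pii(comment)})
    if not kinds:
        return None
    return {"response_id": response_id,
            "reason": "Contains " + ", ".join(kinds),
            "priority": "high" if {"email", "employee_id"} & set(kinds) else "low"}

def redact(comment):
    """Replace every matched span with the page's [REDACTED] marker."""
    out, pos = [], 0
    for start, end, _ in find_pii(comment):
        out += [comment[pos:start], "[REDACTED]"]
        pos = end
    return "".join(out) + comment[pos:]

# Comments quoted on this page, used as sample input.
SAMPLES = [
    "I worked with Sarah Johnson in Finance and she was very helpful...",
    "You can reach me at john.smith@company.com if you want to discuss...",
    "This is John Smith, Finance Manager. Call me at 555-1234 to discuss the issues with procurement. My email is jsmith@company.com.",
]
FLAGS = [build_flag(f"r{i}", c) for i, c in enumerate(SAMPLES, 1)]
```

Running find_pii again on the output of redact, before a response is marked Redacted, catches the case where PII appears in more than one place.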
Accessing PII Management Tools
Navigation
Log in as an Administrator
Navigate to Admin → PII Management
Or from campaign results: Actions → Review PII Flags
PII Management Dashboard
The dashboard shows:
Flagged Responses: Count of responses marked for review
Pending Review: Responses needing admin action
Redacted: Responses with PII removed
Recent Activity: Audit log of PII flag changes
Flagging Responses Manually
Step-by-Step Process
View Campaign Responses
Navigate to Campaigns → [Campaign Name] → View Responses
Review open-ended comments (Q5 "Additional Feedback")
Identify PII
Read each comment carefully
Look for names, emails, phone numbers, addresses
Consider context (could this identify someone?)
Flag the Response
Click Actions → Flag as Contains PII
Add reason for flagging: "Contains full name", "Includes email address"
Set priority: High (obvious PII) or Low (potential PII)
Save flag
Review Flagged Responses
Navigate to Admin → PII Management → Pending Review
Review each flagged response
Decide action: Redact, Unflag, or Delete
Redacting PII
What Is Redaction?
Redaction = Removing or masking PII while preserving useful content.
Example:
Original: "I worked with Sarah Johnson in Finance and she was very helpful with the Q2 budget."
Redacted: "I worked with [REDACTED] in Finance and she was very helpful with the Q2 budget."
How to Redact
Manual Redaction:
Open flagged response in PII Management dashboard
Click Edit Response
Replace PII with [REDACTED] or [NAME REMOVED]
Save changes
Mark response as Redacted
Auto-Redaction (Planned):
System automatically replaces emails/phones with [REDACTED]
Admin reviews and confirms
One-click approval for obvious cases
Redaction Guidelines
What to redact:
Full names (first + last)
Email addresses
Phone numbers
Street addresses
Employee IDs / badge numbers
Unique project names (if identifiable)
What to preserve:
Department names ("Finance", "IT", "Operations")
Generic roles ("my manager", "the procurement team")
First names only (if very common: "John", "Sarah")
Context and sentiment
Example decisions:
*If "Project Phoenix" is widely known (non-identifiable), keep it. If it's a small project with <5 people, redact it.
PII Flag Workflow
Status Flow
New Response
     ↓
[Admin Reviews]
     ↓
┌───────────────┐
│ Contains PII? │
└───────────────┘
   ↓         ↓
   NO        YES
 Cleared   Flagged for Review
             ↓
        [Admin Reviews]
             ↓
      ┌────────────────┐
      │ Action Needed? │
      └────────────────┘
        ↓      ↓      ↓
     Redact  Unflag  Delete
        ↓      ↓      ↓
    Redacted Cleared Removed
Status Definitions
When to Delete vs. Redact
Redact (Preferred)
When:
PII is limited to a few words/phrases
Majority of comment is useful feedback
Redaction preserves sentiment and context
Example:
"I worked with John Smith (john.smith@company.com) and he was incredibly slow to respond. This delayed our project by 3 weeks."
Redacted:
"I worked with [REDACTED] and he was incredibly slow to respond. This delayed our project by 3 weeks."
Outcome: Feedback preserved, PII removed
Delete (Last Resort)
When:
Entire response is PII (e.g., "My name is John Smith, EMP-12345")
PII cannot be redacted without making comment meaningless
Response violates terms of use (abuse, harassment)
Example:
"This is John Smith, Finance Manager. Call me at 555-1234 to discuss the issues with procurement. My email is jsmith@company.com."
Outcome: No useful feedback, entirely PII → Delete
Bulk Actions
Flagging Multiple Responses
Scenario: You discover a pattern (e.g., 10 responses mention a specific person's name)
Process:
Navigate to Admin → PII Management
Use Search to find all responses containing "John Smith"
Select all matching responses (checkboxes)
Click Bulk Actions → Flag as PII
Add reason: "Contains name: John Smith"
Confirm bulk flag
Bulk Redaction
Process:
Navigate to Admin → PII Management → Pending Review
Select multiple flagged responses (checkboxes)
Click Bulk Actions → Auto-Redact
System attempts automatic redaction (emails, phones)
Review auto-redacted responses
Manually adjust if needed
Approve bulk redaction
Warning: Always review auto-redacted content before approving. AI may over-redact or miss context-specific PII.
GDPR Data Subject Requests
Right to Access
Scenario: Individual requests: "Show me what data you have about me."
Process:
Search for potentially linked responses (if invitation email known)
Explain: "Responses are anonymous. We cannot attribute specific responses to individuals."
Provide: Invitation record (email, name, invitation status)
Do not provide: Specific survey responses (cannot link)
Right to Erasure
Scenario: Individual requests: "Delete my data."
Process:
Delete invitation record (email, name)
Check for PII flags: If individual's name appears in comments, redact or delete those responses
Explain: "Your invitation record is deleted. Any responses you submitted remain anonymous and cannot be specifically deleted."
Document action in PII audit log
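An added example (not ProcureValue's code) of the comment search behind the "Check for PII flags" step and the bulk-flagging process: it matches common spellings of the data subject's name and email and builds a body for POST /api/admin/pii/bulk-flag. The name variants, the response dict shape and the request reference DSR-EXAMPLE-001 are assumptions; the reason cites the request instead of the name so the name is not copied into flag_reason.

```python
import re


def subject_pattern(full_name, email):
    """Compile one case-insensitive regex for common spellings of a person."""
    parts = full_name.split()
    first, last = re.escape(parts[0]), re.escape(parts[-1])
    initial = re.escape(parts[0][0])
    name_forms = [
        rf"{first}\s+{last}",       # John Smith
        rf"{last},\s*{first}",      # Smith, John
        rf"{initial}\.?\s*{last}",  # J. Smith, J Smith, jsmith@...
    ]
    # Word boundaries keep "John Smithson" from matching "John Smith".
    return re.compile(
        r"\b(?:" + "|".join(name_forms) + r")\b|" + re.escape(email),
        re.IGNORECASE,
    )


def erasure_bulk_flag(full_name, email, request_ref, responses):
    """Return a body for POST /api/admin/pii/bulk-flag, or None if no hits."""
    pattern = subject_pattern(full_name, email)
    hits = [r["id"] for r in responses if pattern.search(r["comment"])]
    if not hits:
        return None
    return {"response_ids": hits,
            "reason": f"Erasure request {request_ref}: data subject named in comment"}


# Constructed sample responses; r1 reuses a comment quoted on this page.
RESPONSES = [
    {"id": "r1", "comment": "I worked with John Smith (john.smith@company.com) "
                            "and he was incredibly slow to respond."},
    {"id": "r2", "comment": "Smith, John in Finance approved it late."},
    {"id": "r3", "comment": "Ask J. Smith about the Q2 budget."},
    {"id": "r4", "comment": "John Smithson from IT was great."},
    {"id": "r5", "comment": "The procurement team was helpful."},
    {"id": "r6", "comment": "My email is jsmith@company.com."},
]
BODY = erasure_bulk_flag("John Smith", "john.smith@company.com",
                         "DSR-EXAMPLE-001", RESPONSES)
```

Hits still need manual review before redaction, since a matching name can belong to a different person.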
Right to Rectification
Scenario: Individual requests: "Correct my data."
Process:
Update invitation record if it still exists (e.g., fix misspelled name)
Explain: "Survey responses are anonymous and cannot be corrected individually."
Document change in audit log
Audit Logging
Every PII-related action is logged:
Who flagged a response
When it was flagged
Reason for flagging
Who redacted/deleted
Original and redacted text (stored separately, encrypted)
Data subject requests related to PII
Access audit logs: Admin → PII Management → Audit Log
Best Practices
Proactive PII Prevention
Survey Design:
Clear instructions: "Do not include names or contact information"
Reminder at top of open-ended questions
Survey intro: "Your responses are anonymous. Please do not include identifying information."
Email Communications:
Pre-survey email: "This survey is anonymous. Do not include personal details."
Survey invitation: Reiterate anonymity
Regular PII Reviews
Frequency: Review responses for PII:
After each campaign closes (before generating insights)
Monthly for ongoing campaigns
Immediately if GDPR request received
Process:
Export all responses with open-ended comments
Review systematically (use search for common PII patterns)
Flag any PII found
Redact within 7 days
Document in audit log
Training Team Members
Who needs training:
All administrators
Campaign managers
Anyone who can view raw responses
Training topics:
What constitutes PII
How to identify PII in comments
When to flag, redact, or delete
GDPR obligations
Audit logging importance
Frequency: Annual refresher + onboarding for new admins
Technical Implementation
Database Schema
-- PII flags table (PostgreSQL; uuid_generate_v4() requires the uuid-ossp extension)
CREATE TABLE pii_flags (
  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
  response_id UUID NOT NULL REFERENCES survey_responses(id),
  tenant_id UUID NOT NULL REFERENCES tenants(id),

  -- Flag details
  flagged_by UUID REFERENCES users(id),
  flagged_at TIMESTAMP DEFAULT NOW(),
  flag_reason TEXT NOT NULL,
  priority VARCHAR(20) DEFAULT 'medium', -- low, medium, high

  -- Status
  status VARCHAR(50) DEFAULT 'pending', -- pending, redacted, cleared, deleted
  reviewed_by UUID REFERENCES users(id),
  reviewed_at TIMESTAMP,

  -- Audit
  original_text TEXT, -- Encrypted storage of original
  redacted_text TEXT  -- Encrypted storage after redaction
);

-- PostgreSQL does not accept an inline INDEX clause inside CREATE TABLE,
-- so the indexes are created as separate statements.
CREATE INDEX idx_tenant_status ON pii_flags (tenant_id, status);
CREATE INDEX idx_response ON pii_flags (response_id);

-- PII audit log
CREATE TABLE pii_audit_log (
  id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
  tenant_id UUID NOT NULL REFERENCES tenants(id),
  flag_id UUID REFERENCES pii_flags(id),

  -- Action details
  action VARCHAR(50) NOT NULL, -- flagged, redacted, deleted, unflagged
  performed_by UUID REFERENCES users(id),
  performed_at TIMESTAMP DEFAULT NOW(),
  reason TEXT
);

CREATE INDEX idx_tenant_performed ON pii_audit_log (tenant_id, performed_at DESC);
API Endpoints (For Developers)
// Flag response as containing PII
POST /api/admin/pii/flag
Body: { response_id, reason, priority }

// Get all flagged responses
GET /api/admin/pii/flagged?status=pending

// Redact PII in response
PATCH /api/admin/pii/:flag_id/redact
Body: { redacted_text }

// Clear false positive flag
DELETE /api/admin/pii/:flag_id

// Bulk flag
POST /api/admin/pii/bulk-flag
Body: { response_ids[], reason }

// Get PII audit log
GET /api/admin/pii/audit?from=2025-01-01&to=2025-12-31
Troubleshooting
"I can't flag a response"
Possible causes:
Insufficient permissions (need Admin role)
Response already flagged
Campaign closed and locked
Solution: Contact your super admin to verify permissions.
"Redacted text still shows PII"
Cause: Incomplete redaction (PII in multiple places)
Solution:
Re-open response for editing
Search for all instances of PII
Replace each with [REDACTED]
Save and re-review
"Auto-redaction removed too much text"
Cause: Overly aggressive pattern matching
Solution:
Review auto-redacted text
Manually restore non-PII context
Approve final version
Report issue to product team for algorithm improvement