Accessing PII (Personally Identifiable Information)
Under specific regulatory circumstances, authorized data consumers may need to access the underlying PII associated with a compliance attestation.
When PII Access Is Permitted
PII access is granted only when:
- A valid legal basis exists (regulatory mandate, court order, active investigation)
- The requesting entity is an authorized data consumer with appropriate role permissions
- The PII is relevant to the specific transaction or entity under review
- Access is logged and auditable
How PII Access Works
- Request submission — The data consumer submits a PII access request via the CRYMBO Platform or API
- Authorization check — CRYMBO verifies the consumer's role, jurisdiction, and legal basis
- Institution notification — The institution that owns the PII is notified of the access request (where legally required)
- Decryption and delivery — If authorized, the relevant PII is decrypted and delivered to the requesting party via a secure channel
- Access logged — The access event is permanently recorded in the audit trail
Important Principles
- CRYMBO does not hold raw PII — PII is encrypted and stored by the originating institution
- Selective disclosure — Only the specific fields required for the request are shared
- Data minimization — Access is scoped to the minimum data necessary
- Transparency — Institutions can see who accessed their data and when
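The following is an added example, not CRYMBO code or its API: a minimal Python model of the authorization check, selective disclosure, and audit logging described above. It goes beyond the page by hash-chaining the audit entries so that after-the-fact edits are detectable. The role names, legal-basis identifiers, request and record layouts, and the `scope` mapping are assumptions made for illustration, and institution notification and decryption are left out.

```python
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical identifiers; the page names these categories but defines no API.
LEGAL_BASES = {"regulatory_mandate", "court_order", "active_investigation"}
AUTHORIZED_ROLES = {"regulator", "law_enforcement"}
GENESIS = "0" * 64
# Constructed sample record (not real data).
SAMPLE_RECORD = {"subject_id": "tx-1001",
                 "pii": {"name": "Alice Example", "dob": "1990-01-01", "address": "1 Test St"}}


def _digest(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()


class AuditTrail:
    """Append-only log in which every entry commits to the previous entry's hash (assumed design)."""
    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "hash": _digest(prev, event)})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            if _digest(prev, entry["event"]) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def handle_request(req, record, scope, trail):
    """Deny by default; on a grant return only the requested, in-scope fields."""
    allowed = scope.get((req["consumer"], req["subject_id"]), set())
    checks = {
        "role": req["role"] in AUTHORIZED_ROLES,
        "legal_basis": req["legal_basis"] in LEGAL_BASES,
        "relevance": bool(allowed) and record["subject_id"] == req["subject_id"],
        "field_scope": bool(req["fields"]) and set(req["fields"]) <= allowed,
    }
    failed = sorted(name for name, ok in checks.items() if not ok)
    # Log denials as well as grants, and record field names only, never values.
    trail.append({"at": datetime.now(timezone.utc).isoformat(),
                  "consumer": req["consumer"], "subject": req["subject_id"],
                  "fields": sorted(req["fields"]), "failed": failed})
    return None if failed else {f: record["pii"][f] for f in req["fields"]}
```

A request for a field outside the approved scope is refused as a whole rather than partially served, and the refusal is still written to the trail.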