Company A pays company B for enterprise software. Company A hosts it internally. An employee from company B needs access to servers at company A in order to manage said software
Company A is requesting very personal information of the employees needing remote access. e.g.
- Full Name
- Cell Phone
- Date of Birth
- Passport Number
- Passport Issuer
Can these pieces of information be used alone, or together in a way that would increase the info security risk to the employee in any way?
To me, this is a case of requesting/requiring too much information – that is – beyond what is actually necessary to fulfill the request.
I understand the need for cell number – as they use two-factor authentication where they send a code each time one needs to access the VPN. The rest seems well beyond what is needed.