Which term denotes an entity that collects or creates PII?

The concept being tested is who bears responsibility for determining what PII is collected and how it’s used. This role is the Data Owner/Controller—the entity that collects or creates personal data and decides the purposes and means of processing it. They hold the governance authority: what data to gather, why it’s needed, how long it’s retained, who can access it, and how it’s shared. The Data Owner/Controller sets the policies and controls that shape all subsequent handling of the data. A Data Custodian (or data processor) operates on behalf of the owner/controller, managing storage, access, and protection per those instructions rather than deciding the data collection itself. Data Classification is a labeling process of data by sensitivity, not an entity, and Confidentiality is a security objective focused on protecting data rather than identifying responsible parties.