As defined by the Information Commissioner’s Office (ICO), personal data, commonly called Personally Identifiable Information (PII) in the United States, is “information that relates to an identified or identifiable individual.” To qualify, data must not only identify, or make identifiable, the individual to whom it refers, but also “must concern the individual in some way.” Because of its sensitive and personal nature, PII usually requires additional protections, and its management demands considerable attention and oversight to meet GDPR requirements.
When determining whether data constitutes PII, the first question is whether its content identifies, or makes identifiable, the individual to whom it applies, either directly or indirectly. Data that identifies an individual directly will usually contain one or more elements such as the individual’s name, social security number, street address, or email address. Data lacking these elements may still identify the individual indirectly through other data elements, which often include descriptors such as age, race, gender, or location. Indirect identification is harder to judge: a single descriptor may seem harmless, yet a combination of a few (for example, date of birth, gender, and postcode) can single out one person, and the risk grows when the data can be linked with other datasets the organization or a third party holds. Such cases are less obvious and will usually require a more careful and extensive review.
If the individual is identified, or made identifiable, by the data, the next question is whether the information “relates to” the individual. In other words, what is the relationship between the data and the individual? Does it describe their health records? Their finances? Does it log their activities? Further, what is the organization’s purpose in processing the information, and what, if any, effects might the processing have on the individual? It is important to remember that data is only considered PII where such a relationship is established, and that the answer can depend on who holds the data. As the ICO guidance states, “it is possible that although data does not relate to an identifiable individual for one controller, in the hands of another it does. This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.”
Understanding what PII is, why it matters, and where it applies is crucial for any organization that manages or processes data. Mishandling PII, whether intentional or not, can have serious consequences for both the organization and the individual, particularly in terms of privacy, fraud, and personal harm. The U.S. Department of Labor maintains that “the loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of information.” It is therefore essential to be informed and practiced in the proper handling of PII, and to understand the regulations that apply in your particular field. Personal data, in any form, should be treated with great care and vigilance, and properly safeguarded against potential misuse.
Information Commissioner’s Office - https://ico.org.uk/for-organisations/accountability-framework/records-of-processing-and-lawful-basis/data-mapping/
U.S. Dept. of Labor - https://www.dol.gov/general/ppii