Personally Identifiable Information (PII)
What is Personally Identifiable Information (PII)?
As defined by the Information Commissioner’s Office (ICO), personal data, or Personally Identifiable Information (PII), is “information that relates to an identified or identifiable individual.” To count as PII, data must not only identify, or make identifiable, the individual to whom it refers, but also “must concern the individual in some way.” Because of its sensitive and personal nature, PII usually carries additional data protection requirements, and meeting GDPR compliance demands considerable attention and well-supervised handling practices.
What does personally identifiable information include?
When determining whether personal information constitutes PII, the first thing to consider is whether the content of the information identifies, or makes identifiable, the individual to whom it applies, either directly or indirectly. Data that identifies the individual directly will usually contain one or more of the following: the individual’s name, social security number, street address, email, etc. Data without these elements may still identify the individual indirectly, through a combination of other data elements such as age, race, gender, location, or even personal data reflecting the individual's financial information. With indirect identification it is less obvious whether the individual is at risk of being identified, so a more careful and extensive review is usually required.
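The direct-versus-indirect distinction above can be checked mechanically over a dataset. The following Python is an added example, not part of the original page: the field names and sample records are constructed assumptions, and a record is flagged as indirectly identifying when its combination of quasi-identifier values (age, race, gender, location) is unique within the dataset, which is the case that calls for the more careful review.

```python
# Added example (not from the original page): classify records as directly
# or indirectly identifying. Field names and sample data are constructed.
from collections import Counter
from typing import Iterable

# Fields that identify an individual on their own (direct identifiers).
DIRECT_IDENTIFIERS = {"name", "ssn", "street_address", "email"}
# Fields that identify only in combination (quasi-identifiers).
QUASI_IDENTIFIERS = ("age", "race", "gender", "location")


def quasi_key(record: dict) -> tuple:
    """Return the combination of quasi-identifier values for one record."""
    return tuple(record.get(field) for field in QUASI_IDENTIFIERS)


def classify_records(records: Iterable[dict]) -> list[tuple[int, str]]:
    """Label each record 'direct', 'indirect' or 'not_identifying'.

    'direct'          - at least one direct-identifier field is populated.
    'indirect'        - no direct identifier, but the quasi-identifier
                        combination occurs only once in the dataset, so the
                        record can be singled out from those attributes alone.
    'not_identifying' - the quasi-identifier combination is shared with at
                        least one other record, so it does not single anyone out.
    """
    records = list(records)
    counts = Counter(quasi_key(r) for r in records)
    labels = []
    for index, record in enumerate(records):
        if any(record.get(field) for field in DIRECT_IDENTIFIERS):
            labels.append((index, "direct"))
        elif counts[quasi_key(record)] == 1:
            labels.append((index, "indirect"))
        else:
            labels.append((index, "not_identifying"))
    return labels


# Constructed sample dataset; no real individuals.
SAMPLE = [
    {"name": "A. Example", "age": 34, "race": "group1", "gender": "F", "location": "Leeds"},
    {"age": 34, "race": "group1", "gender": "F", "location": "Leeds"},
    {"age": 34, "race": "group1", "gender": "F", "location": "Leeds"},
    {"age": 71, "race": "group2", "gender": "M", "location": "Hull"},
]

if __name__ == "__main__":
    for index, label in classify_records(SAMPLE):
        print(index, label)
```

The uniqueness check is a minimal form of the k-anonymity test (here k = 2); a real review would also weigh how easily the quasi-identifier values could be learned from other sources.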
PII Relationship to Individuals
If the individual is identified, or made identifiable, by the data, the next question is whether the information “relates to” the individual. In other words, what is the individual’s relationship to the data, for example from a human resources perspective? Does it describe biometric data, or protected health information from their health records? Their finances? Does it log their activities? Further, what is the organization’s reason for processing the information, and what, if any, are the possible effects on the individual of the data being processed? It is important to remember that data will only be considered PII where a relationship to the specific individual is established. As stated in the ICO guidelines, “it is possible that although data does not relate to an identifiable individual for one controller, in the hands of another it does. This is particularly the case where, for the purposes of one controller, the identity of the individuals is irrelevant and the data therefore does not relate to them.”
Processing PII Data
Understanding what PII is, why it matters, and where it applies is crucial for any organization that manages and processes data. Mishandling PII, whether intentional or not, can have dire consequences for both the processor and the affected individual, particularly with respect to privacy protection and the prevention of criminality or personal injury.
The U.S. Department of Labor maintains that “the loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of information.” It is therefore essential to be informed and practiced in the proper handling of PII, and to understand the information quality best practices and legal regulations that apply in your particular field. Personal data, in any form, should be treated with great care and vigilance, and properly safeguarded against potential misuse.
Resources
Information Commissioner’s Office - https://ico.org.uk/for-organisations/accountability-framework/records-of-processing-and-lawful-basis/data-mapping/
U.S. Dept. of Labor - https://www.dol.gov/general/ppii