The IT Law Wiki

Definitions

There are numerous, albeit similar, definitions for PII:

Biometrics

Personally identifiable information is:

[i]nformation about an individual that identifies, links, relates, or is unique to, or describes him or her, e.g., a social security number; age; military rank; civilian grade; marital status; race; salary; home/office phone numbers; other demographic, biometric, personnel, medical, and financial information, etc. Such information is also known as personally identifiable information (i.e., information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother's maiden name, biometric records, including any other personal information which is linked or linkable to a specified individual).[1]

California Attorney General

Personally identifiable data are

any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.[2]

California law

One California statute defines personally identifiable information[3] as:

[I]ndividually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.[4]

General

Personally identifiable information is

[t]he information pertaining to any person which makes it possible to identify such individual (including the information capable of identifying a person when combined with other information even if the information does not clearly identify the person).[5]
one or more pieces of information that when considered together or when considered in the context of how it is presented or how it is gathered is sufficient to specify a unique individual.

The pieces of information can be:

information which can be used to distinguish or trace an individual's identity, such as name, social security number, or biometric records, alone or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, or mother's maiden name.[7]

U.S. Department of Homeland Security

Personally identifiable information is

any information that permits the identity of an individual to be directly or indirectly inferred, including any information which is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, lawful permanent resident, visitor to the U.S., or employee or contractor to the Department.[8]

U.S. Office of Management and Budget/NIST

Personally identifiable information is

information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.[9]
  • To distinguish an individual is to identify an individual.[10] Some examples of information that could identify an individual include, but are not limited to, name, passport number, social security number, or biometric data.[11] In contrast, a list containing only credit scores without any additional information concerning the individuals to whom they relate does not provide sufficient information to distinguish a specific individual.[12]
  • To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual's activities or status.[13] For example, an audit log containing records of user actions could be used to trace an individual's activities.
  • Linked information is information about or related to an individual that is logically associated with other information about the individual.[14] In contrast, "linkable information" is information about or related to an individual for which there is a possibility of logical association with other information about the individual. For example, if two databases contain different PII elements, then someone with access to both databases may be able to link the information from the two databases and identify individuals, as well as access additional information about or relating to the individuals. If the secondary information source is present on the same system or a closely-related system and does not have security controls that effectively segregate the information sources, then the data is considered linked. If the secondary information source is maintained more remotely, such as in an unrelated system within the organization, available in public records, or otherwise readily obtainable (e.g., internet search engine), then the data is considered linkable.

Background

In information security and privacy, "personally identifiable information" or "personally identifying information" (PII) is any piece of information which can be used to uniquely identify an individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual, or information that can be used to distinguish or trace the individual's identity. Generally included in this category are an individual's name or another personal identifier, social security number, biometric records, date and place of birth, and mother's maiden name.

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many website privacy policies specifically address the collection of PII, and lawmakers have enacted a series of laws to limit the distribution and accessibility of PII.

A common misconception is that PII only includes data that can be used to directly identify or contact an individual (e.g., name, e-mail address), or personal data that is especially sensitive (e.g., Social Security number, bank account number). The OMB and NIST definition of PII is broader [see above]. The definition is also dynamic, and can depend on context. Data elements that may not identify an individual directly (e.g., age, height, birth date) may nonetheless constitute PII if those data elements can be combined, with or without additional data, to identify an individual. In other words, if the data are linked or can be linked ("linkable") to the specific individual, they are potentially PII.

Moreover, what can be personally linked to an individual may depend upon what technology is available to do so. As technology advances, computer programs may scan the Internet with wider scope to create a mosaic of information that may be used to link information to an individual in ways that were not previously possible (this is often referred to as the "mosaic effect").[15]

Sometimes multiple pieces of information, none of which alone is considered PII, might still uniquely identify a person when combined. For example, suppose a company employs only one 39-year-old female with a residence in Roanoke, Virginia. In that case, the employer, age, gender, and city of residence are not PII elements by themselves, but become PII when they are presented together. This scenario is an example of PII established through indirect inference, while data elements such as a driver's license number constitute PII through direct inference.
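The indirect-inference scenario above can be checked mechanically before a data set is released. The following is an added example, not part of the original article: it counts how many records share each combination of attribute values and reports the smallest combination that singles a record out. The records are constructed sample data, and the column names and employer names are assumptions.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people); column names are assumptions.
RECORDS = [
    {"employer": "Acme", "age": 39, "gender": "F", "city": "Roanoke"},
    {"employer": "Acme", "age": 39, "gender": "M", "city": "Roanoke"},
    {"employer": "Acme", "age": 39, "gender": "F", "city": "Salem"},
    {"employer": "Acme", "age": 41, "gender": "F", "city": "Roanoke"},
    {"employer": "Acme", "age": 41, "gender": "F", "city": "Roanoke"},
    {"employer": "Acme", "age": 39, "gender": "M", "city": "Roanoke"},
    {"employer": "Acme", "age": 39, "gender": "F", "city": "Salem"},
    {"employer": "Globex", "age": 39, "gender": "F", "city": "Roanoke"},
    {"employer": "Globex", "age": 39, "gender": "F", "city": "Roanoke"},
]
QUASI_IDENTIFIERS = ("employer", "age", "gender", "city")


def class_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """Smallest group size; k == 1 means at least one person is singled out."""
    return min(class_sizes(records, columns).values())


def minimal_identifying_sets(records, index, columns=QUASI_IDENTIFIERS):
    """Smallest column subsets whose values are unique to records[index]."""
    target = records[index]
    found = []
    for size in range(1, len(columns) + 1):
        for combo in combinations(columns, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue  # a smaller subset already singles the record out
            key = tuple(target[c] for c in combo)
            if class_sizes(records, combo)[key] == 1:
                found.append(combo)
    return found


if __name__ == "__main__":
    print("k over all four columns:", k_anonymity(RECORDS, QUASI_IDENTIFIERS))
    print("record 0 is singled out by:", minimal_identifying_sets(RECORDS, 0))
```

In this sample no single column and no group of three identifies the first record, but all four together do, which is the condition the paragraph describes.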

Examples

Items which might be considered PII include, but are not limited to, a person's:

  • Name, such as full name, maiden name, mother’s maiden name, or alias, in connection with one or more of the following:

Information that is not generally considered personally identifiable, because many people share the same trait, includes:

  • First or last name alone, if common
  • Country, state, or city of residence
  • Age, especially if non-specific
  • Gender or race
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old black man who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none of which are PII, may uniquely identify a person when brought together; this is one reason that multiple pieces of evidence are usually presented at criminal trials. For example, there may be only one Inuit person named Steve in the town of Lincoln Park, Michigan.

Related laws

Recently, lawmakers have paid a great deal of attention to protecting a person's PII. For example, one of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA) is to protect a patient's PII.

U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft. The Social Security Number Protection Act of 2005 and Identity Theft Prevention Act of 2005 each seek to limit the distribution of an individual's social security number.

On the other hand, many businesses see this increasing load of legislation as excessive, an unnecessary expense, and a barrier to progress. The increasing complexity of the laws might force companies to consult a lawyer just to engage in simple business practices such as server logging, user registration, and credit checks. Some have predicted such measures may inhibit the industry as a whole, lowering wages and creating a barrier to entry. For this reason, a number of privacy laws stress the "acceptable uses" of PII.

References

  1. Biometrics Identity Management Agency, Biometrics Glossary, at 30 (Ver. 5) (Oct. 2010) (full-text).
  2. Privacy on the Go: Recommendations for the Mobile Ecosystem, at 6.
  3. Another California statute defines personal information somewhat differently. See Cal. Civ. Code § 1798.29(g).
  4. Cal. Bus. & Prof. Code §22577(a).
  5. NSTAC Report to the President on Identity Management Strategy, at C-4.
  6. Privacy Technology Focus Group Final Report, App. B, at 58-59.
  7. Criminal Justice Information Services Security Policy, Glossary, at A-9.
  8. DHS Privacy Office, Handbook for Safeguarding Sensitive Personally Identifiable Information at the Department of Homeland Security 4 (Oct. 31, 2008).
  9. OMB Memorandum M-07-16; NIST Special Publication 800-122, at 2-1.
  10. Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), at 2-1.
  11. These data elements are included in a list of identifying information from the Identity Theft and Assumption Deterrence Act of 1998, Pub. L. No. 105-318, 112 Stat. 3007 (Oct. 30, 1998).
  12. Information elements that are not sufficient to identify an individual when considered separately might nevertheless render the individual identifiable when combined with additional information. For instance, if the list of credit scores were to be supplemented with information, such as age, address, and gender, it is probable that this additional information would render the individuals identifiable.
  13. Guide, at 2-1.
  14. Id.
  15. Recommendations for Standardized Implementation of Digital Privacy Controls, at 7-8.
