Personally identifiable information (PII) is information that, when used alone or in conjunction with other relevant data, can be used to identify an individual.
Personally identifiable information may contain direct identifiers that can identify a person uniquely, or other sensitive data, such as:
- Passport Information
- Home Address
- Telephone Number
- Email Address
- Login Details
- Internet Protocol Addresses
Quasi-identifiers are indirect identifiers that, on their own, may not be enough to identify an individual, such as:
- First or last name (must be common; otherwise it can be used as a direct identifier)
- Job position
Taken together, one or more quasi-identifiers can be used to recognise a specific individual, so be careful about what your organisation shares.
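The re-identification risk described above is easy to measure before a dataset is shared. The following example is added here and is not code from the original article or its vendor: it takes a constructed table of records (not real people) that contains only quasi-identifier columns, counts how many records share each combination of values (the "equivalence class"), and reports the smallest class size, commonly called k. Any combination with k = 1 pins down a single person even though each column on its own does not. The column names `first_name`, `job_position` and `city` are assumptions chosen to match the page's examples; the same check applies to the "non-sensitive" attributes such as date of birth or gender discussed later on the page.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records for illustration only; no real individuals.
# Each column alone is shared by several people, which is what makes them
# quasi-identifiers rather than direct identifiers.
RECORDS = [
    {"first_name": "John",  "job_position": "Engineer", "city": "Leeds"},
    {"first_name": "John",  "job_position": "Engineer", "city": "Leeds"},
    {"first_name": "John",  "job_position": "Manager",  "city": "York"},
    {"first_name": "Sarah", "job_position": "Manager",  "city": "Leeds"},
    {"first_name": "Sarah", "job_position": "Nurse",    "city": "York"},
    {"first_name": "Sarah", "job_position": "Nurse",    "city": "York"},
    {"first_name": "John",  "job_position": "Nurse",    "city": "Leeds"},
    {"first_name": "Sarah", "job_position": "Engineer", "city": "York"},
]

# Assumed set of quasi-identifier columns present in the records above.
QUASI_IDENTIFIERS = ("first_name", "job_position", "city")


def equivalence_classes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(record[col] for col in columns) for record in records)


def k_anonymity(records, columns):
    """Smallest number of records sharing one combination of `columns`.

    A value of 1 means at least one person is uniquely identifiable from
    those columns alone; higher is safer.
    """
    classes = equivalence_classes(records, columns)
    return min(classes.values()) if classes else 0


def unique_combinations(records, columns):
    """Value combinations that identify exactly one record."""
    classes = equivalence_classes(records, columns)
    return sorted(combo for combo, count in classes.items() if count == 1)


def risky_subsets(records, columns, min_k=2):
    """Every subset of `columns` (of any size) whose release would leave at
    least one person identifiable, i.e. whose k is below `min_k`.

    Checking all subsets matters because a recipient may already hold some
    of these attributes from another source and only needs the rest.
    """
    found = []
    for size in range(1, len(columns) + 1):
        for subset in combinations(columns, size):
            if k_anonymity(records, subset) < min_k:
                found.append(subset)
    return found


def report(records, columns, min_k=2):
    """Human-readable summary of which column combinations are unsafe to share."""
    lines = []
    for subset in combinations(columns, 1):
        lines.append(f"{subset}: k={k_anonymity(records, subset)}")
    for subset in risky_subsets(records, columns, min_k):
        lines.append(
            f"UNSAFE {subset}: k={k_anonymity(records, subset)}, "
            f"unique={unique_combinations(records, subset)}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(RECORDS, QUASI_IDENTIFIERS))
```

In this sample every single column has k of at least 2, yet every pair of columns, and therefore the full record, contains combinations that match exactly one person. The usual mitigations are to release fewer quasi-identifier columns, generalise values (a region instead of a city, a job family instead of a title) until every class reaches the target k, or suppress the records that remain unique.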
What is Personal Data?
Personal data and personally identifiable information are two classifications of data that often cause confusion for companies that collect, store and examine such data.
Personal data is information that relates to an individual. What identifies an individual could be as straightforward as a name or a number, or it could involve other factors such as an internet protocol address or a cookie.
If you cannot directly identify an individual from the information, you need to consider whether the individual is still identifiable. Take into account all the means reasonably likely to be used to identify that individual, along with the information you are processing.
Even if an individual is identified or identifiable, directly or indirectly, from the data you are handling, it is not personal data unless it relates to the individual.
When deciding whether information “relates to” an individual, you need to take into account a range of components, including the content of the information, the purpose or purposes for which you are handling it, and the likely impact or effect of that processing on the individual.
What Are Identifiers and Related Factors?
If you can distinguish an individual from others, then that person is identified or identifiable. Usually, an individual’s name, together with some other information, will be enough to identify them.
GDPR describes related factors as “factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”
These factors are characteristics that can be related to a specific person, meaning that, in theory, you can identify them.
What Laws and Standards Cover Personally Identifiable Information?
Worldwide, many countries have their own laws and standards ensuring that personally identifiable information is protected, such as:
- The UK Data Protection Act 2018 (superseded the UK Data Protection Act 1998)
- GDPR UK
- Article 8 of the European Convention on Human Rights
- The UK Regulation of Investigatory Powers Act 2000
- Employers’ Data Protection Code of Practice
- The Federal Act on Data Protection 1992
- Privacy Act
- Ontario Freedom of Information and Protection of Privacy Act
- Personal Information Protection and Electronic Documents Act
- Ontario Personal Health Information Protection Act
- The Privacy Act 1993
European data protection law does not utilise the concept of personally identifiable information, and its scope is instead determined by a non-synonymous, more comprehensive concept of “personal data”.
- General Data Protection Regulation (GDPR)
- Article 8 of the European Convention on Human Rights
- Directive 2002/58/EC (also known as the E-Privacy Directive)
- Directive 2006/24/EC (also known as the Data Retention Directive)
United States (Federal Laws)
- The Privacy Act of 1974
- US ‘Privacy Shield’ Rules
- Title 18 of the United States Code, section 1028d(7)
- The Privacy Act 1988
PII Security Controls and the Data Privacy Framework
Businesses can protect sensitive data such as payments, personal information, and intellectual property by using a Data Privacy Framework.
The framework outlines how to define sensitive data, how to analyse the risks affecting that data, and how to implement controls to secure it. Using the Data Privacy Framework, you can emphasise the most sensitive and valuable data within your organisation.
You can use this to design controls suited to your organisation’s structure, culture, regulatory requirements, and security budget.
Sensitive vs Non-Sensitive Personally Identifiable Information
Personally identifiable information can be classed as either sensitive or non-sensitive.
Sensitive PII has to be processed and protected differently from other personal information and data, because this information is susceptible to misuse.
Some examples of identifiers that count as sensitive personally identifiable information:
- Trade union membership
- Mental health
- Genetic or biometric data
- Political beliefs
Non-sensitive PII is classified as information or data that can be transmitted in unencrypted form without causing harm to the individual in question. The easiest way to visualise non-sensitive information is as data that can be found in public records, phone books and websites. This includes attributes such as race, gender and date of birth. On its own, this information is not enough to establish an individual’s identity, although combined with other attributes it can act as a quasi-identifier, as described above.
When sensitive personally identifiable information is stored or processed electronically, it should be protected in transit and at rest with suitable encryption.
Because non-sensitive personally identifiable information is publicly available, it may be transmitted or stored in plain text without harming the individual.
How Is PII Used in Identity Theft?
Identity thieves who get hold of these identifiers can use personally identifiable information to commit fraud in a person’s name. Criminals can apply for loans or lines of credit, make purchases, drain financial accounts, and more.
Identity thieves can also use your sensitive PII to commit synthetic identity theft, in which a fraudster combines someone’s personally identifiable information with other people’s information to create a new, synthetic identity.
Another way criminals can profit from your personally identifiable information is by selling your sensitive data on the dark web, where PII ranging from Netflix passwords to credit card numbers is on offer. This information is regularly sold on the internet’s underbelly for financial gain, demonstrating the importance of customer data security.
What Is Protected Health Information?
Another type of personally identifiable information is protected health information (PHI), referred to as ePHI when it is held or transmitted electronically. This is any personal information linked to an individual about health status, healthcare provision, payment for healthcare and more. It is always interpreted broadly and mostly includes any part of the patient’s medical records or payment history.
There are various forms of protected health information, the most common being personal health records (PHR). Wearable technology, electronic health records, and mobile applications are examples of other sources of PHI. Concerns about the safety and privacy of PHI have increased in recent years.
Frequently Asked Questions
What Is Non-Personal Data?
What Is the Meaning of ‘Relates To’?
What Are the User Rights for PII?
Who Is Responsible for Safeguarding PII?
What Should You Do if a Data Breach Occurs?