Personally identifiable information

From The IT Law Wiki

Background

In information security and privacy, personally identifiable information or personally identifying information (PII) is any piece of information which can be used to uniquely identify an individual or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual, or information that can be used to distinguish or trace the individual’s identity. Generally included in this category are an individual’s name or another personal identifier, social security number, biometric records, date and place of birth, and mother’s maiden name.

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many website privacy policies specifically address the collection of PII, and lawmakers have enacted a series of laws to limit the distribution and accessibility of PII.

Definitions

There are various, albeit similar, definitions for PII.

The federal Office of Management and Budget defines PII as “information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”[1]

California law defines personally identifiable information as:

[I]ndividually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following:
(1) A first and last name.
(2) A home or other physical address, including street name and name of a city or town.
(3) An e-mail address.
(4) A telephone number.
(5) A social security number.
(6) Any other identifier that permits the physical or online contacting of a specific individual.
(7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.[2]

Examples

Items which might be considered PII include, but are not limited to, a person's:

  • Name, such as full name, maiden name, mother’s maiden name, or alias, in connection with one or more of the following:
  • Personal identification number, such as social security number (SSN), passport number, driver’s license number, taxpayer identification number, or financial account or credit card number
  • Address information, such as street address or email address
  • Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), fingerprints, handwriting, or other biometric image or template data (e.g., retina scans, voice signature, facial geometry).
  • Telephone number
  • IP address (in some cases)
  • Vehicle registration plate number

Information that is not generally considered personally identifiable, because many people share the same trait, includes:

  • First or last name alone, if common
  • Country, state, or city of residence
  • Age, especially if non-specific
  • Gender or race
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old black man who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none of which are PII, may uniquely identify a person when brought together; this is one reason that multiple pieces of evidence are usually presented at criminal trials. For example, there may be only one Inuit person named Steve in the town of Lincoln Park, Michigan.
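The combination effect described above can be measured on a data set before it is released or logged. The following is an added example, not part of the original article: it uses constructed sample rows and the standard k-anonymity measure (the size of the smallest group of rows sharing the same values) to show fields that are harmless alone becoming identifying together, and goes one step further by listing the widest set of fields that can be released together. All field names and rows are assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations

FIELDS = ["first_name", "city", "age_band", "employer"]

# Constructed sample rows; every field is one the article lists as not
# generally identifying on its own.
ROWS = [dict(zip(FIELDS, r)) for r in [
    ("Steve", "Lincoln Park", "30-39", "Target"),
    ("Steve", "Lincoln Park", "40-49", "Ford"),
    ("Steve", "Detroit", "30-39", "Target"),
    ("Steve", "Detroit", "40-49", "Ford"),
    ("Maria", "Lincoln Park", "30-39", "Ford"),
    ("Maria", "Lincoln Park", "40-49", "Target"),
    ("Maria", "Detroit", "30-39", "Ford"),
    ("Maria", "Detroit", "40-49", "Target"),
]]


def smallest_group(rows, fields):
    """k-anonymity of `rows` over `fields`: size of the rarest value combination."""
    counts = Counter(tuple(row[f] for f in fields) for row in rows)
    return min(counts.values())


def minimal_identifying_sets(rows, fields):
    """Smallest field combinations under which some row is the only match."""
    found = []
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue  # a smaller subset already singles someone out
            if smallest_group(rows, combo) == 1:
                found.append(combo)
    return found


def largest_safe_release(rows, fields, k=2):
    """Widest field combinations where every row still hides among >= k rows."""
    for size in range(len(fields), 0, -1):
        safe = [c for c in combinations(fields, size) if smallest_group(rows, c) >= k]
        if safe:
            return safe
    return []


if __name__ == "__main__":
    for f in FIELDS:
        print(f, smallest_group(ROWS, [f]))
    print(minimal_identifying_sets(ROWS, FIELDS))
    print(largest_safe_release(ROWS, FIELDS))
```

In this sample no single field or pair of fields isolates anyone, yet three of the four three-field combinations do; dropping the city column is the only way to keep three fields while leaving every row indistinguishable from at least one other.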

Related laws

Recently, lawmakers have paid a great deal of attention to protecting a person's PII. For example, one of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA) is to protect a patient's PII.

U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft. The Social Security Number Protection Act of 2005 and Identity Theft Prevention Act of 2005 each seek to limit the distribution of an individual's social security number.

On the other hand, many businesses see this increasing load of legislation as excessive, an unnecessary expense, and a barrier to progress. The increasing complexity of the laws might force companies to consult a lawyer just to engage in simple business practices such as server logging, user registration, and credit checks. Some have predicted such measures may inhibit the industry as a whole, lowering wages and creating a barrier to entry. For this reason, a number of privacy laws stress the "acceptable uses" of PII.

References

  1. OMB Memorandum 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information.
  2. Cal. Bus. & Prof. Code §22577(a).