Personally identifiable information

From Wikipedia, the free encyclopedia

This article needs additional citations for verification. Please help improve this article by adding reliable references. Unsourced material may be challenged and removed. (April 2008)

Personally Identifiable Information (PII), as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. All are equivalent. The US government used personally identifiable in 2007 in a memorandum from the Office of the President^[1], and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information and is defined as:

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.

PII is defined in EU directive 95/46/EC:^[2]

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;

The concept of information combination given in the legal definitions is key to correctly identifying PII. Information, such as a name, that lacks context cannot be said to be PII. For example, the name John Smith has no meaning in the current context and is therefore not PII. A Social Security Number (SSN) without a name or some other associated identity or context information is not PII. For example, the SSN 078-05-1120 has no information associated with it that would identify an individual or expose them to harm, so it is not PII. However the combination of a valid name with the correct SSN is PII.^[3] The combination of a name with a context can also be considered PII. For example if a person’s name is on a list of patients for a clinic known for treating people with a specific illness such as AIDs. The reason for this distinction is that bits of information without context or correlated information are not sufficient to identify a person and expose them to potential harm.

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII.

Contents 1 Examples 2 Related laws 2.1 Canada 2.2 United States of America 2.3 European Union (member states) 2.4 United Kingdom & Ireland 3 Forensics 4 Personal safety 5 See also 6 References 7 External links

[edit] Examples

Items which might be considered PII include, but are not limited to, a person's:

• Full name (if not common)
• National identification number
• IP address (in some cases)
• Vehicle registration plate number
• Driver's license number
• Face, fingerprints, or handwriting
• Credit card numbers
• Digital identity
• Birthday
• Birth Place

Information that is not generally considered personally identifiable, because they are traits shared by many people, include:

• First or last name, if common
• Country, state, or city of residence
• Age, especially if non-specific
• Gender or race
• Name of the school they attend or workplace
• Grades, salary, or job position
• Criminal record

When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old white man who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none of which are PII, may uniquely identify a person when brought together; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that 87% of the population in the United States is likely to be uniquely identified by only gender, date of birth and ZIP code.^[4]

[edit] Related laws

Below are examples of legal frameworks affecting data privacy in several jurisdictions.

[edit] Canada

• Privacy Act (governs the Federal Government agencies)
• Personal Information Protection and Electronic Documents Act (PIPEDA) of (2001 government entities), (2004 All other entities)

[edit] United States of America

Recently lawmakers have paid a great deal of attention to protecting a person's PII. One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA), is to protect a patient's PII. The U.S. Senate has recently proposed the Privacy Act of 2005, which attempts to strictly limit the display, purchase, or sale of PII without the person's consent. Similarly, the Anti-phishing Act of 2005 attempts to prevent the acquiring of PII through phishing.

U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft. The Social Security Number Protection Act of 2005 and Identity Theft Prevention Act of 2005 each seek to limit the distribution of an individual's social security number.

On the other hand, many businesses see this increasing load of legislation as excessive, an unnecessary expense, and a barrier to progress. The increasing complexity of the laws might force companies to consult a lawyer just to engage in simple business practices such as server logging, user registration, and credit checks. Some have predicted such measures may inhibit the industry as a whole, lowering wages and creating a barrier to entry. For this reason, a number of privacy laws stress the "acceptable uses" of PII, such as Massachusetts' Public Records Law and Fair Information Practices Act.

State Laws

• California
  • The California state constitution declares privacy an inalienable right in Article 1, Section 1.
  • California Online Privacy Protection Act(OPPA) of 2003
  • SB 1386 requires organizations to notify individuals when it is known or believed to be acquired by an unauthorized person.
• Massachusetts
  • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth ^[5]

Proposed Federal Bills

• Privacy Act of 2005
• Information Protection and Security Act
• Identity Theft Prevention Act of 2005
• Online Privacy Protection Act of 2005
• Consumer Privacy Protection Act of 2005
• Anti-phishing Act of 2005
• Social Security Number Protection Act of 2005
• Wireless 411 Privacy Act

Federal Law

• Title 18 of the United States Code, section 1028d(7)
• US 'Safe Harbor' Rules (EU Harmonisation)

[edit] European Union (member states)

• Article 8 of the European Convention on Human Rights
• Directive 95/46/EC (Data Protection Directive)
• Directive 2002/58/EC (the E-Privacy Directive)
• Directive 2006/24/EC Article 5 (The Data Retention Directive)

Further examples can be found on the EU privacy website.

[edit] United Kingdom & Ireland

• The UK Data Protection Act 1998
• The Irish Data Protection Acts 1998 and 2003
• Article 8 of the European Convention on Human Rights
• The UK Regulation of Investigatory Powers Act 2000
• Employers' Data Protection Code of Practice
• Model Contracts for Data Exports
• The Privacy and Electronic Communications (EC Directive) Regulations 2003
• The UK Interception of Communications (Lawful Business Practice) Regulations 2000
• The UK Anti-Terrorism, Crime & Security Act 2001
• The UK Privacy & Electronic Communications (EC Directive) Regulations 2003

[edit] Forensics

In forensics, the tracking down of the identity of a criminal, personally identifiable information is critical in zeroing in on the subject. Criminals will go to great trouble to avoid leaving any PII; they wear masks (faces and hair are PII), gloves (fingerprints are PII), clothing that covers personal marks (tattoos and scars are PII) and avoid writing anything in their own handwriting (handwriting can be PII). Also, more modern 'masks' may be used, such as using a proxy IP address to avoid being tracked online as easily.

[edit] Personal safety

In some professions, it is dangerous for a person's identity to become known, because this information might be exploited violently by their enemies; for example, their enemies might hunt them down or kidnap loved ones to force them to cooperate. For this reason, the United States Department of Defense (DoD) has strict policies controlling release of PII of DoD personnel.^[6] This is also the reason usually given in fiction for superheros and secret agents to disguise their faces and withhold their true identity.

[edit] See also

• Personal identity
• Pseudonymity

[edit] References

[edit] External links

• A History of Privacy Issues: Personally Identifiable Information. Discusses privacy issues of the P-Trak system.
• Network Advertising Initiative. An internet advertising industry group defining guidelines to protect privacy, definitions of PII.