The Full Wiki

More info on Personally identifiable information

Personally identifiable information: Map

Advertisements
  
  

Wikipedia article:

Map showing all locations mentioned on Wikipedia article:



Personally Identifiable Information (PII), as used in information security, refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal, personally, identifiable, and identifying. Not all are equivalent. The effective definitions vary depending on the jurisdiction, and the purposes for which the term is being used. The US government used personally identifiable in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information. The OMB memorandum defines PII as follows:

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.


A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the purposes of the directive:

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;


Another term similar to PII, "personal information" is defined in a section of the California data breach notification law, SB1386:

(e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.


The concept of information combination given in the SB1386 definition is key to correctly distinguishing PII, as defined by OMB, from "personal information", as defined by SB1386. Information, such as a name, that lacks context cannot be said to be SB1386 "personal information", but it must be said to be PII as defined by OMB. For example, the name John Smith has no meaning in the current context and is therefore not SB1386 "personal information", but it is PII. A Social Security Number (SSN) without a name or some other associated identity or context information is not SB1386 "personal information", but it is PII. For example, the SSN 078-05-1120 by itself is PII, but it is not SB1386 "personal information". However the combination of a valid name with the correct SSN is SB1386 "personal information".

The combination of a name with a context may also be considered PII. For example if a person’s name is on a list of patients for a clinic known for treating people with a specific illness such as AIDS. However, it is not necessary for the name to be combined with a context in order for it to be PII. The reason for this distinction is that bits of information such as names, although they may not be sufficient by themselves to make an identification, may later be combined with other information to identify persons and expose them to harm.

Although the concept of PII is ancient, it has become much more important as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to plan a person's murder or robbery, among other crimes. As a response to these threats, many web site privacy policies specifically address the collection of PII, and lawmakers have enacted a series of legislation to limit the distribution and accessibility of PII. However, according to the OMB, it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.

Examples

The following are often used for the express purpose of distinguishing individual identity, and thus are clearly PII under the OMB definition:



The following are less often used to distinguish individual identity, because they are traits shared by many people.However, they are potentially PII, because there is the potential that they may be combined with other personal information to identify an individual.

  • First or last name, if common
  • Country, state, or city of residence
  • Age, especially if non-specific
  • Gender or race
  • Name of the school they attend or workplace
  • Grades, salary, or job position
  • Criminal record


When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old white man who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that 87% of the population in the United States is likely to be uniquely identified by only gender, date of birth and ZIP code.

Related laws

Below are examples of legal frameworks affecting data privacy in several jurisdictions.

Canada



United States of America

Recently lawmakers have paid a great deal of attention to protecting a person's PII. One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA), is to protect a patient's PII. The U.S. Senate has recently proposed the Privacy Act of 2005, which attempts to strictly limit the display, purchase, or sale of PII without the person's consent. Similarly, the Anti-phishing Act of 2005 attempts to prevent the acquiring of PII through phishing.

U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft. The Social Security Number Protection Act of 2005 and Identity Theft Prevention Act of 2005 each seek to limit the distribution of an individual's social security number.

On the other hand, many businesses see this increasing load of legislation as excessive, an unnecessary expense, and a barrier to progress. The increasing complexity of the laws might force companies to consult a lawyer just to engage in simple business practices such as server logging, user registration, and credit checks. Some have predicted such measures may inhibit the industry as a whole, lowering wages and creating a barrier to entry. For this reason, a number of privacy laws stress the "acceptable uses" of PII, such as Massachusetts' Public Records Law and Fair Information Practices Act.

State Laws

  • California
  • Massachusetts
    • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth


Proposed Federal Bills

  • Privacy Act of 2005
  • Information Protection and Security Act
  • Identity Theft Prevention Act of 2005
  • Online Privacy Protection Act of 2005
  • Consumer Privacy Protection Act of 2005
  • Anti-phishing Act of 2005
  • Social Security Number Protection Act of 2005
  • Wireless 411 Privacy Act


Federal Law
  • Title 18 of the United States Code, section 1028d(7)
  • US 'Safe Harbor' Rules (EU Harmonisation)


European Union (member states)

  • Article 8 of the European Convention on Human Rights
  • Directive 95/46/EC (Data Protection Directive)
  • Directive 2002/58/EC (the E-Privacy Directive)
  • Directive 2006/24/EC Article 5 (The Data Retention Directive)


Further examples can be found on the EU privacy website.

United Kingdom & Ireland

  • The UK Data Protection Act 1998
  • The Irish Data Protection Acts 1998 and 2003
  • Article 8 of the European Convention on Human Rights
  • The UK Regulation of Investigatory Powers Act 2000
  • Employers' Data Protection Code of Practice
  • Model Contracts for Data Exports
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003
  • The UK Interception of Communications (Lawful Business Practice) Regulations 2000
  • The UK Anti-Terrorism, Crime & Security Act 2001
  • The UK Privacy & Electronic Communications (EC Directive) Regulations 2003


Forensics

In forensics, the tracking down of the identity of a criminal, personally identifiable information is critical in zeroing in on the subject. Criminals will go to great trouble to avoid leaving any PII; they wear masks (faces and hair are PII), gloves (fingerprints are PII), clothing that covers personal marks (tattoos and scars are PII) and avoid writing anything in their own handwriting (handwriting can be PII). Also, more modern 'masks' may be used, such as using a proxy IP address to avoid being tracked online as easily.

Personal safety

In some professions, it is dangerous for a person's identity to become known, because this information might be exploited violently by their enemies; for example, their enemies might hunt them down or kidnap loved ones to force them to cooperate. For this reason, the United States Department of Defensemarker (DoD) has strict policies controlling release of PII of DoD personnel. This is also the reason usually given in fiction for superheros and secret agents to disguise their faces and withhold their true identity.

See also



References

  1. M-07-16 SUBJECT:Safeguarding Against and Responding to the Breach of Personally Identifiable Information FROM: Clay Johnson III, Deputy Director for Management (2007/05/22)
  2. Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  3. M-07-16 SUBJECT:Safeguarding Against and Responding to the Breach of Personally Identifiable Information FROM: Clay Johnson III, Deputy Director for Management (2007/05/22)


External links




Embed code:
Advertisements






Got something to say? Make a comment.
Your name
Your email address
Message