Data security matters more with each passing year, and so does a clear understanding of the terms that governments and the information security industry use. Knowing them helps you steer your organization toward compliance with today's regulations and with whatever new regulations are coming down the pike. Today we'll define three major terms: personally identifiable information, non-personally identifiable information, and personal data.
Personally identifiable information, or PII, is information an organization holds about individuals that can be tied to those individuals' identities. There is no single US statutory definition, but NIST Special Publication 800-122 adopts the definition used by US federal agencies:
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
PII comes in two varieties. Linked information is the more sensitive one: anything that identifies a person on its own. Social Security numbers, driver's license numbers, full names, and physical addresses are all examples of linked information.
Linkable information is the second category. A single piece of linkable information identifies nobody by itself, but it becomes powerful when combined with other pieces. ZIP code, race, age range, and job information are all examples of linkable information. The classic demonstration is Latanya Sweeney's finding that 5-digit ZIP code, date of birth, and sex together uniquely identified roughly 87% of the US population, which is why a dataset that merely has the names stripped out is not automatically anonymous.
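The point in the two paragraphs above, that attributes which identify nobody on their own can single a person out once combined, is exactly what re-identification attacks exploit. The following is an added illustration written for this post, not code from the original article. It builds a small, entirely constructed "de-identified" dataset that keeps only linkable attributes (ZIP code, age range, job) plus a sensitive value, measures how many records share each combination of those attributes (what the privacy literature calls k-anonymity), and then runs a linkage attack by joining a constructed public directory that carries names next to the same attributes. All records, names, and values are hypothetical.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed, hypothetical "de-identified" release: names, SSNs and
# addresses were stripped, leaving only attributes the text classes as
# linkable, plus the sensitive value the release was supposed to protect.
RECORDS = [
    {"zip": "02138", "age_range": "30-39", "job": "nurse",    "diagnosis": "flu"},
    {"zip": "02138", "age_range": "30-39", "job": "engineer", "diagnosis": "asthma"},
    {"zip": "02138", "age_range": "40-49", "job": "nurse",    "diagnosis": "diabetes"},
    {"zip": "02138", "age_range": "40-49", "job": "engineer", "diagnosis": "flu"},
    {"zip": "02139", "age_range": "30-39", "job": "nurse",    "diagnosis": "hypertension"},
    {"zip": "02139", "age_range": "30-39", "job": "engineer", "diagnosis": "flu"},
    {"zip": "02139", "age_range": "40-49", "job": "nurse",    "diagnosis": "asthma"},
    {"zip": "02139", "age_range": "40-49", "job": "engineer", "diagnosis": "migraine"},
]
QUASI_IDENTIFIERS = ("zip", "age_range", "job")

# Constructed, hypothetical public listing (think voter roll or licensing
# register) that carries names alongside the same linkable attributes.
DIRECTORY = [
    {"name": "Alice Example", "zip": "02139", "age_range": "40-49", "job": "engineer"},
    {"name": "Bob Example",   "zip": "02138", "age_range": "30-39", "job": "nurse"},
    {"name": "Carol Example", "zip": "02140", "age_range": "30-39", "job": "nurse"},
]


def key(record, fields):
    """The tuple of values a record has for the chosen quasi-identifiers."""
    return tuple(record[f] for f in fields)


def group_sizes(records, fields):
    """How many records share each combination of values of `fields`."""
    return Counter(key(r, fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group of records indistinguishable on `fields`.
    k == 1 means that combination alone pins down at least one person."""
    return min(group_sizes(records, fields).values())


def identifying_combinations(records, fields):
    """Every subset of `fields` (smallest first) that singles out a record."""
    return [combo
            for n in range(1, len(fields) + 1)
            for combo in combinations(fields, n)
            if k_anonymity(records, combo) == 1]


def reidentify(records, directory, fields):
    """Linkage attack: join the public directory to the release on the
    quasi-identifiers. A name maps to the sensitive value only when exactly
    one released record matches; an ambiguous or empty join yields None."""
    by_key = defaultdict(list)
    for r in records:
        by_key[key(r, fields)].append(r)
    result = {}
    for person in directory:
        matches = by_key.get(key(person, fields), [])
        result[person["name"]] = matches[0]["diagnosis"] if len(matches) == 1 else None
    return result


if __name__ == "__main__":
    for n in range(1, len(QUASI_IDENTIFIERS) + 1):
        for combo in combinations(QUASI_IDENTIFIERS, n):
            print(f"{'+'.join(combo):<22} k = {k_anonymity(RECORDS, combo)}")
    print("identifying combinations:", identifying_combinations(RECORDS, QUASI_IDENTIFIERS))
    print("linked:", reidentify(RECORDS, DIRECTORY, QUASI_IDENTIFIERS))
```

On this data no single attribute narrows the release below four people and no pair below two, yet the triple of ZIP code, age range, and job makes every record unique, so the join against the directory hands back a named person's diagnosis. Any field that is unique per person in an external dataset you do not control (which is what an IP address, cookie, or device ID becomes once it appears next to an account) has the same effect.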
Non-personally identifiable information, or non-PII, is information that falls into neither of the categories above. Much industry practice, particularly in advertising, treats IP addresses, cookies, and device IDs as non-PII on the reasoning that they identify a device or a session rather than a named person. Treat that assumption with care: NIST SP 800-122 itself lists IP and MAC addresses among its PII examples when they consistently link to a particular person, and any of these identifiers becomes linkable information the moment it sits in the same dataset as an account record, a login, or a billing address.
Personal data sounds like a casual way to describe the above, but it's more than that. Personal data is the term used in Europe and is roughly equivalent to PII. European publications tend not to use the term PII unless discussing something explicitly American. Many of the same principles of PII apply to personal data, but there are some further ramifications that are important to know.
Just as NIST does for PII, the EU gives personal data a specific definition, in GDPR:
Article 4(1): ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
One of the most important differences between NIST's definition of PII and GDPR's definition of personal data is this: GDPR Recital 30 states that online identifiers such as IP addresses, cookie identifiers, and "other identifiers such as radio frequency identification tags" can leave traces which, especially when combined with unique identifiers, may be used to profile and identify a natural person. The very items that US practice commonly files under non-PII are therefore in scope in Europe.
In short, GDPR is more restrictive than its US counterparts. It is a large part of why cookie notices have spread across the web (the banners themselves date to the 2009 amendment of the EU ePrivacy Directive, but GDPR's stricter consent standard is what made them ubiquitous), and it could have implications for your business.
If you need more information about PII, non-PII, and personal data, don’t hesitate to reach out. We’re here to serve you and meet your IT needs.