Understanding Personal Information, Personally Identifiable & Sensitive Personal Information
In this article, we take an expanded look at the scope of Personal Information. Most people have a narrow idea of what personal information is and use the term PII interchangeably with PI. Privacy laws define Personal Information very broadly, and understanding that broad scope is pivotal to complying with information privacy laws.
People generally struggle to determine which information is personal and which is non-personal, which sorts of personal information qualify for greater protection (Sensitive Personal Information), and where the boundary of personal information lies.
People often confuse Personal Information with similar common terms in the information privacy and security world, such as PII (Personally Identifiable Information) and Sensitive Personal Information. However, each of these terms has a specific meaning and a distinct definition in privacy regulations.
To comply with various privacy laws, understanding the expanded scope of personal information is critical. Let’s review the definitions and dive into the scope covered by each of these terms.
What is Personal Information?
Generally speaking, Personal Information is information relating to a person which, in combination or separately, can be used directly or indirectly to identify that natural person. This definition is consistent with several information privacy laws across the world, where Personal Information applies to several types of information that can be used to single out or identify a natural person.
Personal Information varies with context, depending on whether a person can be identified or is reasonably identifiable in the circumstances. In short, any sort of information, or opinion, that can help determine someone’s identity can be considered Personal Information.
Examples of personal information
Name and surname
Date of birth
Credit card numbers
Internet Protocol (IP) address
The advertising identifier of your device
Photograph where an individual is identifiable
What is sensitive personal information?
Though personal information and sensitive information are often used interchangeably, the GDPR (General Data Protection Regulation) and several other privacy laws draw a distinct line between these two terms. According to the GDPR, sensitive information is a set of special categories of information that need to be handled with extra security. These special categories are:
Ethnic or racial origin
Cultural or social identity
Philosophical or religious beliefs
Information related to sexual orientation
The GDPR generally prohibits the processing of sensitive information except for exemptions provided by employment law, social protection law, health security reasons or for the protection of the vital interests of the information subject.
What is personally identifiable information?
Personally Identifiable Information, or PII, is a term used more in the security context. There isn’t a clear and widely accepted definition of PII. NIST, for example, defines PII as follows: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
GDPR Article 4, on the other hand, defines “Personal Information” as “any information relating to an identified or identifiable natural person (Information subject)”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location Information, an online identifier or to one or more factors specific to the physical, psychological, genetic, mental, economic, cultural or social identity of that natural person.
While there is no definitive list of what is or is not personal information, the GDPR definition is broad and often used as a de facto definition of PI. Consequently, identifying Personal Information boils down to correctly interpreting the GDPR’s definition.
Key elements of the GDPR definition of Personal Information:
Article 4(1) of the GDPR defines personal information as information that must belong or relate to an individual (or natural person).
“Any information”. This can mean either objective or subjective information. Subjective information can be of any format, such as audio, video, numeric, graphic, or photographic. Subjective information includes very disparate information, such as employment evaluations or a psychiatric evaluation of a child’s drawing of their family, which may reveal information relating to the child (about mental health as evaluated by the psychiatrist) and their parents’ behavior. Objective information, on the other hand, could be as trivial as an individual’s height or weight.
The expression “any information” is not restricted to information that is sensitive or private but potentially encompasses all kinds of information, provided that it relates to the information subject. For example, a candidate’s exam script is “Personal Information”, as it constitutes information that is linked to him or her. It can be, among others, a name, a cookie (an online identifier), an email address, a person’s location, occupation, biometrics, gender, health information, and IoT identifiers.
“Relating to”. Information that could be used to learn something about an individual qualifies as “relating to” that individual. Also, if the processing of any information affects the individual, such information again qualifies as “relating to” an individual and, hence, as personal information.
Records containing information about a particular individual, such as medical history or criminal records, clearly “relate to” that individual. Records that describe an individual’s activities, such as a bank statement, may also qualify as “relating to” an individual.
“Identifying an individual directly or indirectly”: Directly identifying an individual is an obvious task. Identifying indirectly requires more detail. Indirect identification means identifying an individual not from the available information alone but from a combination of the available information and information accessed from another source, such as a third party.
A third party combining the information it holds with information it can reasonably access to identify an individual is another example of indirect identification. For example, when only a license plate number is known, a matching name is required to identify that individual.
“Identified or identifiable”: In the most basic form, an individual is considered “identified” when the individual is differentiated from others within the group. An individual is considered identifiable when, although the individual has not been identified yet, it is possible to identify the person.
Let’s examine the case of a mobile telecommunications provider who decides to sell information regarding the location and movement patterns of its customers. The information is typically sold in an aggregated form, and any location information about any individual is deleted so that the aggregated information cannot be traced back to individuals. If the buyer of the aggregated information manages to find a way to connect location information to an individual, maintaining the aggregated form becomes trickier, as the customer could be identifiable by means of the provider’s other information about its users/customers.
Now, let’s assume that, instead of selling information based on patterns, the provider sells real-time information on where all its customers are at any given time without enabling the buyer to know to whom certain location information relates. In such a case, even though the buyer is unable to ascertain to whom the location information relates, the identifiability, by means of the provider, becomes clearer. The location information, in this case, may now be considered Personal Information.
“Purpose for processing in deciding personal information”: The purpose for which an organization processes information makes the information personal or non-personal. For example, information that is non-personal for one organization may become personal for a different organization if its possession may have an impact on the individual.
For example, a photo of a street in the possession of a photographer (non-personal information at the moment) becomes personal if an investigator tries to identify the cars and other content on the street, affecting the individuals related to content on the street. Similarly, video surveillance with the sole purpose of identifying individuals constitutes the personal information of identifiable persons.
A guide to what is (or could be) personal information
It’s hard to explain whether certain information meets the criteria laid down in the GDPR’s definition of personal information. Therefore, we provide you with a list of things that could be considered personal information (alone or in combination with additional information):
Biographical information, including dates of birth, Social Security numbers, phone numbers, and email addresses;
Looks, appearance, and behavior, including eye color, weight, and character traits;
Workplace and academic information, including salary, tax information, student ID or roll numbers;
Private and subjective information, including geo-tracking information, religion, etc.;
Health, sickness, and genetics, including medical history, genetic information, etc.
Personal Information has even been found in a business context and within Industry 4.0. For example, in the name of safety or security, health-related real-time information of workers in the manufacturing industry is monitored via wearables. This information consists solely of sensitive information but is often fitted into the contractual stipulations regarding the worker-employer relationship.
Even for developers of consumer applications, such as smart homes or consumer electronics that are designed solely for personal usage and are able to gather all sorts of identifiers (and will, ultimately, process personal information), understanding what personal information is, is paramount.
Personal Information does not include anonymous information. However, information which has had identifiers removed or replaced in order to pseudonymize it is still personal information for the purposes of GDPR. Additionally, GDPR does not cover information about someone who is deceased, information that is properly anonymized, or information about public authorities and companies.
Names may not always be personal information
Name is often the most common way to get the attention of a person. Whether it “identifies” someone depends on the context. For example, names may not always amount to Personal Information. Because there may be many individuals with the same name and information, it may require combining the name of an individual with other information (such as an address, a place of work, or a telephone number) to clearly identify the individual. The addition of another information point to the name (such as proximity) can provide enough information to identify one specific individual. These information points are identifiers, such as a name, an identification number, location information, or an online identifier.
Role of context in qualifying Personal Information
Knowing whether certain information qualifies as personal information takes an awful lot of information. Organizations collect varied types of information on people. If one type of information doesn’t individually identify someone, an organization can still make use of other types of information to zero in on an individual. In certain contexts, you might be able to ask visitors downloading products from a website to state their occupation, without GDPR obstruction.
Since GDPR doesn’t find a job title unique to a person, such information doesn’t fall under its scope of Personal Information. Similarly, information subjects could be asked what company they work for. In this context, again, the person couldn’t be identified directly unless they were the only employee.
Establishing someone’s identity becomes possible when two or more pieces of information are used together to narrow down the number of natural, living persons. It’s unlikely, but let’s suppose there may only be one person with a specific job title at a specific organization who fits the description. In such cases (such as a BDM at IBM), the two pieces of information won’t necessarily comprise Personal Information, as they are not sufficient to adequately establish someone’s identity. In order to recognize the individual, you would need to have one or more identifiers in place, such as a name or email address. Information may be personal for one purpose but may not be personal in a different context.