Person Identifying Data Item (PII)

From GM-RKB

A Person Identifying Data Item (PII) is a personal data item that can help to identify, contact, or locate a single person.



References

2017

  • (Wikipedia, 2017) ⇒ https://en.wikipedia.org/wiki/Personally_identifiable_information Retrieved:2017-4-24.
    • Personally identifiable information (PII), or sensitive personal information (SPI), [1] as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The abbreviation PII is widely accepted in the U.S. context, but the phrase it abbreviates has four common variants based on personal / personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. (In other countries with privacy protection laws derived from the OECD privacy principles, the term used is more often "personal information", which may be somewhat broader: in Australia's Privacy Act 1988 (Cth) "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.)

       NIST Special Publication 800-122 [2] defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." So, for example, a user's IP address is not classed as PII on its own, but is classified as linked PII (see Section 3.3.3 Under “Identifiability” for more detail). Also see federal judge ruling in the District of New Jersey dismissed on the pleadings a VPPA claim against Viacom on the grounds that device identifiers, cookie IDs, and IP addresses when linked to video titles are not personally identifiable information. The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII through breaches of Internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. [3] As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers have enacted a series of legislations to limit the distribution and accessibility of PII. However, PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others. These attributes have been referred to as quasi-identifiers or pseudo-identifiers. [4]

  1. Data Security Breach Notification Laws - R42475
  2. NIST Special Publication 800-122
  3. Are you protecting your customer's personal data?
  4. Opinion 05/2014 on Anonymisation Techniques Article 29 Data Protection Working Party
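
The quasi-identifier point in the passage above, as an added example that is not part of the Wikipedia text or of GM-RKB: a k-anonymity style audit over constructed records whose direct identifiers have already been removed. The field names, sample values and function names are assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample: name, SSN and other direct identifiers are already gone.
RECORDS = [
    {"zip": "08540", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "08540", "birth_year": 1984, "sex": "F", "diagnosis": "flu"},
    {"zip": "08540", "birth_year": 1990, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "08540", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"zip": "08544", "birth_year": 1984, "sex": "M", "diagnosis": "flu"},
    {"zip": "08544", "birth_year": 1984, "sex": "M", "diagnosis": "asthma"},
    {"zip": "08544", "birth_year": 1990, "sex": "F", "diagnosis": "hepatitis"},
    {"zip": "08544", "birth_year": 1990, "sex": "M", "diagnosis": "anemia"},
]


def _key(record, quasi_identifiers):
    """Tuple of the record's values for the chosen quasi-identifier columns."""
    return tuple(record[q] for q in quasi_identifiers)


def equivalence_classes(records, quasi_identifiers):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers):
    """Size of the smallest equivalence class; k == 1 means someone is singled out."""
    return min(equivalence_classes(records, quasi_identifiers).values())


def unique_fraction(records, quasi_identifiers):
    """Share of records whose quasi-identifier combination occurs exactly once."""
    classes = equivalence_classes(records, quasi_identifiers)
    unique = sum(1 for r in records if classes[_key(r, quasi_identifiers)] == 1)
    return unique / len(records)


def audit(records, columns):
    """Report (k, unique fraction) for each column alone and for all combined."""
    subsets = [[c] for c in columns] + [list(columns)]
    return {
        tuple(s): (k_anonymity(records, s), unique_fraction(records, s))
        for s in subsets
    }


if __name__ == "__main__":
    for cols, (k, frac) in audit(RECORDS, ["zip", "birth_year", "sex"]).items():
        print(f"{'+'.join(cols):22} k={k}  unique={frac:.0%}")
```

Each column on its own is shared by four records, yet the three together leave half of the records unique, so their diagnosis can be linked to a person by anyone holding the same three attributes from another source.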