Data security becomes more important with each passing year. It's important to have a good understanding of the terms that both governments and the information security industry use. Understanding these terms will help you lead your organization to comply with today's regulations as well as whatever new regulations are coming down the pike. Today we'll define three major terms: personally identifiable information, non-personally identifiable information, and personal data.
Personally identifiable information, or PII, is information that organizations may hold on individuals that can be tied to the individuals' identities. The National Institute of Standards and Technology provides a legal definition for the USA:
"PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
PII comes in two varieties. Linked information is the more sensitive variety. Anything that can by itself be used as an identifier is considered linked information. Social security numbers, driver's license numbers, full names, and physical addresses are all examples of linked information.
Linkable information is the second category. Linkable information can't do much on its own, but it becomes powerful when linked with other pieces of information. ZIP code, race, age range, and job information are all examples of linkable information.
Non-personally identifiable information, or non-PII, is information that doesn't fall into the above categories. All sorts of information falls into this category. In the digital world, IP addresses, cookies, and device IDs are considered non-PII, since (unlike what you see on TV) these pieces of information can't be used to identify an individual.
Personal data sounds like a casual way to describe the above, but it's more than that. Personal data is a term used in Europe that is roughly equivalent to PII. European publications tend not to use the term PII unless discussing something explicitly American. Many of the same principles of PII apply to personal data, but there are some further ramifications that are important to know.
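The point that linkable information "becomes powerful when linked" can be measured rather than just asserted. The example below is added here and is not part of the original post; it runs a standard k-anonymity style check (an assumption of ours, not a method the post describes) over a small constructed dataset of ZIP code, age range and job, none of which is a linked identifier on its own. It reports, for each combination of fields, how many people share the rarest combination (k) and what fraction of records become unique, which is exactly the re-identification risk a data inventory should flag before such fields are treated as harmless.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records: each field alone is "linkable" PII only.
# No names, SSNs or other linked identifiers are present.
RECORDS = [
    {"zip": "02138", "age_range": "30-39", "job": "nurse"},
    {"zip": "02138", "age_range": "30-39", "job": "nurse"},
    {"zip": "02138", "age_range": "30-39", "job": "teacher"},
    {"zip": "02139", "age_range": "40-49", "job": "nurse"},
    {"zip": "02139", "age_range": "40-49", "job": "nurse"},
    {"zip": "02139", "age_range": "20-29", "job": "teacher"},
    {"zip": "02140", "age_range": "20-29", "job": "nurse"},
    {"zip": "02140", "age_range": "40-49", "job": "teacher"},
]


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Size of the smallest group: the rarest value combination is shared by k people.
    k == 1 means at least one person is singled out by these fields alone."""
    return min(group_sizes(records, fields).values())


def unique_fraction(records, fields):
    """Fraction of records whose combination of `fields` appears exactly once."""
    sizes = group_sizes(records, fields)
    singletons = sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)
    return singletons / len(records)


def reidentification_report(records, fields):
    """k and unique fraction for every non-empty combination of `fields`,
    so the reviewer can see where linking linkable attributes starts to identify people."""
    report = {}
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            report[combo] = {
                "k": k_anonymity(records, combo),
                "unique_fraction": unique_fraction(records, combo),
            }
    return report


def risky_combinations(records, fields, min_k=2):
    """Field combinations that fail a minimum-k policy (default: nobody may be unique)."""
    report = reidentification_report(records, fields)
    return [combo for combo, stats in report.items() if stats["k"] < min_k]


if __name__ == "__main__":
    fields = ("zip", "age_range", "job")
    for combo, stats in reidentification_report(RECORDS, fields).items():
        print(f"{'+'.join(combo):24s} k={stats['k']}  unique={stats['unique_fraction']:.3f}")
    print("fails k>=2:", risky_combinations(RECORDS, fields))
```

On this constructed data every single field keeps k of at least 2 (no one is unique by ZIP, age range or job alone), but ZIP plus age range already singles out three of the eight people, and all three fields together single out half of them. The same check applied to a real export, with real quasi-identifier columns, is a cheap way to decide whether a dataset the business considers "non-PII" still needs the handling the text reserves for PII.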
As the USA does with PII, the EU has a specific definition for personal data, set out in GDPR as follows:
"Article 4(1): 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
One of the most crucial differences between NIST's definition of PII and GDPR's definition of personal data is this: GDPR concludes that even cookies, IP addresses, and "other identifiers such as radio frequency identification tags" can be personal data, especially when combined with other unique identifiers.
In short, the EU's GDPR rules are more restrictive than their USA equivalents. This is the explanation for the rash of "cookie notices" that has spread around the web, and it could have implications for your business.
If you need more information about PII, non-PII, and personal data, don't hesitate to reach out. We're here to serve you and meet your IT needs.