Personal data


Personal data, also known as personal information or personally identifiable information, is any information related to an identifiable person.
The abbreviation PII is widely used in the United States, but the phrase it abbreviates has four common variants based on personal or personally, and identifiable or identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. Under European Union and United Kingdom data protection regimes, which centre primarily on the General Data Protection Regulation, the term "personal data" is significantly broader, and determines the scope of the regulatory regime.
National Institute of Standards and Technology Special Publication 800-122 defines personally identifiable information as "any information about an individual maintained by an agency, including any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." For instance, a user's IP address is not classed as PII on its own, but is classified as a linked PII.
Personal data is defined under the GDPR as "any information which related to an identified or identifiable natural person". The IP address of an Internet subscriber may be classed as personal data.
The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers such as the European Parliament have enacted a series of legislative acts such as the GDPR to limit the distribution and accessibility of PII.
Serious confusion arises around whether PII means information which is identifiable or identifying. In prescriptive data privacy regimes such as the US federal Health Insurance Portability and Accountability Act, PII items have been specifically defined. In broader data protection regimes such as the GDPR, personal data is defined in a non-prescriptive principles-based way. Information that might not count as PII under HIPAA can be personal data for the purposes of GDPR. For this reason, "PII" is typically deprecated internationally.

Definitions

The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget, and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information. The OMB memorandum defines PII as follows:
A term similar to PII, "personal data", is defined in EU directive 95/46/EC, for the purposes of the directive:
In the EU rules, there has been a more specific notion that the data subject can potentially be identified through additional processing of other attributes—quasi- or pseudo-identifiers. In the GDPR, personal data is defined as:
A simple example of this distinction: the color name "red" by itself is not personal data, but that same value stored as part of a person's record as their "favorite color" is personal data; it is the connection to the person that makes it personal data, not the value itself.
Another term similar to PII, "personal information", is defined in a section of the California data breach notification law, SB1386:
The concept of information combination given in the SB1386 definition is key to correctly distinguishing PII, as defined by OMB, from "personal information", as defined by SB1386. Information, such as a name, that lacks context cannot be said to be SB1386 "personal information", but it must be said to be PII as defined by OMB. For example, the name "John Smith" has no meaning in the current context and is therefore not SB1386 "personal information", but it is PII. A Social Security Number without a name or some other associated identity or context information is not SB1386 "personal information", but it is PII. For example, the SSN 078-05-1120 by itself is PII, but it is not SB1386 "personal information". However the combination of a valid name with the correct SSN is SB1386 "personal information".
The combination of a name with a context may also be considered PII; for example, if a person's name is on a list of patients for an HIV clinic. However, it is not necessary for the name to be combined with a context in order for it to be PII. The reason for this distinction is that bits of information such as names, although they may not be sufficient by themselves to make an identification, may later be combined with other information to identify persons and expose them to harm.
The scope of the term "sensitive personal data" varies by jurisdiction. In the UK, personal health data is treated as "sensitive" and in need of additional data protection measures. According to the OMB, in the United States it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive.
When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old white male who works at Target". Information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.
In hacker and Internet slang, the practice of finding and releasing such information is called "doxing". It is sometimes used to deter collaboration with law enforcement. On occasion, the doxing can trigger an arrest, particularly if law enforcement agencies suspect that the "doxed" individual may panic and disappear.

Laws and standards

Australia

In Australia, the Privacy Act 1988 deals with the protection of individual privacy, using the OECD Privacy Principles from the 1980s to set up a broad, principles-based regulatory model. Section 6 has the relevant definition. The critical detail is that the definition of 'personal information' also applies to where the individual can be indirectly identified:
It appears that this definition is significantly broader than the Californian example given above, and thus that Australian privacy law may cover a broader category of data and information than in some US law.
In particular, online behavioral advertising businesses based in the US but surreptitiously collecting information from people in other countries in the form of cookies, bugs, trackers and the like may find that their preference to avoid the implications of wanting to build a psychographic profile of a particular person using the rubric of 'we don't collect personal information' may find that this does not make sense under a broader definition like that in the Australian Privacy Act.
The term "PII" is not used in Australian privacy law.

Canada

European Union data protection law does not use the concept of personally identifiable information, and its scope is instead determined by the non-synonymous, wider concept of "personal data".
Further examples can be found on the EU privacy website.

Hong Kong

On 1 June 2023, the Hong Kong Office of the Privacy Commissioner for Personal Data published an investigation report on a data breach involving the unauthorised access of a credit reference database platform. The Report highlights the need for organizations to take adequate steps to protect personal data as the mere imposition of contractual obligations and policies is insufficient if such obligations and policies are not effective or are not enforced. The Report also clarifies that credit data is a form of "sensitive" personal data.

United Kingdom