Personally identifiable information
"Personally identifiable information" (PII), as used in US privacy law and information security, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. The abbreviation PII is widely accepted in the US context, but the phrase it abbreviates has four common variants based on personal /personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. (In other countries with privacy protection laws derived from the OECD privacy principles, the term used is more often "personal information", which may be somewhat broader: in Australia's Privacy Act 1988 (Cth) "personal information" also includes information from which the person's identity is "reasonably ascertainable", potentially covering some information not covered by PII.)
NIST Special Publication 800-122 defines PII as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." So, for example, a user's IP address as used in a communication exchange is classed as PII regardless of whether it may or may not on its own be able to uniquely identify a person.
Although the concept of PII is old, it has become much more important as information technology and the Internet have made it easier to collect PII through breaches of internet security, network security and web browser security, leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. As a response to these threats, many website privacy policies specifically address the gathering of PII, and lawmakers[who?] have enacted a series of legislations to limit the distribution and accessibility of PII.[which?]
However, PII is a legal concept, not a technical concept. Because of the versatility and power of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may be uniquely identifying on their own, any attribute can be identifying in combination with others.
The following data, often used for the express purpose of distinguishing individual identity, clearly class as PII under the definition used by the National Institute of Standards and Technology (described in detail below):
- Full name (if not common)
- Home address
- Email address (if private from an association/club membership, etc.)
- National identification number
- IP address (in some cases)
- Vehicle registration plate number
- Driver's license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Genetic information
- Telephone number
- Login name, screen name, nickname, or handle
The following are less often used to distinguish individual identity, because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual.
- First or last name, if common
- Country, state, or city of residence
- Age, especially if non-specific
- Gender or race
- Name of the school they attend or workplace
- Grades, salary, or job position
- Criminal record
When a person wishes to remain anonymous, descriptions of them will often employ several of the above, such as "a 34-year-old white male who works at Target". Note that information can still be private, in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of the population of the United States could be uniquely identified by gender, ZIP code, and full date of birth.
In hacker and Internet slang, the practice of finding and releasing such information is called "doxing." It is sometimes used to deter collaboration with law enforcement. On occasion, the doxing can trigger an arrest, particularly if law enforcement agencies suspect that the "doxed" individual may panic and disappear.
In privacy law
The U.S. government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as the NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows:
- Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.
A term similar to PII, "personal data" is defined in EU directive 95/46/EC, for the purposes of the directive:
- Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
Another term similar to PII, "personal information" is defined in a section of the California data breach notification law, SB1386:
- (e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (f) For purposes of this section, "personal information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
The concept of information combination given in the SB1386 definition is key to correctly distinguishing PII, as defined by OMB, from "personal information", as defined by SB1386. Information, such as a name, that lacks context cannot be said to be SB1386 "personal information", but it must be said to be PII as defined by OMB. For example, the name John Smith has no meaning in the current context and is therefore not SB1386 "personal information", but it is PII. A Social Security Number (SSN) without a name or some other associated identity or context information is not SB1386 "personal information", but it is PII. For example, the SSN 078-05-1120 by itself is PII, but it is not SB1386 "personal information". However the combination of a valid name with the correct SSN is SB1386 "personal information".
The combination of a name with a context may also be considered PII; for example, if a person's name is on a list of patients for an HIV clinic. However, it is not necessary for the name to be combined with a context in order for it to be PII. The reason for this distinction is that bits of information such as names, although they may not be sufficient by themselves to make an identification, may later be combined with other information to identify persons and expose them to harm.
In Australia, the Privacy Act 1988 deals with the protection of individual privacy, using the OECD Privacy Principles from the 1980s to set up a broad, principles-based regulatory model (unlike in the US, where coverage is generally not based on broad principles but on specific technologies, business practices or data items). Section 6 has the relevant definition. The critical detail is that the definition of 'personal information' also applies to where the individual can be indirectly identified:
- "personal information" means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. [emphasis added]
This raises the question of reasonableness: assume it is theoretically possible to identify a person from core information which say does NOT include a simple name and address, but does contain clues which could be pursued to ascertain who it relates to. Just how much extra effort or difficulty would such a step need before we could clearly say that the identity could NOT be "reasonably ascertained" from it?
- For instance, if the information involves an IP address, and the relevant ISP stores logs which could easily be inspected (if you had sufficient legal justification) to re-link the IP address to the account holder, can their identity be "reasonably ascertained"? If such linking used to be expensive, slow and difficult, but becomes easier, does this change the answer at some point?
It appears that this definition is significantly broader than the Californian example given above, and thus that Australian privacy law, while in some respects weakly enforced, may cover a broader category of data and information than in some US law. In particular, online behavioral advertising businesses based in the US but surreptitiously collecting information from people in other countries in the form of cookies, bugs, trackers and the like may find that their preference to avoid the implications of wanting to build a psychographic profile of a particular person using the rubric of 'we don't collect personal information' may find that this does not make sense under a broader definition like that in the Australian Privacy Act.
- Privacy Act (governs the Federal Government agencies)
United States of America
Recently lawmakers have paid a great deal of attention to protecting a person's PII. One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA), is to protect a patient's PII. The U.S. Senate proposed the Privacy Act of 2005, which attempted to strictly limit the display, purchase, or sale of PII without the person's consent. Similarly, the (proposed) Anti-Phishing Act of 2005 attempted to prevent the acquiring of PII through phishing.
U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft. The (proposed) Social Security Number Protection Act of 2005 and (proposed) Identity Theft Prevention Act of 2005 each sought to limit the distribution of an individual's social security number.
State laws and significant court rulings
- The California state constitution declares privacy an inalienable right in Article 1, Section 1.
- California Online Privacy Protection Act(OPPA) of 2003
- SB 1386 requires organizations to notify individuals when PII is known or believed to be acquired by an unauthorized person.
- In 2011, the California State Supreme Court ruled that a person's ZIP code is PII.
- Nevada Revised Statutes 603A-Security of Personal Information
- Title 18 of the United States Code, section 1028d(7)
- US "Safe Harbor" Rules (EU Harmonisation)
European Union (member states)
- Article 8 of the European Convention on Human Rights
- Directive 95/46/EC (Data Protection Directive)
- Directive 2002/58/EC (the E-Privacy Directive)
- Directive 2006/24/EC Article 5 (The Data Retention Directive)
Further examples can be found on the EU privacy website.
The United Kingdom
- The UK Data Protection Act 1998
- Article 8 of the European Convention on Human Rights
- The UK Regulation of Investigatory Powers Act 2000
- Employers' Data Protection Code of Practice
- Model Contracts for Data Exports
- The Privacy and Electronic Communications (EC Directive) Regulations 2003
- The UK Interception of Communications (Lawful Business Practice) Regulations 2000
- The UK Anti-Terrorism, Crime & Security Act 2001
- The UK Privacy & Electronic Communications (EC Directive) Regulations 2003
In forensics, particularly the identification and prosecution of criminals, personally identifiable information is critical in establishing evidence in criminal procedure. Criminals may go to great trouble to avoid leaving any PII, such as:
- wearing masks, sunglasses, or clothing to obscure or completely hide distringuishing features, such as eye, skin, and hair colour, facial features, and personal marks such as tattoos, birthmarks, moles and scars.
- wearing gloves to conceal fingerprints, which themselves are PII. However, gloves can also leave prints that are just as unique as human fingerprints. After collecting glove prints, law enforcement can then match them to gloves that they have collected as evidence. In many jurisdictions the act of wearing gloves itself while committing a crime can be prosecuted as an inchoate offense.
- avoiding writing anything in their own handwriting.
- internet presence may also be masked, with methods such as using a proxy server to appear to be connecting from an IP address unassociated with oneself.
In some professions, it is dangerous for a person's identity to become known, because this information might be exploited violently by their enemies; for example, their enemies might hunt them down or kidnap loved ones to force them to cooperate. For this reason, the United States Department of Defense (DoD) has strict policies controlling release of PII of DoD personnel. Many intelligence agencies have similar policies, sometimes to the point where employees do not disclose to their friends that they work for the agency.
- Personal identifier
- Personal identity
- de Montjoye, Yves-Alexandre; César A. Hidalgo, Michel Verleysen, Vincent D. Blondel (March 25, 2013). "Unique in the Crowd: The privacy bounds of human mobility". Nature srep. doi:10.1038/srep01376. Retrieved 12 April 2013.
- Narayanan, A.; Shmatikov, V. (2008). "Robust De-anonymization of Large Sparse Datasets". 2008 IEEE Symposium on Security and Privacy (sp 2008). p. 111. doi:10.1109/SP.2008.33. ISBN 978-0-7695-3168-7.
- Narayanan, A.; Shmatikov, V. (2009). "De-anonymizing Social Networks". 2009 30th IEEE Symposium on Security and Privacy. p. 173. doi:10.1109/SP.2009.22. ISBN 978-0-7695-3633-0.
- Narayanan, A.; Shmatikov, V. (2010). "Myths and fallacies of "personally identifiable information"". Communications of the ACM 53 (6): 24. doi:10.1145/1743546.1743558.
- "Broken Promises of Privacy: Responding to the Surprising Failure of Anonymization". SSRN 1450006.
- "Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)". NIST.
- "Comments of Latanya Sweeney, Ph.D. on "Standards of Privacy of Individually Identifiable Health Information"". Carnegie Mellon University.
- James Wray and Ulf Stabe (2011-12-19). "The FBI’s warning about doxing was too little too late". Thetechherald.com. Retrieved 2012-10-23.
- "Anonymous's Operation Hiroshima: Inside the Doxing Coup the Media Ignored (VIDEO)". Ibtimes.com. 2012-01-01. Retrieved 2012-10-23.
- "Did LulzSec Trick Police Into Arresting the Wrong Guy? - Technology". The Atlantic Wire. 2011-07-28. Retrieved 2012-10-23.
- Bright, Peter (2012-03-07). "Doxed: how Sabu was outed by former Anons long before his arrest". Ars Technica. Retrieved 2012-10-23.
- M-07-16 SUBJECT:Safeguarding Against and Responding to the Breach of Personally Identifiable Information FROM: Clay Johnson III, Deputy Director for Management (2007/05/22)
- "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data". Eur-lex.europa.eu. Retrieved 2013-08-20.
- "Text of California Senate Bill SB 1386 ref paragraph SEC. 2 1798.29.(e)". California.
- "Privacy Act 1988". Retrieved 14 October 2012.
- "California Supreme Court Holds that Zip Code is Personal Identification Information - Bullivant Houser Bailey Business Matters eAlert". LexisNexis.
- "201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth". Commonwealth of Massachusetts.
- Tyler v. Michaels Stores, Inc., 984N.E.2d 737, 739 (2013)
- "Protection of personal data - Justice". Ec.europa.eu. 2011-01-18. Retrieved 2012-10-23.
- Sawer, Patrick (2008-12-13). "Police use glove prints to catch criminals". Telegraph.co.uk. Retrieved 2013-08-20.
- James W.H. McCord and Sandra L. McCord, Criminal Law and Procedure for the paralegal: a systems approach, supra, p. 127.
- "MEMORANDUM FOR DOD FOIA OFFICES". United States Department of Defense.[dead link]
- Six things you need to know about the new EU privacy framework A legal analysis of the new European regulatory framework about data privacy
- Network Advertising Initiative An internet advertising industry group defining guidelines to protect privacy, definitions of PII.