personally identifiable information [English]


InterPARES Definition

n. (also personally identifiable information, personal identifying information, personal identifiable information; PII, abbr.) ~ 1. Data that allows a specific individual to be recognized. – 2. Restricted, private data that can be linked to a specific individual.

General Notes

Examples of distinguishing data include information that (taken individually or as a small set) can be tied to a unique person, such as a Social Security Number, email address, mother's maiden name, and date of birth. Examples of data that are restricted because they are private include medical, educational, or financial information.

Other Definitions

  • Directive 95/46/EC 1995 (†684 2 (a)): 'Personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
  • Wikipedia (†387 s.v. personally identifiable information): Information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
  • Wikipedia (†387 s.v. "personally identifying information"): The abbreviation PII is widely accepted in the US context, but the phrase it abbreviates has four common variants based on personal / personally, and identifiable / identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.

Citations

  • Bogle 2013 (†363): American schools are migrating online, providing parents with real-time academic results. The cloud services that remotely host this information about educational achievement are also increasingly being used to store sensitive student details like names, religion, and health status [personal identifying information]. But according to a new study from the Center on Law and Information Policy at Fordham Law School, schools are failing to read the terms and conditions and providing troves of student data to third-party vendors without sufficient safeguards or adequate parental consent. ¶ Of the 54 school districts examined, almost 95 percent used cloud services, but many failed to inform parents of the full breadth of information being outsourced. Furthermore, very few of the schools’ contracts explicitly restricted the marketing of student information. ¶ One-third of data analytics contracts did not comply with the Family Educational Rights and Privacy Act’s requirement that data be deleted after it is no longer needed for the purposes for which it was provided. Few agreements specified a level of encryption, and even fewer required the vendor to tell the schools if there was a data breach. (†359)
  • CNSS-4009 (†730 p.54): Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (†1740)
  • EOP 2007 (†708 p. 1): "Personally identifiable information" refers to information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (†1623)
  • GAO 2008 (†687 p. 1): The Privacy Act of 1974 serves as the major mechanism for controlling the collection, use, and disclosure of personally identifiable information within the federal government. The act provides safeguards for information in a system of records (any grouping of records containing personal information retrieved by individual identifier) maintained by a federal agency. The act also allows citizens to learn how their personal information is collected, maintained, used, and disseminated by the federal government. (†1570)
  • GAO 2008 (†687 p. 1): For purposes of this report, the terms personal information and personally identifiable information are used interchangeably to refer to any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. (†1571)
  • GAO 2008 (†687 p. 2): The provisions of the Privacy Act are largely based on a set of principles for protecting the privacy and security of personal information, known as the Fair Information Practices, which were first proposed in 1973 by a U.S. government advisory committee. These principles, now widely accepted, include: · collection limitation, · data quality, · purpose specification, · use limitation, · security safeguards, · openness, · individual participation, and · accountability. (†1572)
  • NIST 2010 (†710 p. 2-1): Examples of PII range from an individual’s name or email address to an individual’s financial and medical records or criminal history. Unauthorized access, use, or disclosure of PII can seriously harm both individuals, by contributing to identity theft, blackmail, or embarrassment, and the organization, by reducing public trust in the organization or creating legal liability. (†1624)
  • NIST 2010 (†710 p. 2-1): PII is "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." [Citing GAO Report 08-536, "Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information" (May 2008).] ¶ To distinguish an individual is to identify an individual. Some examples of information that could identify an individual include, but are not limited to, name, passport number, social security number, or biometric data. In contrast, a list containing only credit scores without any additional information concerning the individuals to whom they relate does not provide sufficient information to distinguish a specific individual. ¶ To trace an individual is to process sufficient information to make a determination about a specific aspect of an individual's activities or status. For example, an audit log containing records of user actions could be used to trace an individual's activities. ¶ Linked information is information about or related to an individual that is logically associated with other information about the individual. In contrast, linkable information is information about or related to an individual for which there is a possibility of logical association with other information about the individual. For example, if two databases contain different PII elements, then someone with access to both databases may be able to link the information from the two databases and identify individuals, as well as access additional information about or relating to the individuals. (†1625)
  • NIST 2010 (†710 p. 2-2): The following list contains examples of information that may be considered PII. ¶ · Name, such as full name, maiden name, mother's maiden name, or alias ¶ · Personal identification number, such as social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number ¶ · Address information, such as street address or email address ¶ · Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well defined group of people ¶ · Telephone numbers, including mobile, business, and personal numbers ¶ · Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry) ¶ · Information identifying personally owned property, such as vehicle registration number or title number and related information ¶ · Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information). (†1626)
  • NIST 2013 (†734 p. B-16): Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.). [OMB Memorandum 07-16] (†1826)
  • OMB M-13-13 2013 (†685 p. 4): As defined in OMB Memorandum M-10-23 [Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010)], "personally identifiable information" (PII) refers to information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. The definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified. In performing this assessment, it is important for an agency to recognize that non-PII can become PII whenever additional information is made publicly available (in any medium and from any source) that, when combined with other available information, could be used to identify an individual. (†1566)