Personal data

Personal data, also known as personal information or personally identifiable information (PII),[1][2][3] is any information related to an identifiable person.

The abbreviation PII is widely used in the United States, but the phrase it abbreviates has four common variants based on personal or personally, and identifiable or identifying. Not all are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used.[a] Under European Union and United Kingdom data protection regimes, which centre primarily on the General Data Protection Regulation (GDPR),[4] the term "personal data" is significantly broader, and determines the scope of the regulatory regime.[5]

National Institute of Standards and Technology Special Publication 800-122[6] defines personally identifiable information as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." For instance, a user's IP address is not classed as PII on its own, but is classified as linked PII.[7]

Personal data is defined under the GDPR as "any information which [is] related to an identified or identifiable natural person".[8][6] The IP address of an Internet subscriber may be classed as personal data.[9]

The concept of PII has become prevalent as information technology and the Internet have made it easier to collect PII, leading to a profitable market in collecting and reselling it. PII can also be exploited by criminals to stalk a person or steal their identity, or to aid in the planning of criminal acts. In response to these threats, many website privacy policies specifically address the gathering of PII,[10] and lawmakers such as the European Parliament have enacted a series of laws, such as the GDPR, to limit the distribution and accessibility of PII.[11]

Significant confusion arises around whether PII means information which is identifiable (that is, can be associated with a person) or identifying (that is, associated uniquely with a person, such that the PII identifies them). In prescriptive data privacy regimes such as the US federal Health Insurance Portability and Accountability Act (HIPAA), PII items have been specifically defined. In broader data protection regimes such as the GDPR, personal data is defined in a non-prescriptive, principles-based way. Information that might not count as PII under HIPAA can be personal data for the purposes of the GDPR. For this reason, "PII" is typically deprecated internationally.

  1. "Management of Data Breaches Involving Sensitive Personal Information (SPI)". VA.gov. Washington, DC: Department of Veterans Affairs. 6 January 2012. Archived from the original on 26 May 2015. Retrieved 25 May 2015.
  2. Stevens, Gina (10 April 2012). "Data Security Breach Notification Laws" (PDF). fas.org. Retrieved 8 June 2017.
  3. Greene, Sari Stern (2014). Security Program and Policies: Principles and Practices. Indianapolis, IN, US: Pearson IT Certification. p. 349. ISBN 978-0-7897-5167-6.
  4. Skiera, Bernd; Miller, Klaus; Jin, Yuxi; Kraft, Lennart; Laub, René; Schmitt, Julia (2022). The impact of the GDPR on the online advertising market. Frankfurt am Main. ISBN 978-3-9824173-0-1. OCLC 1303894344.
  5. Schwartz, Paul M; Solove, Daniel (2014). "Reconciling Personal Information in the United States and European Union". California Law Review. 102 (4). doi:10.15779/Z38Z814. S2CID 141313154.
  6. "NIST Special Publication 800-122" (PDF). nist.gov. This article incorporates public domain material from the National Institute of Standards and Technology.
  7. Section 3.3.3 "Identifiability"
  8. "Personal Data". General Data Protection Regulation (GDPR). Retrieved 23 October 2020.
  9. "European Court of Justice rules IP addresses are personal data". The Irish Times. 19 October 2016. Retrieved 10 March 2019.
  10. Nokhbeh, Razieh (2017). "A study of web privacy policies across industries". Journal of Information Privacy & Security. 13: 169–185.
  11. "Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)". European Data Consilium. 11 June 2015. Retrieved 3 April 2019.