What is PII and Not PII
Personal Identifiable Information (PII) refers to data that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. Understanding what constitutes PII is crucial for data protection and privacy.
Types of PII
- Direct PII: This is information that directly identifies an individual without needing any additional data. Examples include:
- Full name
- Social Security number
- Passport number
- Driver’s license number
- Email address
- Telephone number
- Indirect PII: These are details that may not identify an individual on their own but can do so when combined with other information. Examples include:
- Date of birth
- Place of birth
- Mother’s maiden name
- School names
- Employment history
- Physical characteristics
- Sensitive PII: This is information that, when disclosed, could result in harm to the individual. Examples include:
- Medical records
- Financial information
- Biometric data
- Racial or ethnic origin
- Political opinions
- Religious beliefs
What Isn’t PII
- Aggregated Data: Information that has been compiled into data summaries or averages, typically used for statistical analyses, where individual identities are not discernible.
- Anonymized Data: Data from which personal identifiers have been removed, making it impossible to link the data back to an individual.
- Public Information: Information that is publicly available, such as published directories or public records, may not be considered PII unless it is linked with other data to identify an individual.
Combining Information to Form PII
It’s important to note that non-PII can become PII when combined with other information. For example, a combination of a person’s birth date, zip code, and gender could potentially identify an individual, especially in a small community.
Challenges in Identifying PII
The challenge in identifying what is and isn’t PII often lies in the context and manner of use. What may not be PII in one context could become PII in another. For example, a company employee number is not typically PII, but if it’s used in conjunction with the company’s internal database, it can become PII.
The fluid nature of what constitutes PII underlines the importance of context and the potential for data to be linked in ways that could identify an individual. As such, it’s essential to handle all personal data with care, considering both direct and indirect ways it might be used to infer someone’s identity.
To ensure Personal Identifiable Information (PII) is protected when sending out information, it’s important to follow a systematic approach. Here’s a brief summary and a checklist to guide you:
Protecting PII involves a careful review of the information being sent to ensure it does not directly or indirectly disclose identifiable details. This includes checking for both obvious PII (like names and social security numbers) and less obvious PII (like combinations of birth dates and locations). The goal is to prevent unauthorized access or exposure of sensitive personal information.
Checklist for Sending Out Information
- Identify PII: Recognize what constitutes PII in the information you’re about to send. This includes direct, indirect, and sensitive PII.
- Remove or Redact PII:
- Direct PII: Check for and remove or redact social security numbers, full names, addresses, etc.
- Indirect PII: Ensure that combinations of information (like birthdates and locations) do not inadvertently reveal identities.
- Sensitive PII: Extra caution for medical, financial, and other sensitive details.
- Anonymize Data: If possible, anonymize data so that individual identities cannot be traced.
- Use Encryption: Encrypt the information if it must be sent electronically to ensure unauthorized parties cannot access it.
- Limit Access: Ensure that only authorized personnel have access to the PII.
- Review Legal Compliance: Make sure your process complies with relevant data protection laws and regulations.
- Double-Check Recipients: Verify that the recipients’ email addresses or contact details are correct to prevent accidental leaks.
- Confirm Necessity of Sharing: Evaluate whether all the information being sent is necessary for the intended purpose.
- Document Procedures: Keep a record of what information was shared, with whom, and for what purpose.
- Regular Training: Ensure that all team members are regularly trained and aware of the importance of PII protection.
By following this checklist, you can significantly reduce the risk of violating PII protocols when sending out information. It’s a proactive approach to data privacy and protection.