Demystifying Privacy Law: Personally Identifiable Information (PII)

Nearly every organization collects personally identifiable information, or PII. Because of the sensitive nature of many different types of PII, its collection can pose an array of unique challenges, especially for younger or smaller organizations without a dedicated privacy department. The unwarranted release of such information can ravage people’s lives and forever destroy any modicum of trust an organization may enjoy with its customers and with the general public. One of the most fundamental privacy questions an organization may face is: what does "personally identifiable information" mean? Given the differing responsibilities that an organization has with respect to PII versus non-PII, the answer to this question is critical. This article is designed to help you flesh out the concept of personally identifiable information and begin to think about the ways your company should handle PII-related issues.

What Is Personally Identifiable Information?

Pinning down an exact definition for PII can be difficult. The U.S. Department of Commerce defines PII as:

“any information about an individual maintained by an agency, including:

1) Any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records, and;

2) Any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.”

Various other definitions include:

  • “[i]nformation about an individual that identifies, links, relates, or is unique to, or describes him or her” (Biometrics Identity Management Agency),
  • “any information that permits the identity of the individual to be directly or indirectly inferred” (Department of Homeland Security), and
  • “any information pertaining to any person which makes it possible to identify such individual (including the information capable of identifying a person when combined with other information even if the information itself does not clearly identify the person)” (National Security Telecommunications Advisory Committee).

PII is a legal term, not a technical one, and its meaning and connotations vary depending on the jurisdiction and context within which it is used.

For business purposes, PII’s definitional importance lies in its scope: nearly every bit of collectable information about individuals qualifies as “personally identifiable information.” A concise (and by no means comprehensive) list of PII includes:

  • Name
  • Personal identification numbers, such as Social Security numbers, passport numbers, driver’s license numbers, etc.
  • Address
  • Personal characteristics, such as pictures, fingerprints, handwriting, and other related biometric data
  • Digital identity
  • Date of birth
  • Birthplace
  • Telephone number
  • Log-in information, such as usernames, passwords and handles
  • Physical location
  • Age
  • Gender
  • Race
  • School and places of work
  • Criminal records
  • Grades, salary, and job position
  • Web cookies

Some of the listed PII (such as gender, race, and postal codes) may not seem intuitively related to the actual identification of individuals. However, it is important to understand that general definitions of PII encompass both linked and linkable information. Linked information, such as a name or Social Security number, is logically associated with a specific individual and requires no process of inference or supplementation with additional data. Linkable information, by contrast, only has the potential for logical association: it can be used to identify specific individuals if combined with additional information. Both types of information fall under the umbrella of PII, and both should be protected accordingly.

How Should Your Company Handle Personally Identifiable Information?

Once a piece of information is established as PII, your company should employ reasonable measures to protect itself and its customers from potentially catastrophic identity breaches. The following seven steps are derived from Commerce Department recommendations, and offer a roadmap towards securing PII collected by your organization.

1. Minimize the Amount of PII Used, Collected and Stored

The best way to avoid PII-related problems is to reduce its collection and storage. If you can minimize your organization’s acquisition of customer data and streamline the way in which that information is used, you can reduce your corresponding risk.

2. Only Request PII if Absolutely Necessary

Consider the reasons for which your enterprise collects PII from its customers. Are there any redundancies that can be eliminated? Can you achieve substantively similar results with less personally identifiable information? How much data is actually vital to your business model? If you believe you can go without, go without.

3. Conduct Periodic Reviews of Aging PII to Determine Its Relevance

Like any other type of information, PII is subject to constant variation. The digital outlines of individual lives shift and change frequently, and collected PII is often rendered obsolete within a relatively short time period. Establish mechanisms to review customer PII on a regular basis, and assign metrics to determine its continued relevance. If the PII you possess is no longer relevant, delete it.

4. Establish Policies for Elimination of Unnecessary PII

Any PII that is no longer useful to your organization should be eliminated as soon as possible. Create policies and procedures for eliminating unnecessary PII safely and securely.

5. Categorize Existing PII by Confidentiality Impact Level

As the Commerce Department observes, “all PII is not created equal.” Evaluate the PII your organization collects on the basis of sensitivity and assign protection mechanisms accordingly. Factors to take into account include:

  • Identifiability: How easily can specific individuals be identified from your company’s PII?
  • Quantity: How many individuals can be identified from your company’s PII?
  • Data field sensitivity: How sensitive is a certain batch of PII compared to other forms of information?
  • Context of use: Why is your organization collecting PII? How is it being used and stored?
  • Confidentiality obligations: Is your enterprise under any specific obligations related to certain caches of PII?
  • Access and location: Where does your company store its customers’ PII? How is it accessed?

6. Apply Appropriate Standards Based on Confidentiality Level

Different forms of PII will be treated differently depending on their nature and their use within the organization. Create comprehensive policies and procedures governing the use and dissemination of customer PII, and provide in-depth training to ensure your employees are well-equipped to protect customer privacy. Consider redacting some PII from customer records to avoid individual identification, and implement access control policies. Monitor any events affecting the confidentiality of stored PII, and protect information transmissions with encryption.

7. Draw Up Emergency Plans

In the event of a data breach, you need to have a response plan in place. Develop policies addressing customer notification, government reporting criteria, and possible remedial services your company can offer.

Summing Up Personally Identifiable Information

For small businesses, the sticky matter of personally identifiable information can often appear to pose a Catch-22: You need your customers’ information to function, yet every bit of identifiable data you receive and store increases your exposure to liability. However, customer PII can be safely and securely managed with sensible policies and prudent solutions. Information privacy protection best practices abound, and companies have a vast array of resources to choose from when designing PII guidelines.


DISCLAIMER: The information in this article is provided for informational purposes only and should not be construed or relied upon as legal advice. This article may constitute attorney advertising under applicable state laws.