Finding it hard to keep up with this fast-paced industry?
In the case of a data breach, organizations who have mishandled or improperly retained their customers' personal information can find themselves in a precarious position. If they have failed to identify the personal information they hold on their customers, they may lack visibility into the scale of the damage. If they haven't had data minimization strategies in place, a greater number of current and former customers can be affected.
When organizations have poor data management practices, their customers' data privacy is often an afterthought, rather than adopting a proactive framework where privacy is built into systems, technologies, policies, and processes. Such an approach is often referred to as Privacy by Design.
A key part of such an approach is to understand the sensitive data you have, so a level of knowledge about the types of data and the terminology used is a must. This post will help build that baseline knowledge, by outlining what the terms mean both in general and for specific legislation.
Before we do that, let's take a quick look at Privacy by Design.
Benefits of Privacy by Design
Implementing a Privacy by Design approach has many benefits, including allowing for early identification and remediation of potential privacy risks, far better than learning about these risks only once they have been exploited. By adopting this approach you can feel more confident in meeting your privacy compliance requirements.
Having a continuous data inventory with data classification and data minimization policies is an essential part of a proactive Privacy by Design approach. This is where monitoring Personally Identifiable Information (PII) across your systems can help you locate and classify data with PII and ensure it is not retained longer than required.
Now we understand the importance of Privacy by Design and data inventories, we need to understand the terminology.
Let's first take a look at some of the specific privacy terms used that are often used interchangeably: Personal Data, Personal Information, Personally Identifiable Information and Sensitive information.
There is a lot of overlap in the terms across jurisdictions and they all cover common ground, but let's start by looking at the high-level differences.
Personal Data (PD)
When referring to Personal Data, many privacy professionals will be referring to the processing of information as related to the EU’s General Data Protection Regulation (GDPR). Personal Data is broad in scope and means any information that is clearly about a particular person.
GDPR Article 4, gives the following definition for “personal data”:
'Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
GDPR sets out special categories of personal data that includes:
- Political views
- Religion, spiritual or philosophical beliefs
- Biometric data for ID purposes
- Health data
- Sex life data
- Sexual orientation
- Genetic data
Personal Information (PI)
Many different jurisdictions refer to Personal Information rather than Personal Data, such as the Australian Privacy Act and the California Consumer Privacy Act (CCPA). Although PI and PD are more alike than not, there are subtle differences between these definitions in different jurisdictions. For example, the GDPR specifies online identifiers such as IP addresses and cookie identifiers are personal data. The Australian Privacy Act does not specifically address IP addresses and cookie identifiers in personal information.
The Australian Privacy Act defines 'personal information' as:
Information or an opinion about an identified individual, or an individual who is reasonably identifiable:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not.’
The term ‘personal information’ in the Australian Privacy Act context encompasses a broad range of information and the Act does specify types of PI:
- Sensitive information - (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information.
- Health information - which is also ‘sensitive information’
- Credit information
- Employee record information (subject to exemptions), and
- Tax file number information
The more recent California Consumer Privacy Act maintains a broad definition of “personal information”, defining personal information as a broad category of all kinds of data:
“Information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
CCPA includes the following categories of personal information:
- Identifiers: Name, alias, postal address, unique personal identifier, online identifier, Internet Protocol (IP) address, email address, account name, social security number, driver’s license number, passport number, or other similar identifiers
- Customer records information: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit or debit card number, other financial information, medical information, health insurance information
- Characteristics of protected classifications under California or federal law: Race, religion, sexual orientation, gender identity, gender expression, age
- Commercial information: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
- Biometric information: Hair color, eye color, fingerprints, height, retina scans, facial recognition, voice, and other biometric data
- Internet or other electronic network activity information: Browsing history, search history, and information regarding a consumer’s interaction with an Internet website, application, or advertisement
- Geolocation data
- Audio, electronic, visual, thermal, olfactory, or similar information
- Professional or employment-related information
- Education information: Information that is not “publicly available personally identifiable information” as defined in the California Family Educational Rights and Privacy Act (20 U.S.C. section 1232g, 34 C.F.R. Part 99)
- Inferences: Inferences that could be used to create a profile reflecting a consumer’s Preferences, Characteristics, abilities to name a few.
For a full rundown of the privacy legislation landscape across the United States, check out this informative infographic from the International Association of Privacy Professionals (IAPP).
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) terminology is used by both government and corporations and generally speaking, it is information that can be used on its own or combined with other information to identify, contact, or locate a single person, or to identify an individual in context.
A term more commonly used in the United States, the US Office of Privacy and Open Government, defines PII as:
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
The National Institute of Standards and Technology (NIST) Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), lists the following examples of PII data.
- Name, such as full name, maiden name, mother‘s maiden name, or alias
- Personal identification number, such as social security number (SSN), passport number, driver license number, taxpayer identification number, patient identification number, and financial account or credit card number
- Address information, such as street address or email address
- Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people.
- Telephone numbers, including mobile, business, and personal numbers
- Personal characteristics, including photographic image (especially of face or other distinguishing characteristic), x-rays, fingerprints, or other biometric image or template data (e.g., retina scan, voice signature, facial geometry)
- Information identifying personally owned property, such as vehicle registration number or title number and related information
- Information about an individual that is linked or linkable to one of the above (e.g., date of birth, place of birth, race, religion, weight, activities, geographical indicators, employment information, medical information, education information, financial information).
While not limited to these, the following table contains some specific pieces of PII that can be scanned for in the RecordPoint Data Trust Platform.
Across all jurisdictions, it is key to note that PD, PI and PII can range from sensitive and confidential information to information that is widely publicly available.
Sensitive Personal Information and sensitive data
Sensitive information is a subset of Personal Information. Most jurisdictions' definitions of sensitive information align, but they each have slight differences in language.
The GDPR classifies certain types of information as sensitive data, which is subject to specifically defined processing conditions. Sensitive data includes information that could cause harm to an individual if used for identification and malicious purposes.
Some examples of sensitive data under GDPR:
- Racial or ethnic origin,
- Political opinions,
- Religious beliefs,
- Genetic data,
- Sexual orientation or activities.
The Australia Privacy Act
This regulation defines Sensitive Personal Information to mean information or an opinion about an individual’s:
- Racial or ethnic origin,
- Political opinions,
- Membership of a political association,
- Religious beliefs or affiliations,
- Philosophical beliefs,
- Membership of a professional or trade association,
- Membership of a trade union,
- Sexual preferences or practices; or
- Criminal record.
The California Privacy Rights Act (CPRA)
Often referred to as CCPA 2.0 and an amendment of the CCPA, this regulation defines Sensitive Personal Information to include:
- Government identifiers, such as Social Security Numbers and drivers license numbers,
- Account log-in information (e.g., financial account or credit card numbers in combination with any required access codes or passwords),
- Precise geolocation information,
- Racial or ethnic origin, religious or philosophical beliefs, or union membership,
- Content of postal mail, email, and text messages, unless the business is the intended recipient of the subject communications,
- Genetic data, and
- Biometric information that uniquely identifies a consumer or information concerning a consumer's health, sex life, or sexual orientation.
Understanding all these terms and how they may intersect or differ is a key part of a Privacy by Design approach. Organizations who embed privacy into their systems and processes will have a strategic competitive advantage, as well as generating trust among their customer base.
Data privacy needs good data management
The solution to data privacy starts with good data management. Learn how scalable, consistent, and accurate governance enables teams to solve data privacy challenges
Why data minimization matters
Retaining redundant, obsolete or trivial data (ROT) raises costs and business risk. Data minimization is the answer, and can enable your team to achieve more.