51-556: PII may refer to: Personal data , also known as personally identifiable information (PII) Pentium II , a computer processor Polaris Inc. , New York Stock Exchange stock symbol PII Public-interest immunity , previously known as Crown privilege, in English common law Publisher Item Identifier , in scientific journals Professional indemnity insurance Proto-Indo-Iranian language Indonesian Islamic Party Topics referred to by
102-499: A United States federal law, establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals that is maintained in systems of records by federal agencies. One of the primary focuses of the Health Insurance Portability and Accountability Act (HIPAA) is to protect a patient's Protected Health Information (PHI), which
153-444: A broader category of data and information than in some US law. In particular, online behavioral advertising businesses based in the US but surreptitiously collecting information from people in other countries in the form of cookies, bugs , trackers and the like may find that their preference to avoid the implications of wanting to build a psychographic profile of a particular person using
204-625: A customer of the EE mobile phone operator in the UK. Another category can be referred to as financial identity theft, which usually entails bank account and credit card information being stolen, and then being used or sold. Personal data can also be used to create fake online identities, including fake accounts and profiles (which can be referred as identity cloning or identity fraud ) for celebrities to gather data from other users more easily. Even individuals can be concerned, especially for personal purposes (this
255-414: A name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person A simple example of this distinction: the color name "red" by itself is not personal data, but that same value stored as part of a person's record as their "favorite color" is personal data; it
306-481: A name, social security number, date and place of birth, mother's maiden name, or biometric records. (2) Any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. PII gathering refers to the collection, organization, manipulation, analysis, exchange, or sharing of such data. Governments collect PII to provide social and legal benefits, improve services, and fulfill legal obligations. Depending on
357-623: A series of legislation such as the GDPR to limit the distribution and accessibility of PII. Important confusion arises around whether PII means information which is identifiable (that is, can be associated with a person) or identifying (that is, associated uniquely with a person, such that the PII identifies them). In prescriptive data privacy regimes such as the US federal Health Insurance Portability and Accountability Act (HIPAA), PII items have been specifically defined. In broader data protection regimes such as
408-571: A valid name with the correct SSN is SB1386 "personal information". The combination of a name with a context may also be considered PII; for example, if a person's name is on a list of patients for an HIV clinic. However, it is not necessary for the name to be combined with a context in order for it to be PII. The reason for this distinction is that bits of information such as names, although they may not be sufficient by themselves to make an identification, may later be combined with other information to identify persons and expose them to harm. The scope of
459-416: A variety of uses. Sources, usually Internet -based since the 1990s, may include census and electoral roll records, social networking sites , court reports and purchase histories. The information from data brokers may be used in background checks used by employers and housing. Gathering of personally identifiable information The gathering of personally identifiable information (PII) refers to
510-518: Is a form of "sensitive" personal data. The twelve Information Privacy Principles of the Privacy Act 1993 apply. New Zealand enacted the Privacy Act in 2020 to promote and protect individual privacy. The Federal Act on Data Protection of 19 June 1992 (in force since 1993) has set up a protection of privacy by prohibiting virtually any processing of personal data which is not expressly authorized by
561-783: Is a physical sciences laboratory, and a non-regulatory agency of the United States Department of Commerce. Its mission is to promote innovation and industrial competitiveness. The following data, often used for the express purpose of distinguishing individual identity, clearly classify as personally identifiable information under the definition used by the NIST (described in detail below): The following are less often used to distinguish individual identity, because they are traits shared by many people. However, they are potentially PII, because they may be combined with other personal information to identify an individual. In forensics , particularly
SECTION 10
#1732858303738612-402: Is an example of data misuse, where only a fraction of the users whose data was collected had consented. Hackers illegally collect PII for financial or political gain. Notable examples include North Korean hackers targeting Sony Pictures and the large-scale breach at Equifax that exposed sensitive data from millions of users. PII gathering is often associated with violation of privacy and
663-548: Is collected and used. The Behavioral Advertising Principe also calls for reasonable security to protect the collected personal data and limited length of data retention but for as long as is necessary to fulfill a legitimate business or law enforcement need. The principle is also self-regulatory and intended to encourage more discussion and further development by all interested parties. Public concern about PII gathering centers around privacy violations and potential discrimination. The unauthorized collection and use of data, as seen in
714-499: Is defined in EU directive 95/46/EC, for the purposes of the directive: Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity; In
765-578: Is different from Wikidata All article disambiguation pages All disambiguation pages Personal data Personal data , also known as personal information or personally identifiable information ( PII ), is any information related to an identifiable person. The abbreviation PII is widely used in the United States , but the phrase it abbreviates has four common variants based on personal or personally , and identifiable or identifying . Not all are equivalent, and for legal purposes
816-491: Is lawfully made available to the general public from federal, state, or local government records. The concept of information combination given in the SB1386 definition is key to correctly distinguishing PII, as defined by OMB, from "personal information", as defined by SB1386. Information, such as a name, that lacks context cannot be said to be SB1386 "personal information", but it must be said to be PII as defined by OMB. For example,
867-497: Is linked or linkable to an individual, such as medical, educational, financial, and employment information." For instance, a user's IP address is not classed as PII on its own, but is classified as a linked PII. Personal data is defined under the GDPR as "any information which [is] related to an identified or identifiable natural person". The IP address of an Internet subscriber may be classed as personal data. The concept of PII has become prevalent as information technology and
918-430: Is more widely known as sockpuppetry ). The most critical information, such as one's password, date of birth, ID documents or social security number, can be used to log in to different websites (e.g. password reuse and account verification ) to gather more information and access more content. Also, several agencies ask for discretion on subjects related to their work, for the safety of their employees. For this reason,
969-873: Is often opposed by privacy advocates. Democratic countries, such as the United States and those in the European Union have more developed privacy laws against PII gathering. Laws in the European Union offer more comprehensive and uniform protection of personal data. In the United States, federal data protection laws are approached by sectors. Authoritarian countries often lack PII gathering protection for citizens. For example, Chinese citizens enjoy legislative protection against private companies but have no protection from government violations. The GDPR will take effect on May 25, 2018, and offers comprehensive privacy protection consistent across all sectors and industries. The regulation applies to all businesses and government agencies in
1020-554: Is similar to PII. The U.S. Senate proposed the Privacy Act of 2005, which attempted to strictly limit the display, purchase, or sale of PII without the person's consent. Similarly, the (proposed) Anti-Phishing Act of 2005 attempted to prevent the acquiring of PII through phishing . U.S. lawmakers have paid special attention to the social security number because it can be easily used to commit identity theft . The (proposed) Social Security Number Protection Act of 2005 and (proposed) Identity Theft Prevention Act of 2005 each sought to limit
1071-532: Is the connection to the person that makes it personal data, not (as in PII) the value itself. Another term similar to PII, "personal information", is defined in a section of the California data breach notification law, SB1386: (e) For purposes of this section, "personal information" means an individual's first name or first initial and last name in combination with any one or more of the following data elements, when either
SECTION 20
#17328583037381122-501: The EU rules, there has been a more specific notion that the data subject can potentially be identified through additional processing of other attributes—quasi- or pseudo-identifiers. In the GDPR, personal data is defined as: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as
1173-526: The Internet have made it easier to collect PII leading to a profitable market in collecting and reselling PII. PII can also be exploited by criminals to stalk or steal the identity of a person, or to aid in the planning of criminal acts. As a response to these threats, many website privacy policies specifically address the gathering of PII , and lawmakers such as the European Parliament have enacted
1224-543: The NIST Guide to Protecting the Confidentiality of Personally Identifiable Information (SP 800-122). The OMB memorandum defines PII as follows: Information that can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or recognizing linked or linkable information, such as date and place of birth, as well as
1275-512: The Privacy Act 1988 deals with the protection of individual privacy, using the OECD Privacy Principles from the 1980s to set up a broad, principles-based regulatory model (unlike in the US, where coverage is generally not based on broad principles but on specific technologies, business practices or data items). Section 6 has the relevant definition. The critical detail is that the definition of 'personal information' also applies to where
1326-617: The United States Department of Defense (DoD) has strict policies controlling release of personally identifiable information of DoD personnel. Many intelligence agencies have similar policies, sometimes to the point where employees do not disclose to their friends that they work for the agency. Similar identity protection concerns exist for witness protection programs, women's shelters , and victims of domestic violence and other threats. Personal information removal services work by identifying and requesting data brokers to delete
1377-530: The United States Office of Personnel Management have compromised the personal and financial data of millions of Americans, leading to calls for improved information security and PII protection. Currently, there is no universally accepted definition of PII gathering. According to the U.S. National Institute of Standards and Technology (NIST), PII is defined as: (1) Any information that can be used to distinguish or trace an individual's identity, such as
1428-814: The "Skynet" system with 20 million cameras. Although regulations protect PII collected by private companies, there are no limitations on government collection of such data, nor have any plans been made to implement such limitations. European Union nations have stringent domestic and international PII regulations. For example, the General Data Protection Regulation (GDPR) provides comprehensive protections for personal data. With advancements in internet and mobile technologies, private companies collect PII through user registrations, location tracking, cookies, and other methods. Data brokers buy, sell, and analyze PII from various sources, often without user consent. The Facebook–Cambridge Analytica data scandal
1479-648: The EU privacy website. On 1 June 2023, the Hong Kong Office of the Privacy Commissioner for Personal Data published an investigation report on a data breach involving the unauthorised access of a credit reference database platform. The Report highlights the need for organizations to take adequate steps to protect personal data as the mere imposition of contractual obligations and policies is insufficient if such obligations and policies are not effective or are not enforced. The Report also clarifies that credit data
1530-566: The European Union countries. It also regulates all foreign companies and organizations offering services in Europe. Violation and non-compliance with the GDPR may result in penalties of up to 4 percent of the business' worldwide annual revenue. GDPR requires businesses and government agencies to get consent for data processing, make anonymous of collect data, provide quick notifications for data breaches, safe handling of data transfer across borders, and appointment of data protection officers. Section 5 of
1581-625: The Federal Trade Commission Act (FTC Act) is used to make companies safeguard collected PII data. A company in the United States is not required to have a privacy policy, but is obliged to comply if the company disclosed a privacy policy. The company also cannot retroactively change its data collection policy without offering an opportunity for users to opt-out. The FTC imposed a $ 100 million penalty on LifeLock for failure to protect customer's PII data, such as social security numbers, credit card numbers, and bank account numbers, and violated
PII - Misplaced Pages Continue
1632-575: The GDPR, personal data is defined in a non-prescriptive principles-based way. Information that might not count as PII under HIPAA can be personal data for the purposes of GDPR. For this reason, "PII" is typically deprecated internationally. The U.S . government used the term "personally identifiable" in 2007 in a memorandum from the Executive Office of the President, Office of Management and Budget (OMB), and that usage now appears in US standards such as
1683-508: The above, such as "a 34-year-old white male who works at Target". Information can still be private , in the sense that a person may not wish for it to become publicly known, without being personally identifiable. Moreover, sometimes multiple pieces of information, none sufficient by itself to uniquely identify an individual, may uniquely identify a person when combined; this is one reason that multiple pieces of evidence are usually presented at criminal trials. It has been shown that, in 1990, 87% of
1734-529: The collection of public and private personal data that can be used to identify individuals for various purposes, both legal and illegal. PII gathering is often seen as a privacy threat by data owners, while entities such as technology companies, governments, and organizations utilize this data to analyze consumer behavior, political preferences, and personal interests. With advances in information technology, access to and sharing of PII have become easier. Smartphones and social media have significantly contributed to
1785-633: The costs of doing so can be unclear. In relation to companies, consumers often have "imperfect information regarding when their data is collected, with what purposes, and with what consequences". Writing in 2015, Alessandro Acquisti, Curtis Taylor and Liad Wagman identified three "waves" in the trade of personal data: A data broker is an individual or company that specializes in collecting personal data (such as income, ethnicity, political beliefs, or geolocation data ) or data about people, mostly from public records but sometimes sourced privately, and selling or licensing such information to third parties for
1836-486: The data subjects. The protection is subject to the authority of the Federal Data Protection and Information Commissioner . Additionally, any person may ask in writing a company (managing data files) the correction or deletion of any personal data. The company must respond within thirty days. The Privacy Act of 1974 (Pub.L. 93–579, 88 Stat. 1896, enacted 31 December 1974, 5 U.S.C. § 552a ,
1887-523: The distribution of an individual's social security number. Additional U.S.-specific personally identifiable information includes, but is not limited to, I-94 records, Medicaid ID numbers, and Internal Revenue Service (I.R.S.) documentation. Exclusivity of personally identifiable information affiliated with the U.S. highlights national data security concerns and the influence of personally identifiable information in U.S. federal data management systems. The National Institute of Standards and Technology (NIST)
1938-788: The effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. Under European Union and United Kingdom data protection regimes, which centre primarily on the General Data Protection Regulation (GDPR), the term "personal data" is significantly broader, and determines the scope of the regulatory regime. National Institute of Standards and Technology Special Publication 800-122 defines personally identifiable information as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that
1989-456: The identification and prosecution of criminals, personally identifiable information is critical in establishing evidence in criminal procedure . Criminals may go to great trouble to avoid leaving any PII, such as by: Personal data is a key component of online identity and can be exploited by individuals. For instance, data can be altered and used to create fake documents, hijack mail boxes and phone calls or harass people, as occurred in 2019 to
2040-512: The individual can be indirectly identified: "personal information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not. It appears that this definition is significantly broader than the Californian example given above, and thus that Australian privacy law may cover
2091-462: The mother's maiden name, in official standards like the NIST Guide, demonstrates a proactive approach to ensuring robust privacy safeguards amid the dynamic landscape of data security. This integration into established standards is a foundational framework for organizations to adopt and implement effective measures in safeguarding individuals' personal information. A term similar to PII, "personal data",
PII - Misplaced Pages Continue
2142-455: The name " John Smith " has no meaning in the current context and is therefore not SB1386 "personal information", but it is PII. A Social Security Number (SSN) without a name or some other associated identity or context information is not SB1386 "personal information", but it is PII. For example, the SSN 078-05-1120 by itself is PII, but it is not SB1386 "personal information". However the combination of
2193-442: The name or the data elements are not encrypted: (1) Social security number. (2) Driver's license number or California Identification Card number. (3) Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual's financial account. (f) For purposes of this section, "personal information" does not include publicly available information that
2244-502: The personal information of their clients. This process can be manual or fully automated, but it is nevertheless complex because it involves dealing with numerous data brokers, each with different policies and procedures for data removal. During the second half of the 20th century, the digital revolution introduced "privacy economics", or the trade of personal data. The value of data can change over time and over different contexts. Disclosing data can reverse information asymmetry , though
2295-460: The population of the United States could be uniquely identified by gender, ZIP code , and full date of birth. In hacker and Internet slang , the practice of finding and releasing such information is called " doxing ". It is sometimes used to deter collaboration with law enforcement. On occasion, the doxing can trigger an arrest, particularly if law enforcement agencies suspect that the "doxed" individual may panic and disappear. In Australia,
2346-560: The rubric of 'we don't collect personal information' may find that this does not make sense under a broader definition like that in the Australian Privacy Act. The term "PII" is not used in Australian privacy law. European Union data protection law does not use the concept of personally identifiable information, and its scope is instead determined by non-synonymous, wider concept of "personal data". Further examples can be found on
2397-403: The same term [REDACTED] This disambiguation page lists articles associated with the title PII . If an internal link led you here, you may wish to change the link to point directly to the intended article. Retrieved from " https://en.wikipedia.org/w/index.php?title=PII&oldid=1130466817 " Category : Disambiguation pages Hidden categories: Short description
2448-501: The term "sensitive personal data" varies by jurisdiction. In the UK, personal health data is treated as "sensitive" and in need of additional data protection measures. According to the OMB, in the United States it is not always the case that PII is "sensitive", and context may be taken into account in deciding whether certain PII is or is not sensitive. When a person wishes to remain anonymous, descriptions of them will often employ several of
2499-477: The terms of a 2010 federal court order. The FTC also uses the Behavioral Advertising Principe to provide guidelines and suggestions for website operators on data collection practices, activity tracking, and opt-out mechanisms. A website operator is requested to obtain express consent before sensitive PII data, such as social security numbers, financial data, health information, and data of minors
2550-601: The type of government, whether democratic or authoritarian, methods for collecting PII may vary, but the goals are generally similar. In the U.S., PII is gathered through processes like tax filing, property registration, and driver's license applications. The government also collects PII for crime prevention and national security purposes, though such practices, especially by the National Security Agency (NSA), remain controversial. China uses big data to enhance governance, employing advanced surveillance networks like
2601-481: The widespread collection of personal data, making it a pervasive and controversial issue. Recent cases of illegal PII collection, such as the Cambridge Analytica scandal involving the data of over 87 million Facebook users, have heightened concerns about privacy violation and increased demands for stronger data protection laws. Major breaches at companies like Equifax , Target , Yahoo , Home Depot , and
SECTION 50
#1732858303738#737262