October 21, 2023
The Most Common Questions About Personal Data Protection
The specific issues regarding personal data protection are regulated by privacy laws around the world. These laws cover the definition of personal data, its use, and the assurance of security and confidentiality. While there are some differences between global data privacy regulations, there is generally a consensus on how Personally Identifiable Information (PII) is defined, as well as the duties and actions that companies and organizations must undertake to safeguard it securely and compliantly. This article will introduce you to key definitions and principles of the GDPR, clarify whether common information like an email or IP address constitutes personal data, and provide practical tips on how to protect data within your company.
Important! The information contained in this article reflects solely our observations as of the date of writing and should not be used as current legal interpretation.
What is PII?
PII stands for Personally Identifiable Information, which refers to information that can identify a person either alone or in combination with other data.
This data may include information such as a person's name, email address, or credit card number, but also less obvious details like an IP address or geographical location. Although the term is commonly used by government agencies and commercial entities, it is not a clearly defined legal term, and its meaning can be interpreted differently by various entities.
What is Personal Data?
This term is often used interchangeably with PII; however, "personal data" is a specific legal term used in regulations like the GDPR. It includes any information relating to an identified or identifiable natural person. This data is subject to strict regulations regarding the processing of personal data, which, among other things, requires obtaining consent from the data owner.
What is the distinction between PII and personal information?
These terms are often used interchangeably, but the key difference is that "personal data" is a legal term that serves as the foundation for processes like personal data processing.
Personal data, either alone or in combination with other personal information, may not identify a specific individual. Conversely, Personally Identifiable Information (PII) always allows for identification and can be used to locate or contact an individual.
Given that personal data is a more general term, it can also encompass various types of information. Some regulations use different terminology, which can also lead to regulatory differences. Occasionally, regulations may use both terms but in different contexts or descriptions. For this reason, the data controller bears full responsibility for their correct processing.
What is Sensitive Personal Data?
Sensitive personal data is information that can be used immediately to identify an individual, such as a name, passport number, or credit card number.
Sensitive personal information is data that can be used directly to identify a specific person. It usually consists of specific identifiers, such as a name, or is linked to only one specific person, like a passport number or a credit card number. Furthermore, sensitive personal information requires special care because there is a risk of personal harm if it is breached or misused. Examples of such harm include crimes or public humiliation.
According to many privacy regulations, sensitive personal data includes information like a name, home address, passport number, facial photo, credit card number, fingerprints, and medical records. For this reason, the decision to share sensitive data with someone should always be fully conscious and deliberate.
What is Related Data?
The term "related data" refers to individual pieces of information that must be combined with multiple other elements to identify a specific individual, such as only a first name, an age range, gender, or a partial date of birth.
Related data is also referred to as non-sensitive personal information and includes personal data that is not sufficient on its own to identify a person. However, it can do so when combined with other personal information. Related data may include only a first name, a mother's maiden name, a ZIP code or address, an age range, a partial address, gender, or an employer's name.
What is Non-Personal Data?
This is information that does not allow for the identification of a specific person. It is data about a person or resulting from their activities that does not allow for unambiguous identification. This type can include partial, aggregated, or anonymized information.
This data relates to a person or their activities but cannot be used to uniquely identify them. It can be quite general, anonymized, or de-identified. Examples of non-personal data include partially or completely masked IP addresses, aggregated statistics from a large group of people, encrypted information, and sometimes even cookies or device identifiers.
What are the definitions of PII?
Documents or data stored in information systems that hold personal information about individual users.
Documents or information about users in databases, such as medical records or financial information, that relate to users and can identify them. Often such records contain sensitive information, such as health data or specific contact or location information. Data privacy laws address such PII records.
Is the first name and surname treated as personally identifying information?
Yes, a name is typically considered personal data because it can be used to identify an individual in various situations, and it will certainly identify a person in combination with additional information, such as a phone number or credit card number. Names can also provide more personal information about an individual, so they should be carefully protected, for example, by employers.
Is age considered personal data in the context of PII?
Age alone is not considered PII until it is linked to a specific person. However, it is possible to use age as part of personal data that, in combination, can lead to the identification of an individual.
For age to be considered PII, it must be combined with other information. Nevertheless, age is a commonly encountered personal data point stored in various records, so there is a possibility that it can be used for identification. The EU's GDPR also explicitly addresses the issue of age.
Is a telephone number personal data?
Usually yes, telephone numbers are considered personal information (PII) because of the possibility of being linked to a specific person.
Phone numbers are widely considered personal data because they are a unique identifier that can be used to identify, and even locate, individuals. In some cases, they can be treated as sensitive due to the risk of misuse, leading to spam, privacy breaches, or identity theft. For this reason, their processing is regulated by a number of laws, including the European General Data Protection Regulation (GDPR).
Is biometric data personal data?
Usually yes, as it includes the unique biological or physical characteristics of a particular person.
Biometric data is explicitly considered personal data in many data privacy regulations. Personal information such as fingerprints, facial recognition, iris scans, voice samples, etc., are unique physical identifiers, as are other biometric identifiers. All of them can be used to identify a specific individual. They are also often used to ensure security in the workplace or to unlock a phone.
Is salary considered personal data?
It depends on whether the payroll information is linked to an identifiable person.
Salary can be considered personal data. For example, if there is a salary table for the entire company, this would not be personal information (personal data) because this data would not be linked to a specific person. However, in a personal registry, salary data can be linked to a person's name and other personal data, which also makes it personal information. This information should also be treated as confidential. However, in some cases, such as specific positions or industries, salary information, including for specific individuals, is publicly available, so it does not qualify as personal data.
Is a work email address considered personal data (PII)?
It depends on the context, use, and applicable law in a given country, as well as how the email address identifies the person.
A work email address may be considered to identify a professional identity, not a personal one. However, if the address contains a person's name and the company name, it can be considered personal data. Specific privacy regulations may explicitly state that work email addresses are treated as personal data - especially more rigorous regulations like the GDPR. However, they are not universally considered personal data.
Are work emails personal data?
They may be, but it depends on the content of those emails.
Email addresses used for work purposes, if attached to emails, may be considered personal data in some cases. It also depends on the content of the message itself. A short email that contains no other personal data or personal information will most likely not be considered private data. However, an email sent to or from the HR department may contain personal data. This issue always requires an individual assessment, taking into account the context and nature of the information being transmitted.
Is the account number considered personal data?
Yes, because an account number is usually linked to a specific person, and accounts may contain identifying information.
Yes, an account number is typically linked to a specific individual, which makes it personal data. Furthermore, accounts often contain additional identifying information, some of which may be confidential. Many data privacy regulations provide specific examples of types of account numbers, such as bank or credit cards, social security numbers, etc. However, they may also include membership or customer account numbers.
Is the IP address considered PII?
Sometimes yes, but it depends on the context and the laws of the country.
Although an IP address itself is not necessarily considered PII because it does not directly identify specific individuals, it is worth remembering that when it is combined with other data or used in specific situations, it can be used to identify or track individuals, and then it is treated as PII. Some privacy regulations, including the GDPR, also explicitly classify IP addresses as PII.
Can personal information always be considered confidential?
Yes, PII is considered confidential, especially when it contains sensitive personal information.
Yes, personal data is usually considered confidential. Therefore, additional measures must be taken to ensure the security and confidentiality of personal data. Many privacy regulations clearly define the requirements for protecting and securing PII due to its confidential nature and the risks associated with its disclosure.
Do all data privacy regulations cover personally identifiable information?
Yes, all modern data protection regulations contain definitions of personal data and related concepts, such as confidential personal information. They also contain information on how personally identifiable information can be used, how to protect it, and the knowledge individuals should have about the collection and use of such data. Most regulations also cover the rights of individuals to withdraw consent for the processing of their personal data.
What information is considered personal data under the provisions of the GDPR?
The GDPR uses the term "personal data," which is equivalent to the term PII. It also includes information on confidentiality and the anonymization process.
The EU's General Data Protection Regulation (GDPR) covers PII, but refers to it as "personal data." It also includes both sensitive personal data and more general personal data, which may include data that has been anonymized. Under the GDPR, some types of PII include information about individuals, such as a name, address, or phone number, but also technical information, such as device identifiers, browser cookie information, or an IP address.
What are privacy breaches of personal information?
Personal information (data) privacy breaches are the collection or use of data in a manner that is inconsistent with data privacy regulations or the failure to provide adequate security and confidentiality of the data.
Personal data breaches may include the collection of personal data in a manner not disclosed by the data controller or the use of this information in a manner that is not legally justified or of which the data owner was not informed. Unauthorized access or use of personal data may also occur, such as a data breach or theft, the use of data for purposes of which the data owner was not notified, the sharing of data with unauthorized individuals, the storage of data when it is no longer needed, or providing access to data to individuals who do not have a need for it. There are many regulations concerning personal information privacy breaches, including regulations regarding health, finance, or children.
To secure personal information, it is necessary to maintain the same level of care for security and confidentiality as for other sensitive or confidential data. Data privacy regulations define specific requirements and recommendations for the protection of personal data.
Some recommendations for protecting data and databases include:
Using encryption technology
Implementing system and data access controls
Using strong passwords and following password usage rules
Regularly updating systems, including installing patches
Regularly creating backups
Maintaining activity logs
Conducting audits
Data minimization (collecting and storing only necessary information)
Data segmentation (separating different types of data and their uses for access control)
Implementing data retention policies (storing only necessary information and securely deleting or returning it)
Providing comprehensive and regular training for employees.