October 22, 2023
The most common questions about personal data
Specific questions regarding the protection of personal data are governed by privacy laws around the world. They address the definition of personal data, its permitted use, and the security and confidentiality that must be ensured. While there are some differences between global data privacy laws, there is broad agreement on how personally identifiable information (PII) is defined and on the responsibilities and actions that companies and organisations must take to handle it in a secure and compliant manner.
Important! The information contained in this article is solely our observations as of the date of writing this article and should not be used as current legal interpretation.
What is PII?
PII (personally identifiable information) is information that can identify a person, either alone or in combination with other data.
Personal Identifiable Information (PII) is information that can identify a person, either alone or in combination with other data. It can include information such as name, email address or credit card number, or less directly identifying information such as IP address or geographic location. While the term is commonly used by government agencies and commercial entities, it is not a clearly defined legal term, and its meaning may be interpreted differently by different entities.
What is personal information?
Personal information usually means the same thing as PII, but it is a specific legal term used in some data privacy laws, such as the RODO. Like PII, it can also include categories of sensitive personal data that require more careful handling.
What is the distinction between PII and personal information?
These terms are often used interchangeably, but personal information is not always identifying, whereas PII can be used to identify, locate or contact a specific person.
Personal data and personal information both concern information about a person and can be confidential. However, personal information, alone or in combination with other personal information, may not identify a specific person. PII, on the other hand, always identifies a person and can be used to locate or contact them.
Given that personal information is the more general term, it can also cover different types of information. Some regulations use different terms, which can also lead to regulatory differences. Sometimes a regulation uses both terms, but in different contexts or descriptions.
What is sensitive personal data?
Sensitive personal information is data that can be directly used to identify an individual, such as a name, passport number or credit card number.
Sensitive personal information is data that can be directly used to identify a specific individual. It usually consists of specific identifiers, such as a first and last name, or of values associated with only one individual, such as a passport number or credit card number. Moreover, sensitive personal information requires special care, as there is a risk of personal harm if it is compromised or misused; examples of such harm include crime committed against the person or public humiliation. Under many privacy laws, sensitive personal information includes data such as name, home address, passport number, facial photograph, credit card number, fingerprints and medical records.
What is linkable data?
The term "linkable data" refers to individual pieces of information that must be combined with other elements to identify an individual, such as a name alone, an age range, gender or a partial date of birth.
Linkable data is also referred to as non-sensitive personal information and includes personal information that is not sufficient on its own to identify an individual, but can do so when combined with other personal information. Linkable data may include, for example, a first name, mother's maiden name, zip code or partial address, age range, gender or employer name.
What is non-personal data?
This is information that does not identify a specific person. It is data about a person or resulting from his or her activities that does not allow for clear identification. This type of data can include partial, aggregated or anonymous information.
Non-personal data is information that does not identify a person. It is data about a person or their activities that cannot be used to uniquely identify them. It can be quite general, anonymised or de-identified. Examples of non-personally identifiable information include partially or completely masked IP addresses, aggregated statistics from a large group of people, encrypted information, and sometimes cookies or device identifiers.
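The two passages above (linkable data that identifies only in combination, and non-personal data produced by masking and aggregation) are illustrated by the following added example, which is not part of the original article. It partially masks IP addresses and then measures k-anonymity over a set of quasi-identifiers (age range, gender, zip code) to find which records remain linkable to a single individual; the sample records, field names and the /24 and /48 masking widths are constructed assumptions.

```python
"""De-identification checks: partial IP masking and k-anonymity over quasi-identifiers."""
import ipaddress
from collections import Counter

# Constructed sample records (not real people): quasi-identifiers plus an IP address.
RECORDS = [
    {"age_range": "30-39", "gender": "F", "zip": "90210", "ip": "203.0.113.45"},
    {"age_range": "30-39", "gender": "F", "zip": "90210", "ip": "203.0.113.77"},
    {"age_range": "40-49", "gender": "M", "zip": "10001", "ip": "2001:db8::1"},
    {"age_range": "30-39", "gender": "F", "zip": "90211", "ip": "203.0.113.9"},
]

QUASI_IDENTIFIERS = ("age_range", "gender", "zip")


def mask_ip(ip: str) -> str:
    """Partially mask an IP address: keep the /24 prefix for IPv4 (zero the last octet)
    and the /48 prefix for IPv6 (zero the last 80 bits). Widths are an assumption."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    network = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(network.network_address)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Return (k, singletons). k is the smallest group size over all combinations of the
    quasi-identifiers; singletons are the combinations that match exactly one record,
    i.e. linkable data that still pins down an individual."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    k = min(groups.values())
    singletons = [combo for combo, n in groups.items() if n == 1]
    return k, singletons


def generalise_zip(records, keep=3):
    """Coarsen zip codes to their first `keep` digits so that nearby records merge."""
    return [{**r, "zip": r["zip"][:keep] + "*" * (len(r["zip"]) - keep)} for r in records]


def deidentify(records):
    """Mask IPs and coarsen zip codes, then report the resulting k and any leftovers."""
    out = [{**r, "ip": mask_ip(r["ip"])} for r in generalise_zip(records)]
    k, singletons = k_anonymity(out)
    return out, k, singletons


if __name__ == "__main__":
    print("before:", k_anonymity(RECORDS))
    print("after: ", deidentify(RECORDS)[1:])
```

Even after masking and generalisation one record here stays unique (k = 1), which is the point of the "linkable data" passage: non-sensitive fields can still identify someone once combined, so a release should be checked rather than assumed safe.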
What are PII records?
Documents or data stored in information systems that hold personal information about individual users.
PII records are documents or database entries about users, such as medical records or financial information, that relate to those users and can identify them. Such records often contain sensitive information, such as health data or specific contact or location details. Data privacy laws address such PII records.
Are a first name and surname treated as personally identifiable information?
Yes, a first and last name is usually considered personal data because it can identify a person in a variety of situations, and it will certainly identify a person when combined with additional information such as a phone number or credit card number. A name can also lead to further personal information about a person and should therefore be carefully protected, for example by employers.
Is age considered personal data in the context of PII?
Age itself is not considered PII as long as it is not linked to a specific person. However, it is possible to use age as part of personal data which, when combined, can lead to the identification of an individual.
For age to be considered PII, it must be combined with other information, as age alone is not sufficient for identification. Nonetheless, age is a common item of personal data held in many kinds of records, so it is likely to be usable for identification. The European Union's RODO also explicitly addresses age.
Is a telephone number personal data?
Usually yes: telephone numbers are considered personal information (PII) because they can be linked to a specific person.
Phone numbers are commonly considered PII because they can be used to identify a person: they are usually assigned to one person and provide a unique identifier linking that person to their device. They can also be used to track individuals. In some cases, a phone number may constitute sensitive personal data, because its misuse could lead to spam, privacy breaches or identity theft.
Is biometric data personal data?
Usually yes, as it consists of the unique biological or physical characteristics of a particular person.
Biometric data such as fingerprints, facial recognition data, iris scans and voice samples are unique physical identifiers, and so are other biometric identifiers. They can all be used to identify an individual; indeed, they are often used to secure workplaces or to unlock a phone. Biometric data is explicitly treated as personal data in many data privacy laws.
Is salary considered personal data?
It depends on whether the payroll information is linked to an identifiable person.
Payroll data can be considered personal information. For example, a payroll table for the whole company that is not linked to named individuals would not be personal data, as it is not tied to a specific person. However, in a personnel register, payroll data can be linked to a person's name and other personal information, which makes it personal information as well. This information should also be treated as confidential. In some cases, such as specific positions or industries, pay information, including that of specific individuals, is publicly available and so does not qualify as personal data.
Is a business email address considered personal information (PII)?
It depends on the context, use and laws of the country, as well as how the email address identifies the person.
A business email address can be considered to identify a professional identity rather than a personal one. However, if the address contains the individual's name together with the company name, it can be considered personal data. Specific privacy legislation may make it clear that business email addresses are considered personal data, especially more stringent legislation such as the RODO. Otherwise, they are not generally recognised as personal data.
Are business emails personal data?
They may be, but it depends on the content of those emails.
Email addresses used for business purposes, when attached to an email message, may be considered personal data in some cases. This also depends on the content of the email itself. A short email message that does not contain other personal data or personal information is unlikely to be considered personal data. However, an email sent to or from the HR department may well contain personal data.
Is the account number considered personal data?
Yes, as the account number is usually linked to a specific person and accounts may contain identifying information.
Yes, an account number is usually linked to a specific individual, which makes it personal data. In addition, accounts often contain further identifying information, some of which may be confidential. Many data privacy laws give specific examples of account numbers, such as bank account or credit card numbers and national insurance numbers, but member or customer account numbers may also be covered.
Is the IP address considered PII?
Sometimes yes, but it depends on the context and the laws of the country.
It depends. An IP address alone is not necessarily considered PII, as it does not by itself directly identify a specific individual. However, when it is combined with other data or used in specific situations, it can be used to identify or track individuals, and it is then considered PII. Some privacy laws also explicitly classify IP addresses as PII.
Can personal information always be considered confidential?
Yes. PII is considered confidential, especially when it contains sensitive personal information.
Yes, personal data is usually considered confidential. Therefore, additional measures must be taken to ensure the security and confidentiality of personal information. Many privacy laws clearly set out requirements for the protection and security of PII due to its confidential nature and the risks associated with its disclosure.
Do all data privacy regulations cover personally identifiable data?
Yes, all modern data privacy regulations contain definitions of personally identifiable data and related terms, such as sensitive personal information. They also set out how personally identifiable data may be used, how it should be protected and what individuals should be told about the collection and use of such data. Most also address the right of individuals to withdraw consent to the collection or use of their personal data.
What information is considered personal data under the provisions of the RODO?
The RODO uses the term 'personal data', which corresponds to PII. This covers matters of confidentiality as well as the anonymisation process.
The EU General Data Protection Regulation (GDPR) covers PII but refers to it as 'personal data'. This includes both sensitive personal data and more general personal data, which may include data that has been anonymised. Under the RODO, PII includes personal information such as name, address or phone number, but also technical information such as device identifiers, browser cookies or IP addresses.
What are privacy breaches of personal information?
Breaches of privacy of personal information (PII) are the collection or use of data in a manner that does not comply with data privacy laws or the failure to ensure adequate data security and confidentiality.
Data protection breaches may include, but are not limited to, the collection of personal data in a manner not communicated by the data controller or the use of that information in a manner that is not legitimate or communicated to the data owner. There may also be unauthorised access to or use of personal data, such as data breaches or theft, use of data for purposes not notified, sharing data with people not notified, storing data when it is no longer needed, or giving access to data to people who do not have a need to know. There are a number of laws relating to breaches of privacy of personal information, including health, financial or child protection laws.
In order to safeguard personal information, the same attention to security and confidentiality is required as for other sensitive or confidential data. Data privacy legislation sets out specific requirements and recommendations for the protection of personal information.
Some recommendations for protecting data and databases include:
- using encryption,
- using system and data access controls,
- using strong passwords and enforcing rules for their use,
- regularly updating systems, including installing patches,
- keeping activity logs,
- carrying out audits,
- minimising data (collecting and storing only the necessary information),
- segmenting data (separating different types of data and their uses for access control),
- applying data retention policies (keeping only the necessary information and safely disposing of or returning the rest),
- providing comprehensive and regular training for employees.