In the wake of the recent Target Data Breach, ITRC call center advisors have noticed much confusion amongst the consumer population as to what constitutes Personally Identifying Information or PII, and what risks are associated with various pieces of information. Accordingly, the powers that be at the ITRC determined it was time to write a blog on the subject.
So what is PII exactly? The legal definition of personally identifying information varies from jurisdiction to jurisdiction, and from state to state. Generally speaking PII, refers to information which can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual. Anything that can uniquely identify us as individuals, separate from all others, can be considered PII. But not all PII is created equal. Some information is more sensitive than other information.
Our Social Security number, date of birth, driver’s license number, bank account and financial information, as well as passport number, are all examples of PII because they are unique identifiers. The ITRC considers this information to be PII. While some organizations and experts will disagree on the semantics the ITRC does not consider things like your name, address, telephone number, passwords and email addresses to be PII. I can hear your questions already dear readers. “Wait a minute, how can all these things that are so personal to me not beconsidered sensitive PII?”
Well let’s run through it shall we? We’ll start with your name. It’s hard for most people to fathom a more intimate piece of information about themselves than their name. It was given to you at birth, it’s usually a cornerstone of how we perceive our own identity and it is how family, friends and colleagues address and identify you. In terms of financial, criminal, and medical records however, there’s actually nothing at all unique about your name.
Most people share a name with someone, somewhere else. For example, if you were to try to do a Google search on the author of this article, I can guarantee you the results you’ll get will not identify me as an individual. That’s because my name is a very common name, shared by many thousands or tens of thousands of others. While the commonality of any particular name is subject to the individual, it’s easy to see how tracking financial or criminal history through nothing but a name is not exactly an effective means of doing so. A name must be used in conjunction with a unique identifier like an SSN in order to identify an individual as a separate and distinct individual different from all others. A name, address, phone number, or email address can change and be reassigned to another individual, therefore they do not help us uniquely identify any particular individual, so they are not considered PII. If a name and address were really a form of PII, the creators of your white pages would have a whole heap of legal liability to worry about.
“What is PII?“ was written by Matt Davis. Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.