When organisations seek to protect their user’s data, it is necessary that they understand the data they need to safeguard. Personal data, in the context of GDPR, covers a much wider range of information than personally identifiable information (PII), commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII.
This calls for some explanation.
What is PII?
Personally, identifiable information is defined by the US Office of Privacy and Open Government as :
“Information which can be used to distinguish or trace an individual’s identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc.”
To distinguish an individual is to identify an individual by discerning one person from another and to trace an individual is to process sufficient information to make a determination about a specific aspect of an individual‘s activities or status. Following this definition, name, email address, postal address, phone number, personal ID numbers (e.g., social security, passport, driver’s license, bank account) are considered PII.
Information is designed as linked if any piece of personal information can be used to identify an individual. (e.g.: birth name). Information is categorized as linkable information if, on its own, it may not be sufficient to enable to identify a person, but when combined with another piece of information, it could identify, trace, or locate a person (e.g.: birth date).
Take for instance two datasets containing different PII. When both datasets are accessible to the same person, it becomes possible to identify individuals from combining the datasets or accessing additional information about the subject. This is where information security comes into play. If controls designed at keeping the data sources separate are insufficient, then data is considered linked. When an additional source of information remains external or at a distance -the case with siloed databases within organisations or via a search engine on the internet for publicly accessible information, then that data is thought to be linkable.
What is sensitive PII?
PII is considered as sensitive if the loss, compromission, or disclosure without authorization of this data could result in harm, embarrassment, inconvenience, or unfairness to an individual. For instance, the following information is considered to be sensitive PII:
- employment information
What is personal data under GDPR?
The GDPR in article 4, defines personal data as follows:
“Personal data” shall mean any information relating to an identified or identifiable natural person (‘Data Subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity ».
In this definition we see four main elements: “any information”, “relating to”, “an identified or identifiable” and “natural person”.
First element: “any information”
The term “any information” contained in the Directive clearly calls for a wide interpretation of the concept. Regarding the nature of the information, this means that both objective and subjective information of a person can be considered as personal data. Regarding the content, personal data covers any sort of information. The definition is also technology neutral, It does not matter how the personal data is stored (e.g.: alphabetical, numerical, graphical, photographic, acoustic). As an example, images of individuals captured by a video surveillance system can be personal data to the extent that the individuals are recognizable.
Second element: “relating to”
In general terms, information can be considered to“relate” to an individual when it is about that particular individual. In order to consider the data related to someone, one of the three flowing features should be present: content, purpose, or result. These three features should be considered as alternative conditions and not as cumulative ones. Accordingly, the same piece of information may relate to different individuals at the same time, depending on what element is present with regard to each one.
Third element: “identified or identifiable”
“Identified” when, within a group of persons, he or she is “distinguished” from all other members of the group. The natural person is “identifiable” when, although the person has not been identified yet, it is possible to do it.
What information can be an identifier? The GDPR provides a non-exhaustive list of common identifiers that, when used, may allow the identification of the individual to whom the information in question may relate (e.g., name, identification number, location data, online identifier).
The concept of “directly” or “indirectly” identifiable implies that the extent to which certain identifiers are sufficient to achieve identification is something dependent on context.
Some characteristics are so unique that someone can be identified with no effort. If I mention “our boss”, you’ll know exactly who I am speaking about.
Fourth element: “natural person”
The concept of a natural person refers to Article 6 of the Universal Declaration of Human Rights, according to which “Everyone has the right to recognition everywhere as a person before the law”. The right to the protection of personal data is, in that sense, a universal one that is not restricted to nationals or residents in a certain country. Thus, a natural person deals with the requirement that « personal data » is about « living individuals ». Under the GDPR, the personal data of deceased individuals are not covered but may still indirectly receive some protection in certain cases, in particular when that personal data involves data subjects who are still alive.
What is sensitive data under the GDPR?
The following personal data are considered as special categories of personal data and are subject to specific processing conditions according to the Art. 9 of the GDPR:
- personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
- trade-union membership;
- genetic data, biometric data processed solely to identify a human being;
- health-related data;
- data concerning a person’s sex life or sensitive data.
What about online identifiers?
Recital 30 of the Regulation clarifies the definition of “online identifier” mentioned
in Article 4:
“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
Device IDs, IP addresses and Cookies are considered as personal data under GDPR. According to the definition of the PII, they are not PII because there are anonymous and cannot be used on their own to identify, trace, or identify a person.
What about pseudonymised data?
A personal data is considered as anonymized if it does not relate to an identified or identifiable natural person or if it has been rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Pseudonymisation of data means replacing any identifying characteristics of data with a pseudonym, or, in other words, a value which does not allow the data subject to be directly identified. Are pseudonymised data still considered as personal data?
According to the Article 29 of the Working Party opinion, personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the GDPR. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.
PII includes any information that can be used to re-identify anonymous data. Information that is anonymous and cannot be used to trace the identity of an individual is non-PII. Device IDs, cookies and IP addresses are not considered PII for most of the United States. But some states, like California, do classify this data as PII. California classifies aliases and account names as personal information as well.
In a nutshell, PII refers to any information that can be used to distinguish one individual from another. The GDPR definition of personal data is – deliberately – a very broad one. In principle, it covers any information that relates to an identifiable, living individual.