Same or different? Why it is so confusing?
I’m just gonna dive straight into this topic.
With the surge of data protection laws and regulations, we’ve been introduced to a variety of different terms that sound familiar but they are actually not, and sound the same but they are actually quite different.
Personal data is one of those terms, especially if you add PII, non-personal data, quasi-identifiers, or sensitive personal data into the mix.
What am I talking about?
If you glance at the term personal data, all seems pretty straightforward. You know what is personal data.
Your name, your address, your social security number. How about your photo? Not quite sure, right.
What about sensitive data like your medical records, are they the same type of personal data as your home address? Not really.
How about publicly available personal data?
So as you can see there are fine variations to the definition.
Why is there such confusion about personal data?
It can be confusing since there are a lot of different sources defining the term.
Personal data is the term used mostly in Europe and is defined in the General Data Protection Regulation as any piece of information that relates to or can be related to an individual that can be directly or indirectly identified via that information.
The GDPR also differentiates sensitive data like biometric data (fingerprints, retina scan or face recognition) and prescribes special safeguards to protect that data.
You see GDPR likes to keep things clean and neat. On the other hand, Personally identifiable information (PII) is not defined by a single piece of legislation, so it can be broader or more focused, depending on who you ask.
So you will have to dive deeper into the legislation that regulates your industry or specific area you are focusing on.
PII vs Personal data
PII is a term mostly used in the U.S. Sometimes the terms correspond to the personal data defined by the GDPR, and sometimes they can be quite different.
The National Institute of Standards and Technology (NIST) defines PII as:
“Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”
However, Since the U.S. legal system is composed of different regulations and different federal and state laws, the definition of PII is fragmented and not as concise and structured as the personal data defined in the GDPR.
Data Privacy Manager explains:
“…since there is no single source of the definition of PII, the best way to determine what is and what isn’t PII is through individual assessment paying attention to the law, procedure, regulation, or standard governing your specific industry or field.”
What is not considered PII nor personal data
Again, GDPR is pretty clear about this. Non-personal data is data regarding anonymized data, data about deceased individuals, or information about legal entities such as companies or public authorities.
Non-PII would be a piece of information that doesn’t allow you to identify a person.
However, it becomes very vague what is not considered PII when compared to personal data that is very clear about the distinction.
Some definitions do not include cookie IDs or IP addresses, which is directly colliding with the GDPR’s definition.
Sensitive personal data
The GDPR distinctly specifies which data is considered sensitive and fall under the special category of data:
- Data related to racial or ethnic origin,
- Political opinions,
- Religious or philosophical beliefs,
- Trade union membership,
- Genetic data,
- Biometric data for the purpose of uniquely identifying a natural person,
- Health data
- Data concerning an individual’s sex life or sexual orientation
The processing of sensitive personal data is not allowed according to the GDPR. Of course, there are certain exemptions to the rule.
What about photos? If you take a look at the photo, you can see race, gender, a disability or medical condition an individual might have…
Well…. I would have to suggest GDPR did not think this through. Photographs are considered biometric data only when they are processed with a specific means so you can identify a person in the photo.
However, photos are still considered both PII and Personal data.
Quasi-identifiers
Now here’s a treat for you. Quasi-what?
Quasi-identifiers or linkable information are little pieces of information that, by itself, are not considered personal data.
However, when combined, they can be used to single out a specific individual.
Data Privacy Manager gives a great example of how quasi-identifiers can be used to identify individual:
Quasi-identifiers are a place of birth, race, gender, religious beliefs or data of birth. As you can see they are not specific to one individual, but obviously there is no limit to what you can do with the right data.
You should pay close attention to the linkable information when GDPR is in question since the links between the data and the individual will sometimes be difficult to establish and define, and it will still be considered personal data.
Continue researching the topic.
Why is the distinction important?
Knowing whether the data you process is considered PII or personal data or none will become crucial in your compliance journey and help you avoid any misconceptions and unnecessary costs.
It is recommended to conduct the assessment for each data set you process to make sure if it is considered personal data so you can comply with applicable laws.
Sources:
