What Is Personally Identifiable Information (PII)?

You’ll likely have heard about Personally Identifiable Information, sometimes just called “personal data”, in relation to your security. But just because it’s an important part of data security as a wider topic doesn’t mean everyone knows what it includes, or even what it is.

It’s actually not just of interest to cybercriminals. Countless services and governmental agencies want your personal details too. So what is considered to be Personally Identifiable Information?

What Is the Definition of Personally Identifiable Information?

Personally Identifiable Information (PII) is personal data that could be used, either by itself or combined with more private details, to identify a particular individual, i.e. you.

PII can roughly be split into two subcategories: direct identifiers and quasi-identifiers.

A direct identifier is exactly what it sounds like: data that can be used to pinpoint you alone. It’s specific to you. Quasi-identifiers, meanwhile, are details that can be combined with other quasi-identifiers to label you.

These terms feel obscure, but they can also respectively be called sensitive PII and non-sensitive PII. The first should ring alarm bells, but that doesn’t mean you should take a laid-back approach to non-sensitive data either.

Examples of Direct Identifiers

Direct identifiers are all about you. Nothing you share with another person is a direct identifier. Consider the data that is specific to you, not shared with anyone else. Direct identifiers, then, include:

  • Your full name.
  • Your medical history.
  • Your credit or debit card details.
  • Your social security number or national insurance number.
  • Your passport number.

That’s only a small sample, however. Biometric data, such as your fingerprint and retinal and facial scans, can also be considered direct identifiers under the PII umbrella.

Examples of Quasi-Identifiers

Quasi-identifiers aren’t specific to you, but can still be used to identify you, notably when combined with other examples of PII. These include:

  • Where you live.
  • Your race.
  • Your religion.
  • Your gender and sexuality.
  • Your date of birth.
  • Where you work.

You might share these details with family and friends, or in some cases complete strangers. That may not seem useful to companies, governments, or hackers, but don’t underestimate how important it can be.

Think of a Venn diagram. Each circle is a different quasi-identifier. And right in the middle, where they all intersect, they sum up an individual: you.

What Isn’t Considered to be Personally Identifiable Information?

Sometimes, there’s data called non-PII, but the lines between this and actual PII are increasingly blurred. It can even depend on jurisdiction: the EU’s GDPR, for instance, considers PII as personal data which can include online cookies—however, some American authorities and advertisers don’t consider cookies as PII.

Essentially, non-PII consists of details that aren’t personal, but taking quasi-identifiers into account, a lot of information can be combined to create a profile about you.

Non-PII, then, is aggregated, anonymized, or pseudonymized data: details such as demographic ranges that can’t be traced back to specific users. Alternatively, non-PII could also be masked data, for instance data hidden by using encryption tools such as a VPN.
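The Venn-diagram point above (quasi-identifiers that overlap on one person) and the "demographic ranges" point here are two sides of the same measurement, known as k-anonymity: the smallest number of records that share one combination of quasi-identifier values. The following is an added example, not code from the original article, run on a constructed six-person table (no real people) with the article's own quasi-identifiers (where you live, date of birth, gender). It shows that removing the name alone leaves every row uniquely re-identifiable (k = 1), and that coarsening the columns into ranges (zip prefix, birth decade, gender suppressed) brings k up to 2 so that an outside lookup no longer points at one person.

```python
from collections import Counter

# Constructed sample records (not real people). "name" is the direct identifier;
# zip, dob and gender are quasi-identifiers; "diagnosis" is the sensitive value
# a careless data release would leak.
RECORDS = [
    {"name": "Alice", "zip": "90210", "dob": "1985-03-14", "gender": "F", "diagnosis": "asthma"},
    {"name": "Bob",   "zip": "90210", "dob": "1985-07-02", "gender": "M", "diagnosis": "none"},
    {"name": "Carol", "zip": "90211", "dob": "1990-11-30", "gender": "F", "diagnosis": "diabetes"},
    {"name": "Dan",   "zip": "90211", "dob": "1990-01-15", "gender": "M", "diagnosis": "none"},
    {"name": "Eve",   "zip": "90212", "dob": "1979-05-05", "gender": "F", "diagnosis": "migraine"},
    {"name": "Frank", "zip": "90212", "dob": "1979-09-09", "gender": "F", "diagnosis": "none"},
]

QUASI = ("zip", "dob", "gender")


def strip_direct_identifiers(records):
    """Drop the name: the naive 'anonymization' that many data releases stop at."""
    return [{k: v for k, v in r.items() if k != "name"} for r in records]


def k_anonymity(records, quasi=QUASI):
    """Smallest group of records sharing one quasi-identifier combination.
    k == 1 means at least one person is uniquely identifiable from these columns."""
    counts = Counter(tuple(r[c] for c in quasi) for r in records)
    return min(counts.values())


def lookup(released, quasi_values, quasi=QUASI):
    """Link an outside record (the zip, birthday and gender someone posted on a
    public profile, say) to the released table. Returns every matching row."""
    return [r for r in released if tuple(r[c] for c in quasi) == quasi_values]


def generalize(records):
    """Coarsen quasi-identifiers into demographic ranges: 3-digit zip prefix,
    birth decade, gender suppressed. This is the non-PII form of the same data."""
    return [
        {
            "zip": r["zip"][:3] + "**",
            "dob": r["dob"][:3] + "0s",
            "gender": "*",
            "diagnosis": r["diagnosis"],
        }
        for r in records
    ]


if __name__ == "__main__":
    released = strip_direct_identifiers(RECORDS)
    print("k after dropping names only:", k_anonymity(released))          # 1
    print("rows matching one public profile:",
          lookup(released, ("90210", "1985-03-14", "F")))                 # exactly Alice's row
    coarse = generalize(released)
    print("k after generalizing:", k_anonymity(coarse))                   # 2
    print("rows matching the same profile now:",
          lookup(coarse, ("902**", "1980s", "*")))                        # two candidates
```

The table sizes here are tiny so the effect is easy to read; in practice the check is the same, with the target k chosen by the data owner and the generalization widened until every quasi-identifier group reaches it.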

Why Is Personally Identifiable Information Important?

So why is PII actually important? This is a multi-layered question because PII is important to everyone for different reasons.

For individuals, it’s about privacy and security. Whether it’s direct or indirect identifiers, both should really be treated as sensitive. Personal details are valuable, but it’s also about the principle of being able to keep information to yourself.

For companies, PII can mean money. They could sell this data on, use it to generate personalized ads, or simply use it to improve their services, which in turn increases profits.

It’s similar for governments, but it’s not just money that makes PII valuable to authorities. They can target specific demographics and infer voting intentions and more.

And for cybercriminals, PII leads to financial gain. Such information can be sold on (say, on the dark web), can lead to further malware infection including ransomware, can expose financial details and login credentials, or all of the above.

How Do Companies and Hackers Get Personally Identifiable Information?

We all surrender some degree of PII. You probably can’t count the number of accounts you’ve signed up for that need at least your name and/or email address. Many of these also require your date of birth and maybe your address too.

You might not realize you’re handing over PII. For instance, unless you use proxies or VPNs, your IP address and more could be stored by websites. If you’ve paid through online stores, you’ve likely given them, or perhaps a third-party operator like PayPal, your financial information.

This is, of course, one way hackers might get your PII too. Any company storing your information could be compromised, and cybercriminals could get hold of your details via a data breach; but whether they can actually read those details depends on how the data is stored. Plaintext is the most dangerous way of keeping personal data: that is, exactly as it is written. Responsible services should instead use encryption to secure passwords and other sensitive data.
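To make the plaintext-versus-protected distinction concrete, here is an added example (not code from the original article) of the same user record stored both ways, using only the Python standard library. One caveat a practitioner would add to the paragraph above: passwords specifically should not be stored reversibly encrypted at all, but as salted, slow hashes, so that even the service itself cannot recover them; encryption is for data the service must read back later. The iteration count and the sample credentials are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2-HMAC-SHA256 with a work factor in the range current guidance
# recommends. A production service would more likely use a dedicated library
# (argon2, bcrypt, scrypt), but the storage shape shown here is the same.
ITERATIONS = 600_000


def store_plaintext(username, password):
    """The careless design: the breached row is directly readable."""
    return {"user": username, "password": password}


def store_hashed(username, password, salt=None):
    """The responsible design: a random per-user salt plus a slow hash.
    Nothing in the stored row reveals the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"user": username, "salt": salt.hex(), "hash": digest.hex()}


def verify(record, password):
    """Login check against a hashed row, using a constant-time comparison."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), ITERATIONS
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def secret_visible_in_dump(record, secret):
    """Simulate reading a leaked table row: is the secret literally present?"""
    return any(secret == v for v in record.values())


if __name__ == "__main__":
    # Constructed sample credential, not a real account.
    user, pw = "alice@example.invalid", "correct horse battery staple"
    print("plaintext row:", store_plaintext(user, pw))
    row = store_hashed(user, pw)
    print("hashed row:   ", row)
    print("secret visible in plaintext dump:", secret_visible_in_dump(store_plaintext(user, pw), pw))
    print("secret visible in hashed dump:   ", secret_visible_in_dump(row, pw))
    print("login with right password:", verify(row, pw))
    print("login with wrong password:", verify(row, "hunter2"))
```

Two salts for the same password produce two different rows, which is what stops an attacker from checking one precomputed guess against every user at once; the slow iteration count is what makes checking guesses one user at a time expensive.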

Otherwise, you could hand over PII by falling for a scam or downloading malware.

Let’s not forget another major repository of private details: social media. If you go through lists of direct identifiers and quasi-identifiers, you can likely tick off a surprising number that you willingly volunteer on Facebook, Twitter, WhatsApp, LinkedIn, and more.

Sure, it’s unlikely you share your social security number or medical history publicly, but our profiles include a shocking amount of details—even what we “like” or the fun quizzes we take can be revealing. And it’s even worse if you don’t properly keep your Facebook profile etc. private.

How to Protect Your PII

Stopping your PII from falling into the wrong hands is largely about limiting which other parties actually have access to your personal data.

Before signing up for a service, adding personal details to accounts, or handing over data to apps, ask yourself whether it really needs this data for it to operate properly. If not, don’t submit PII.

This can’t always be helped (many services require a certain amount of PII for you to log in or to take full advantage of their benefits), but you can anonymize data to some extent. For instance, by using email aliases, you can both stay private and ward off spam.

It always helps to keep an eye on the latest scams too. If you know what phishing emails look like, for example, you’re less likely to fall for a fake message.

Keeping Your PII Private

Several laws around the world aim to limit the collection and use of your PII, including the aforementioned GDPR in the EU, the Personal Information Protection and Electronic Documents Act in Canada, and the Federal Trade Commission Act in America.

Ultimately, it’s down to you to keep your PII private and to pressure services into handling your personal data responsibly.


via MakeUseOf https://ift.tt/LDY5P8g

January 25, 2023 at 12:21PM
