{"id":2385,"date":"2019-06-27T13:33:16","date_gmt":"2019-06-27T12:33:16","guid":{"rendered":"https:\/\/staging.techgdpr.com\/?p=2385"},"modified":"2024-03-24T18:07:35","modified_gmt":"2024-03-24T17:07:35","slug":"difference-between-pii-and-personal-data","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/difference-between-pii-and-personal-data\/","title":{"rendered":"What is the difference between personally identifiable information (PII) and personal data?"},"content":{"rendered":"\n

When organisations seek to protect their user\u2019s data, it is necessary that they understand the data they need to safeguard. <\/span>Personal data<\/strong>, in the context of GDPR, covers a much wider range of information than personally identifiable information (PII)<\/strong>, commonly used in North America. In other words, while all PII is considered personal data, not all personal data is PII. <\/span><\/p>\n\n\n\n

This calls for some explanati<\/span>on.\u00a0<\/span><\/p>\n\n\n\n

What is PII?<\/h2>\n\n\n\n

Personally, identifiable information is defined by the US <\/span>Office of Privacy and Open Government<\/span><\/a> as : <\/span><\/p>\n\n\n\n

\n

\u201cInformation which can be used to distinguish or trace an individual\u2019s identity<\/strong>, such as their <\/span>name, social security number, biometric records, etc. <\/span>alone<\/b>, or when <\/strong><\/span>combined with other personal or identifying information<\/strong> which is linked or linkable to<\/strong> a specific individual<\/strong>, such as date and place of birth, mother\u2019s maiden name, etc.\u201d<\/span><\/p>\n<\/blockquote>\n\n\n\n

To <\/span>distinguish an individual is to identify an individual by discerning one person from another<\/strong> and to <\/span>trace <\/span>an individual is to process sufficient information to make a determination about a specific aspect<\/strong> of an individual\u2018s activities or status. Following this definition, <\/span>name, email address, postal address, phone number, personal ID numbers (e.g., social security, passport, driver\u2019s license, bank account) are considered <\/span>PII.<\/p>\n\n\n\n

Information is designed as <\/span>linked<\/b> if any piece of personal information can be used to identify an individual<\/strong>. (e.g.: birth name). Information is categorized as <\/span>linkable<\/b> information if, on its own, it may not be sufficient to enable to identify a person<\/strong>, but when combined with another piece of information<\/strong>, it could identify, trace, or locate a person <\/strong>(e.g.: birth date).<\/span><\/p>\n\n\n\n

Take for instance two datasets containing different PII. When both datasets are accessible to the same person, it becomes possible to identify individuals from combining the datasets or accessing additional information about the subject. This is where information security comes into play. If controls designed at keeping the data sources separate are insufficient, then data is considered linked. When an additional source of information remains external or at a distance -the case with siloed databases within organisations or via a search engine on the internet for publicly accessible information, then that data is thought to be linkable.<\/span><\/p>\n\n\n\n

What is sensitive PII? <\/span><\/h3>\n\n\n\n

PII is considered as <\/span>sensitive <\/span>if the loss, compromission, or disclosure<\/strong> without authorization of this data could result in <\/span>harm, embarrassment, inconvenience, or unfairness to an individual<\/b>. For instance, the following information is considered to be sensitive PII: <\/span><\/p>\n\n\n\n