What's the difference between PII and personal data?
The two data protection regulations that TrueVault technology helps companies comply with are the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR). Both HIPAA and GDPR introduce distinct but related concepts surrounding what information constitutes as “personal”. In this blog, we clarify and untangle these definitions.
Personally Identifiable Information (PII)
Personally identifiable information (PII) is any information about an individual that can distinguish or trace an individual’s identity, according to the U.S. Department of Commerce.
Some key examples of PII fields include name (first and last), birthdate, home address, social security number, bank account number, passport number, and mother’s maiden name. Health insurance ID number, health insurance claims, policy numbers, credit card numbers and more can also be considered PII. These fields have various degrees of identifiability, and are therefore secured in different ways. For example, your previous address isn’t particularly telling on its own and isn’t information that is particularly proprietary. Comparatively, your social security number is the gateway to your identity and is information that requires enhanced security.
When PII is linked with health information, it becomes protected health information (PHI). PHI is subject to certain enhanced legal protections under HIPAA because PHI packs a double load of sensitive information: PII, which can inevitably be used to identify an individual, and medical information, which is proprietary when connected to your identity. De-identifying the PII component of PHI will make the data inert because it can no longer be used to identify an individual. De-identified PII is no longer subject to expansive HIPAA protections.
PII is a term that is commonly used in the United States, and can be applied to HIPAA as well as other regulatory frameworks based on U.S. law.
The definition of personal data under GDPR has taken the concept of PII and expanded it considerably.
Article 4.1 of GDPR states: “‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
A LinkedIn article by Jim Seaman breaks down the definition of “personal data” to its component parts, but it is evident that the GDPR definition of personal data intentionally covers a broad scope of information. Social media posts, Google Maps data, and other pieces of your digital footprint may be included under this definition, not to mention even more sensitive information, such as past addresses, medical records, financial transactions etc.
What’s the difference?
I am not an attorney, but I do interpret the differences between “PII” and “personal data” to be rooted in the term “identifiable”, and interpretations of the word “personal”.
“PII” relates to any information or combinations of information can be directly traced to a specific individual. For instance, if a data breach occurred and a hacker acquired your credit card number, the hacker can conceivably trace this number directly to your first name, last name, address and bank account. But if a data breach occurred and a hacker accessed your searched location history from Google Maps, this information cannot be linked directly to your identity without considerable effort and is therefore not likely to be considered PII.
A hacker accessing your credit card information is an unequivocal breach of your personal data under GDPR and your PII under U.S. law. Comparatively, a hacker accessing your searched location history on Google Maps probably won’t trigger any major penalties under U.S. law, but could potentially warrant a breach under GDPR.
It follows that any information that encompasses “PII” can be considered “personal data”, but not all personal data is considered PII.
That’s personal! The U.S. considers expanding privacy regulations
The spirit of GDPR is concerned with consumer privacy, and places the responsibility to secure this data squarely on the shoulders of the institutions that collect it. In the U.S., the concern is primarily in protecting an individual from discrimination, impersonation, fraud, and theft by requiring enhanced security for medical or financial data.
But the narrative around personal data in the United States appears to be shifting toward broader consumer privacy and data protection. Recently, Apple CEO Tim Cook called on the federal government of the United States to implement stricter privacy regulations similar to GDPR. The State of California has passed its own legislation, which goes into effect in 2020, that will introduce its own definition of “personal data,” which will invariably expand the definition of PII. As more influential people like Tim Cook demand action, and more states take action, it is likely that the federal government will pass a law similar to GDPR to make compliance more straightforward for businesses.