pii

Approaching "Big P.I.I."

Is your pet’s name P.I.I. (personally identifiable information)? In the era where data is bought, sold, and reaggregated the answer has to be “Yes!” If you find yourself asking whether something is P.I.I. then you should probably treat it as such.

A few years ago, it would have been silly to take a stand saying that your pet’s names are your P.I.I. Perhaps what we all didn’t quite anticipate was how the data we share over here, the data we share over there would likely be reunited in a single file by one of the many firms that aggregates and resells data. There are many bits of information about you that seem innocuous, certainly not so obviously compromising as an SSN or credit card number, but the reality is that when all the available information is collected about you, every little bit matters.

The world of 2019 has a lot more people than names, and when you think about it we end up using odd bits of information in maintaining our identity. Your bank may ask you where you met your partner, the names of pets, etc. and I am sure that each reader can come up with some more examples of their own. This is in part an effort to avoid more circulation of more intrinsically dangerous information like government ID numbers, but the result is that all these little facts then become and stay sensitive. If you could tell Facebook your cat’s name and Robinhood where you bank without them comparing notes behind your back, the situation would not be so bad, but this sort of behind the scenes aggregation is a pervasive part of the data economy and it is unlikely to go anywhere soon.

To change resolution a bit, there will always be a lot of other people out there with personal information that looks a bit like yours - same name, similar address, and so on - and there will always be someone digging a bit deeper for that last piece of data that identifies you the human uniquely. There are all manner of organizations working on this all the time, with motives both friendly and hostile to you, and they are eager to get that marginal value out of the names of your pets. And it should be noted that there have already been notable breaches of large aggregated datasets of information on millions of consumers with details including information on pets and more.

Until there is a major change in the regulatory climate, or some other seismic shift, definitions of P.I.I. must become more and more expansive. If you can use it to tell the difference between you and someone else that shares your name, someone will use it for this purpose, and anyone you share it with might decide to hoard it until it becomes interesting later - interesting to them, or interesting to someone else who wants to buy it.

The "why" of our acronyms: PII vs. PHI

by Alexander C. Mueller

You might have a medical diagnosis you find embarrassing or just plain don’t want to talk about. If someone had your medical records, they would certainly find out… but if they had just some, any medical records, without reference to you or any other particular person, then your privacy is secure.

This silly fact highlights the difference between PII and PHI, and why PII is important. PHI, or personal health information, might be described as medical records that with enough data to tie them to people in the real world. This connecting data is then PII, or personally identifiable information, pretty much by definition. With your PII, a chart becomes your medical record and fits the definition of PHI, otherwise it is some medical record and this extra level of privacy motivates interest in deidentifying datasets.

PHI and PII overlap in usage a ton because PII is a key part of what makes PHI a privacy concern.

ABCs of PII

by Alexander C. Mueller

What is personally identifiable information, abbreviated P.I.I. or PII, and why is it important?

It’s easiest to break down backwards. First, it is Information, and typically the information so discussed is held by a large corporation of a government agency. Second, it Identifies some individual Person apart from the others. The term PII can sometimes refer by law to specific types of data, but the term is used broadly to refer to a broad category of data about everyday people that large organizations commonly end up storing.

Your name is the ultimate everyday example of PII. If you are standing next to someone else, a person who wanted your attention would say your name and not theirs - they’ve just used a small piece of information (your name) to identify you as one person apart from another.

Phone numbers are a bit more interesting. They do have a practical purpose, but they are also a good way to keep two people with the same name from getting confused in your database. Often, a business that collects this information on you is doing it for this sort of reason and not to actually try and call you. Phone number is thus another example of PII, information used to identify one person apart from another.

Thinking about data in this way is valuable because there are many white collar crimes and other misdeeds for which this sort of information is absolutely necessary to get started. Identity theft is the obvious and familiar example. However, there are many more scams you can only begin after you have enough information to target specific individuals and not groups of people. Imagine you are a foreign spy agency looking to recruit informants. Which is more helpful to you: 1) knowing that there are indebted people living in a particular city 2) a list of names, addresses, and phone numbers of indebted people in a particular city?

What is P.I.I. (a.k.a. PII or personally identifiable information)?

An important category of data is personally identifiable information, often referred to as P.I.I. or PII, and it's name is suggests accurately what it is: information that can be used to identify an individual person.  There are many very familiar examples like name, social security number, address, etc.  Some more arcane examples are the sorts of things one needs to supply as a secondary verification of identity at the bank, such as mother's maiden name.  P.I.I. is often an explicitly spelled-out regulatory category but there are a number of pieces of information that considered as P.I.I. across jurisdictions and the philosophy defining P.I.I. is consistent even when the level of inclusiveness is not.  (Is the name of your first pet personally identifiable information?)

P.I.I. is important privacy is not just about what information is available, but what information can be tied back to an individual.  Medical records provide a great example.  If someone steals your medical records, this is not perhaps so bad if they lack information to tie these records back to you - from their perspective, they don't have your medical records but only some unknown person's medical records.