What is personally identifiable information, otherwise known as personal data?
Personally Identifiable Information (PII), otherwise known as ‘personal data’, is any information that can be used to identify a specific individual. This information can be used on its own or with other relevant data to identify, contact, or locate a single person, or to identify an individual in context. The definition and scope of PII can vary depending on the legal jurisdiction and specific context.
In the context of data protection and privacy laws, the Data Protection Act 2018 (DPA 2018) is the key piece of legislation in the UK that sets the framework for data protection, privacy, and data rights. It updated and replaced the previous Data Protection Act 1998, incorporating and supplementing the EU General Data Protection Regulation (GDPR).
Now that the Brexit transition period has ended, the UK GDPR (the version of the GDPR retained in UK law), together with the DPA 2018, is the primary data protection legislation for organisations that process UK residents’ personal information.
Personally identifiable information is subject to strict regulatory requirements. Organisations that handle PII must ensure they do so in a manner that is compliant with privacy laws. UK GDPR includes obligations around data security, consent for data collection, limitations on data processing and sharing, and rights for individuals to access, correct, and delete their personal data.
Protecting PII is crucial because its misuse can lead to identity theft, fraud, and breaches of privacy. As such, both public and private sector entities are required to implement stringent measures to safeguard personal information.
Failure to protect sensitive PII can lead to significant legal consequences. A personal data breach must normally be reported to the ICO within 72 hours, and where it is likely to result in a high risk to individuals the affected data subjects must be told as well; the breach or cyber-attack can then give rise to legal liabilities.
Fines of up to £17.5 million or 4% of the undertaking’s total annual worldwide turnover in the preceding financial year, whichever is higher, can be imposed by the Information Commissioner’s Office (ICO). That is before the significant reputational damage that a large data breach can cause.
What does personally identifiable information include?
The definition of personal data under UK GDPR is broad, covering any information that can be linked to an identifiable person. This broad scope ensures that a wide array of data types is protected, reflecting the act's intent to safeguard individuals' privacy rights comprehensively.
Anyone that processes or holds personal data must ensure they comply with data protection principles, including lawful basis for processing, data minimisation, and ensuring data accuracy. They must also implement appropriate security measures to protect data and uphold the rights of data subjects as specified by the act.
Under UK GDPR, personal data refers to any information relating to an identified or identifiable natural person (known as a 'data subject'); an identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as:
Identifiers: Names, email addresses, phone numbers, passport numbers, national insurance numbers, NHS numbers, or any other identifier unique to an individual.
Personal Information: Any physical, physiological, or genetic information relating to the physical characteristics of a person, including medical records, blood type, DNA, etc., that can be used to uniquely identify that person.
Identity Information: Economic, cultural, or social identity information that reveals the economic, cultural, or social facets of an individual, such as their economic situation, cultural habits, or social practices.
Personal Characteristics: Visual identifiers like images, facial recognition data, and even handwriting, as well as other personal characteristics that can identify an individual.
Location Data: Information about an individual’s location, which can be as precise as a home address or GPS coordinates, or as general as a city or region.
Online Identifiers: This includes IP addresses, cookies, or other identifiers that could be used to trace internet activity back to a specific device or individual.
UK GDPR emphasises not only the broader categories of data typically considered personal but also any information that, when combined with other pieces of data, can indirectly identify a person. This could include various data points that, when pieced together, reveal the identity of an individual.
Sensitive PII (special category data) vs non-sensitive PII
Personally identifiable information can be categorised into two types: sensitive PII and non-sensitive PII, each posing a different level of risk to an individual's privacy and security when exposed. Sensitive PII is commonly taken to include:
- payment card numbers, or bank account numbers;
- passport, national insurance, or other national ID information;
- criminal offence data;
- any data relating to children under the age of 18; and
- special category data.
UK GDPR also recognises "special categories" of personal data which are particularly sensitive PII and require more stringent processing protections. To lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. Note that criminal offence data is not special category data: it is governed separately by Article 10 of the UK GDPR and the DPA 2018, and can only be processed under official authority or where a specific condition in the DPA 2018 is met.
The UK GDPR defines special category data as:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership;
- genetic data;
- biometric data (where used for identification purposes);
- data concerning health;
- data concerning a person’s sex life; and
- data concerning a person’s sexual orientation.
Sensitive data is information that, when disclosed, could result in harm, embarrassment, inconvenience, or unfair treatment to an individual. This category of information requires stricter handling guidelines because its exposure can lead directly to identity theft or other significant personal impacts.
What are the risks associated with holding or processing personally identifiable information?
Holding or processing PII can pose significant risks, primarily around the potential for data breaches and consequential losses. One of the most significant risks of holding PII is the potential for data breaches, where unauthorised parties gain access to the data. This can occur through hacking, phishing attacks, malware, or even physical theft of storage devices.
If personally identifiable information is exposed or stolen, it can be used for identity theft. Criminals can use sensitive information like national insurance numbers, addresses, birth dates, or credit card numbers to open accounts, make purchases, or commit fraud in someone else's name. Financial information, medical records and other health data typically pose the greatest risk, because they are the hardest for the individual to change once exposed.
Companies or public sector organisations that suffer a data breach involving PII may face substantial financial costs. These can include direct costs such as the costs for forensic investigations, and costs associated with notifying affected individuals and providing them with credit monitoring services.
Many jurisdictions have strict regulations governing the protection of PII (such as UK GDPR). Non-compliance or breaches can lead to expensive fines and sanctions, as well as affected parties’ actions seeking a claim for compensation.
Legal liabilities, which scale with the sensitivity of the personal data involved, can cause a significant financial loss to the organisation or business. A data breach can also significantly damage its reputation. Loss of consumer trust can lead to decreased customer retention and difficulty in attracting new customers, impacting long-term revenue and business opportunities.
A data breach can cause operational disruption, as systems may need to be taken offline for investigation and remediation. This downtime, together with the cost of the response, can impact the productivity and operational capabilities of a business or organisation.
Read the guidance provided by the UK National Cyber Security Centre (NCSC).
How many personally identifiable records?
Personally identifiable information means all personal data pertaining to a natural individual, and any single piece of that information could be considered PII on its own. When working out how many personally identifiable records you hold or process, count the number of individuals (data subjects); it is not necessary to count each separate piece of information about them.
When applying for cyber insurance, or technology E&O insurance, you will need to provide an approximate number of PII records, and the percentage of those that are sensitive PII, that will be stored, processed or in motion on your network over the next 12 months.
Insurers want to understand what their exposure under the insurance product would be if you were the target of a cyber-attack or data breach. Cyber liability cover can sometimes be provided under professional indemnity insurance policies, so you may be required to disclose this information there as well.
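The counting rule above (count data subjects, not fields or rows) and the sensitive-versus-non-sensitive split that insurers ask for can be applied mechanically to a data inventory. The script below is an added example, not part of the original article or any insurer's form. The records, the field names used to recognise each sensitive category, and the reference date for the under-18 check are all constructed assumptions; a real inventory would map your own schema onto the categories in the text. The Luhn check and national insurance number format check are there so that a field which merely looks like a card or NI number is not counted as sensitive.

```python
import re
from datetime import date

# Constructed sample records; no real people. Several rows describe the same
# data subject (u1001) to show that subjects, not rows, are what gets counted.
SAMPLE_RECORDS = [
    {"subject_id": "u1001", "name": "A. Example", "email": "a@example.invalid", "postcode": "SW1A 1AA"},
    {"subject_id": "u1001", "name": "A. Example", "ni_number": "QQ 12 34 56 C"},
    {"subject_id": "u1002", "name": "B. Example", "dob": "2012-03-04"},          # child
    {"subject_id": "u1003", "name": "C. Example", "health": "asthma"},           # special category
    {"subject_id": "u1004", "name": "D. Example", "card_number": "4111 1111 1111 1111"},
    {"subject_id": "u1005", "name": "E. Example", "ip_address": "203.0.113.7"},  # PII, not sensitive
]
REFERENCE_DATE = date(2024, 6, 1)   # assumed "today" for the under-18 test

# Assumed field names (lower-case) for each sensitive category named in the text.
SPECIAL_CATEGORY_FIELDS = {"health", "ethnicity", "religion", "political_opinion",
                           "trade_union", "genetic", "biometric", "sex_life", "sexual_orientation"}
IDENTITY_DOCUMENT_FIELDS = {"passport_number", "ni_number", "driving_licence"}
PAYMENT_FIELDS = {"card_number", "bank_account", "sort_code"}
CRIMINAL_FIELDS = {"criminal_record"}
NI_NUMBER_RE = re.compile(r"^[A-Z]{2}\d{6}[A-D]?$")   # format check only, not prefix validity


def luhn_valid(number: str) -> bool:
    """Luhn checksum over the digits of a payment card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def age_on(dob_iso: str, on: date) -> int:
    born = date.fromisoformat(dob_iso)
    return on.year - born.year - ((on.month, on.day) < (born.month, born.day))


def sensitive_categories(record: dict, on: date) -> set:
    """Sensitive-PII categories present in one record (empty set if none)."""
    found = set()
    for field, value in record.items():
        key = field.lower()
        if key in SPECIAL_CATEGORY_FIELDS:
            found.add("special_category")
        elif key in IDENTITY_DOCUMENT_FIELDS:
            if key != "ni_number" or NI_NUMBER_RE.match(str(value).replace(" ", "").upper()):
                found.add("identity_document")
        elif key in PAYMENT_FIELDS:
            if key != "card_number" or luhn_valid(str(value)):
                found.add("payment")
        elif key in CRIMINAL_FIELDS:
            found.add("criminal_offence")
        elif key == "dob" and age_on(str(value), on) < 18:
            found.add("child")
    return found


def subject_key(record: dict) -> str:
    """Stable key for the data subject: explicit id, else e-mail, else name."""
    for field in ("subject_id", "email", "name"):
        if record.get(field):
            return str(record[field]).strip().lower()
    raise ValueError("record carries no identifier for the data subject")


def pii_summary(records, on: date) -> dict:
    """Count distinct data subjects and the share for whom sensitive PII is held."""
    by_subject = {}
    for rec in records:
        by_subject.setdefault(subject_key(rec), set()).update(sensitive_categories(rec, on))
    subjects = len(by_subject)
    sensitive = sum(1 for cats in by_subject.values() if cats)
    return {
        "data_subjects": subjects,
        "sensitive_subjects": sensitive,
        "sensitive_pct": round(100.0 * sensitive / subjects, 1) if subjects else 0.0,
        "categories": sorted({c for cats in by_subject.values() for c in cats}),
    }


if __name__ == "__main__":
    print(pii_summary(SAMPLE_RECORDS, REFERENCE_DATE))
```

On the sample data this reports five data subjects (u1001 appears in two rows but is counted once) of whom four hold at least one sensitive category, so 80% sensitive PII; the subject whose only identifier is an IP address still counts as PII but not as sensitive PII. Merging rows on a stable subject key is the step most inventories get wrong: counting rows, or counting every field, inflates the figure given to the insurer.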
How to manage your personal data risk?
Encryption of sensitive PII, access controls, firewalls, anti-virus software, regular updates, and patch management are common practice. Educating your staff about data security best practices and phishing attacks is also very important, given that people are commonly the weakest link in an information security policy.
Companies or public organisations which hold large amounts of personally identifiable information, may face increased scrutiny from insurers, regulators and may need to invest in compliance, data retention policies, and cyber security measures to prevent data breaches.
Internal controls and data retention policies are becoming increasingly important to insurers when assessing your risk. Multifactor authentication for your email accounts and for remote access to your network is now commonly a prerequisite for cover.
Some cyber insurance products now take a proactive approach to managing your data breach risk by periodically testing your internet-facing domains for weaknesses that cyber criminals could exploit.
These practices not only reduce the likelihood of a data breach but also mitigate the potential impact if a breach occurs. Effective risk management requires ongoing effort and adaptation to new data security threats.