Personal data or PII

-



PII or not to PII, that is the question





PII, or personally identifiable information, is used an awful lot to describe something that within the EU-GDPR, DPA2018 (UK-GDPR) is referred to as, personal data.

What is personal data vs PII?

Personal data - means any information relating to an identified or identifiable natural person (’data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (GDPR, Art 4(1)).

PII is identified in US law as - information that can be used to distinguish or trace an individual's identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.  (Office of Management and Budget Guidance for Grants and Agreements, Chapter II, Part 200, Sub-part A, Section 200-79).

Take away points:
  • The focus of EU-GDPR (UK-GDPR/DPA2018) is:
    • To protect the interests of a data subject by regulating the activities of the [data] controller and [data] processor who process data that incorporates personal data, and
    • It is the definition of personal data that in fact triggers the EU-GDPR, and not PII.
There is a bit of confusion however, especially with a number of ISO standards, for example:
  • PII rather than personal data - ISO/IEC 27018:2019 (Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors).
The final take away point is please ensure that you are using the correct definitions and where ISO standards are concerned read the small print in which acknowledgment is made of 'local' legislation and regulation.

References: CyBOK v1.0; KanSecurity mindmaps; others as shown.

KanSecurity (NL)

Popular posts from this blog

Black Swans and other things

-
Image
Back swans and other things. For transparency I’m not an academic. What I enjoy doing is reading academic works, it does not matter what field, with the objective of attempting to answer questions I have related to information and cyber security. Two [of many] questions [the context throughout this blog are businesses, organisations, and information and cyber security] . Why, in the many cases that have been documented, do Chief Information Security Officers [CISO] get shown the door following a major breach of a company network? Whilst CISOs are highlighted, others having a similar role but not called CISOs, are also covered under this question. Why, given the current situation of COVID-19, were many businesses unprepared? The unauthorised attempts at infiltrating a company network, are not outliers [thus not a Black Swan], they happen daily, it is the norm. The evidence, even though prejudiced in itself, is there for all to see. I say that the evidence is prejudiced
Read more

Compliance or Conformity

-
Image
Compliance is not security, or is it? There is a view (anecdotal)   that compliance is not security. To be more precise, information and cyber security. For those aware of this standard, ISO/IEC 27001:2013 (information security management system, requirements) asks those organisations seeking certification to conform to its requirements. On the other hand, the Payment Card Industry (PCI) security standards, and for example the Data Security Standard (PCI DSS), requires compliance. Conformity or compliance; in the cases above they both seek to achieve something similar; security, in the context of information and cyber security, by ensuring that important data assets are protected (specifically card holder data for PCI DSS, and ‘other’ sensitive and critical information/data for ISO/IEC 27001:2013). Having generalised with the use of the word ‘other’ for 27001, in truth if card holder data were in scope then in fact ‘other’ would include cardholder data.
Read more