What Is Personal Identifiable Information (PII)?
July 18, 2023
We hear the term PII a lot these days, but what is Personal Identifiable Information? What are some of the different types of information and what is changing in the industry landscape?
Different regions use different official terminology. Some regions call it Personal Information (PI), and others refer to it as Personally Identifiable Information (PII).
Most people, ourselves included, assumed the two are the same, but in fact PII is a concept defined by specific data fields, one designed and created by the National Institute of Standards and Technology (NIST). PI (or PD in Europe), however, is principle-based language that sweeps up a great deal more than PII. PI is also regulated, whereas PII is not.
Personal Information includes a broad range of information, or an opinion, that could identify an individual. PII, by contrast, is personal information that can be catalogued; what counts will vary depending on whether a person can be identified, or is reasonably identifiable, in the circumstances.
For example, Personal Information (PI data) may include:
· an individual’s name, signature, address, phone number or date of birth
· sensitive information
· credit information
· employee record information
· internet protocol (IP) addresses
· voice print and facial recognition biometrics (as the technology collects characteristics that make an individual’s voice or face unique)
· location information from a mobile device (as it can reveal user activity patterns and habits).
The Privacy Act 1988 doesn’t cover the personal information of someone who has died.
Sensitive information is any personal data or information that could potentially cause harm, damage, embarrassment, or discrimination to an individual if it is disclosed, accessed, or used without authorisation.
Sensitive information is personal information that includes information or an opinion about an individual’s:
· racial or ethnic origin
· political opinions or associations
· religious or philosophical beliefs
· trade union membership or associations
· sexual orientation or practices
· criminal record
· health or genetic information
· some aspects of biometric information.
Generally, sensitive information has a higher level of privacy protection than other personal information.
So Personal Information identifies the person, and sensitive information can tell you about the person.
Generally, information that relates to a business is not personal information. This includes a business’ name, address, and Australian Business Number (ABN). However, if a sole trader carries on a business, that business information can be reasonably identifiable as personal information. Either way, individuals need to be careful with their personal information.
Above, we have discussed the definitions of these terms that you are hearing a lot about, but what does that mean and what is being done about it?
On a personal level, our PII data is necessary to acquire some goods and services, such as medical care and utilities. However, in the wrong hands, PII leads to identity theft and other forms of fraud. If it is left unprotected, individuals could face damage to their reputation or have their identities stolen. The significant increase in digital use, with our identities being requested and stored, has given rise to the malicious use of this data by people seeking to profit from holding it.
The request, collection, use and storage of this data has thus come under review across the globe. The best known regulation is the European Union’s GDPR, the General Data Protection Regulation.
GDPR is a European Union law with mandatory rules for how organisations and companies must use personal data in a way that respects the integrity of the individual. Personal data means any information which, directly or indirectly, could identify a living person. Name, phone number, and address are textbook examples of personal data. Interests, information about past purchases, health, and online behaviour are also considered personal data, as they could identify a person.
Privacy Act under Review
The Australian Privacy Act 1988 is currently the act in place, and it is widely accepted that it is due to be updated. In Australia, the term that is used is Personal Information, not PII.
The Attorney-General released the Privacy Act Review Report, which contains 116 proposals for reforming the Privacy Act. These proposals aim to make, in the Attorney-General’s words, the Privacy Act “fit for purpose” to “adequately protect Australians’ privacy in the digital age”.
There are 15 key proposals outlined in the Privacy Act Review Report, covering various aspects of privacy protection, consent, data handling, enforcement, and individual rights:
1. The requirement to act fairly and reasonably when collecting, using, and disclosing personal information will be judged on an objective standard, regardless of consent.
2. The definition of consent will be amended to include voluntary, informed, current, specific, and unambiguous consent, with proposed guidance on designing consent requests for online services.
3. The definition of personal information will be broadened to include information or opinions that relate to an identified individual, including inferred or generated information.
4. Individuals will have a direct right of action to seek compensation for privacy breaches, but they must first make a complaint to the Office of the Australian Information Commissioner (OAIC).
5. Additional obligations will be imposed on handling de-identified information, including protecting it from unauthorised access, prohibiting re-identification, and introducing a criminal offence for malicious re-identification.
6. Timeframes for reporting data breaches will be tightened, with a reduced deadline of 72 hours for reporting to the OAIC and a requirement to inform impacted individuals as soon as possible.
7. Certain privacy obligations will be extended to private sector employee records, addressing concerns related to General Data Protection Regulation (GDPR) adequacy status.
8. The concept of processors and controllers will be introduced to align Australian law with other jurisdictions, reducing compliance obligations for processors.
9. Mandatory Privacy Impact Assessments will be required for high privacy risk activities that may significantly impact individuals' privacy, with guidance provided by the OAIC.
10. The use of personal information in automated decision-making will be regulated, requiring transparency and the right for individuals to request information about such decisions.
11. Targeted advertising will be regulated, with prohibitions on using personal information for targeted advertising and content to children and limitations on using sensitive information for targeted advertising to any individuals.
12. Additional protections will be implemented for children and vulnerable persons, including codifying existing guidance on consent and capacity, developing a Children's Online Privacy Code, and considering impacts on vulnerable persons in privacy assessments.
13. A statutory tort for serious invasions of privacy will be introduced, allowing individuals to claim damages for emotional distress.
14. Individuals will have a right of erasure and de-indexation, allowing them to request the deletion of personal information and removal of search engine results under certain conditions.
15. Greater enforcement powers and penalties will be implemented, including new civil penalties, expanded powers for the OAIC, and clearer guidelines for serious interferences with privacy.
This is still in draft, and the government has accepted feedback from industry to continue the debate. AdFixus has submitted a formal response to this request.
Along with these new changes and definitions, there will also be a significant increase in the penalties that can be applied for misuse of PII. The Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 already includes several new penalty changes: the Bill increases the maximum civil penalty for serious or repeated interferences with privacy from the current $2.22 million to an amount that is the greater of $50 million, three times the value of any benefit obtained from the conduct constituting the serious or repeated interference with privacy, or 30% of an entity’s adjusted turnover in the relevant period.
PII is information that can identify an individual, and that information has a large value attached to it given the way we engage in our digital lives. The collection, storage and use of this data has rightly come under scrutiny, and governments have had to review their privacy acts and legislation. It is vital that you understand these changes and their potential impacts on your business.