LDAPWiki: Personally Identifiable Information

Overview[1]#

Any discussion of PII requires some context.

Generically, Personally Identifiable Information (PII) is data that can be used to perform Identification, either alone or when combined with other Personally Identifiable Information that within a specific Context provide a specific Digital Identity from the Anonymity Set.

Within some contexts Personally Identifiable Information (PII) is Protected Data that

can be used to identify the Natural Person to whom such information relates
might be directly or via Identity Correlation to a Natural Person to whom such information relates.

Personally Identifiable Information, as used in Information security, is data that can be used on its own or with other data to identify, contact, or locate a single Natural Person, or to identify a Natural Person in context.

The abbreviation PII is widely accepted, but the phrase it abbreviates has four common variants based on personal/personally, and identifiable/identifying. Not all abbreviations are equivalent, and for legal purposes the effective definitions vary depending on the jurisdiction and the purposes for which the term is being used. [2]

What is Personally Identifiable Information?#

Personally Identifiable Information can only be defined within a provided context.

Generally, any Unencrypted electronic information that when used in combination with other information, can Identity an individual. Typically this is interpreted as any information that includes an individual’s first name or initial, and last name, in combination with any one or more of the following:

Social Security Number (SSN).
Drivers license number or State-issued Identification Card] number.
Financial Data account number, Bank Card Number, or Medical ID Card in combination with any required security code, access code, or password such as expiration date or mother’s maiden name that could permit access to an individual’s financial account.
Patient Data (any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a Health Care Provider)
Health insurance information (an individual’s health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the Natural Person, or any information in an individual’s application and claims history, including any appeals records)

Personally Identifiable Information is regulated by many Government and other organizations.

NIST Guide#

NIST.SP.800-122 is a document aimed at Federal Agencies but is also considered the reference for industry.

ISO 19944 #

Personally Identifiable Information is any information that

a) can be used to identify the PII principal (3.18) to whom such information relates. or
b) is or might be directly or indirectly linked to a PII principal

Personally Identifiable Information Risk #

The Data Security Impact for Personally Identifiable Information Risk is defined in FIPS 199

United States Supreme Court and Personally Identifiable Information#

"In Cox Broadcasting v. Cohen, 420 U.S. 469 (1975), the Supreme Court of the United States held that the First Amendment to the Constitution prohibits states from imposing a penalty on ... for publishing accurate information obtained from a public court record."

More Information#

There might be more information for this subject on one of the following:

[#1] - OpenID Connect Core 1.0 incorporating errata set 1 - based on 2016-09-10
[#2] - http://en.wikipedia.org/wiki/Personally_identifiable_information - based on 2013-04-17
[#3] - § 200.79 [Personally Identifiable Information (PII) - based on information obtained 2021-10-11
[#4] - Relying on Public Records - based on information obtained 2021-10-11