In the United States, PII refers to any information that can be used to trace an individual’s identity. It includes biometric data, geolocation data, metadata, and other pieces of information that may be used to determine a person’s identity. Not every piece of information generated by a transaction is PII. To decide which data might be PII, one must assess the risk that the information could be used to identify a specific individual.
PII is information that you can use to trace an individual’s identity
In simple terms, PII is information that others can use to identify an individual. It includes any information that can be linked, directly or indirectly, to an individual. However, the scope of PII is broad. For example, data that cannot currently identify an individual, such as an Internet user’s physical location, can still be classified as PII. This is the case even for data that is not linked to an individual’s identity, such as a telephone number, address, and IP address.
There are numerous ways to protect PII:
- Organizations must use strong encryption.
- They must use secure passwords and two-factor authentication.
- It is imperative to keep Social Security cards in a safe place.
Online purchases also involve PII, such as an individual’s name, company name, shipping and billing addresses, phone number, and credit card information.
It includes biometric data, geolocation data, and metadata.
Location-based services can provide highly detailed information about individuals, from where they sleep to where they purchase beer. They can even provide information on who attends which political or religious gatherings and which doctors they have visited. And most importantly, location-based data cannot be anonymized. As IBM fellow Jeff Jonas, chief scientist of IBM Entity Analytics Group, puts it: Location records are “behavioral biometric markers” and can reveal a lot about us.
There is little regulation governing the collection of biometric data in the United States. However, some governments have recently stepped up their metadata collection programs. This data may be collected lawfully and used to identify a person, but it may contain sensitive information. While governments can protect this data, it’s vital to understand what is and isn’t allowed. Unfortunately, there is no federal law that explicitly regulates biometric data collection.
It is not all the information generated by a transaction.
While the Social Security number is a critical piece of personally identifiable information, the name is not. A name can be shared or unique, but it can also be PII. In addition to the name, other types of information generated in a transaction include the serial number of the item that a person purchases, cookies that are saved on the customer’s browser, and the customer’s IP address. A non-secure site will not display “https” in its URL.
Personal information includes full name, street address, Social Security number, driver’s license number, passport number, and ZIP code. It may also include biometric data, date of birth, and credit card numbers. Personal information may be collected in any manner and can be combined with other information to identify an individual. According to the United States General Accounting Office, it is possible to identify 87% of Americans using just their name, gender, and ZIP code.
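The following added example (not part of the original article) measures how combining fields raises the risk of singling out an individual, using the name, gender, and ZIP code fields mentioned above. The records, field names, and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"name": "Alex Kim",   "gender": "F", "zip": "30301"},
    {"name": "Alex Kim",   "gender": "M", "zip": "30301"},
    {"name": "Alex Kim",   "gender": "M", "zip": "30302"},
    {"name": "Sam Rivera", "gender": "F", "zip": "30301"},
    {"name": "Sam Rivera", "gender": "F", "zip": "30302"},
    {"name": "Sam Rivera", "gender": "F", "zip": "30302"},
    {"name": "Jo Patel",   "gender": "M", "zip": "30302"},
    {"name": "Jo Patel",   "gender": "M", "zip": "30302"},
]

def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def k_anonymity(records, fields):
    """Smallest group size: each record matches at least k-1 other records."""
    return min(group_sizes(records, fields).values())

def unique_fraction(records, fields):
    """Share of records whose value combination appears exactly once (k = 1)."""
    sizes = group_sizes(records, fields)
    singled_out = sum(1 for r in records if sizes[tuple(r[f] for f in fields)] == 1)
    return singled_out / len(records)

def risk_report(records, field_sets):
    """Return {fields: (k, unique_fraction)} for each candidate field combination."""
    return {fs: (k_anonymity(records, fs), unique_fraction(records, fs))
            for fs in field_sets}

if __name__ == "__main__":
    sets = [("name",), ("gender",), ("zip",),
            ("name", "gender"), ("name", "gender", "zip")]
    for fs, (k, frac) in risk_report(RECORDS, sets).items():
        print(f"{'+'.join(fs):<18} k={k}  uniquely identified={frac:.0%}")
```

In this sample no single field singles anyone out, yet the three fields together uniquely identify half of the records, which is why fields should be assessed in combination before a dataset is released or shared.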
It requires a case-by-case assessment of the specific risk that an individual can be identified.
There are several steps involved in risk assessment. Still, the key to identifying a high-risk individual is gathering information about the person in question, analyzing it, and creating a plan of action. This involves assessing each risk factor on a case-by-case basis and identifying the most appropriate response to that risk. For simple situations, staff can use checklists and probability matrices to generate a risk assessment. However, complex cases require the collaboration of knowledgeable staff members.
In addition to identifying an individual’s specific risk, a case-by-case assessment of an individual’s criminal risk can determine appropriate placement and release conditions. In most cases, a person’s underlying needs are linked to their criminal behavior. Therefore, a risk assessment should be based on a case-by-case analysis of the individual’s psychiatric history.