We look at what each term means and how they impact your business
With businesses handling growing volumes of information and the continued expansion of privacy regulations, it has become increasingly apparent that respecting data privacy is not an optional consideration. Managing people’s personal data needs to be navigated carefully. But what specific data do you need to be careful with? Is all data equally risky?
You may have come across the term PII, which stands for ‘personally identifiable information.’ But you may be wondering what constitutes ‘identifiable’? Or whether ‘sensitive information’ is different to PII?
You may also be aware of the ongoing expansion of privacy legislation, with new state laws passing in America or the current review of Australia’s Privacy Act. You know this means you should be doing something, but you’re not confident about what this something is.
This uncertainty can be particularly difficult for engineers, who are often responsible for managing data, security and access privileges. As definitions vary based on geography and context, this introduces ambiguity. This ambiguity complicates decisions around design and architecture, consumes resources and ultimately inhibits their ability to perform their primary duties.
Below, we discuss broad definitions for commonly used terms, key legislation to be familiar with, and what you may do to manage personal data within your organisation.
Defining ‘personal data’, ‘personally identifiable information (PII)’ and ‘personal information’
Essentially, these terms are broadly the same. ‘Personal data’ is typically used within the EU (as defined by GDPR) whereas ‘personal information’ or ‘personally identifiable information’ are more commonly referred to in America, Australia and New Zealand. Each of them defines data that can be directly or indirectly linked to an individual and therefore used to reveal their identity. The precise definitions can be found in each country’s legislation.
In determining whether information is directly identifiable, context is critical. For instance, the same category of information may be capable of identifying one individual but not another according to how unique the underlying data is. Taking name and location category data as an example, we would likely discover hundreds of matches for ‘John Smith’ in ‘London’, but we may only find one ‘Kris Kringle’ in ‘Lapland.’
In general, personal data would include, but is not limited to, the following examples:
- Physical address
- Phone number
- Email address
- Passport number
- Driver’s licence number
- Social security number
- Biometric information (such as fingerprints and DNA)
Although fragments of personal data, such as location, IP address and employment data, may be insufficient to identify an individual directly, when combined with data enrichment or de-anonymisation techniques then identification may become feasible.
‘Pseudo-anonymised’ pieces of information, therefore, still require careful management and data protection. They are more likely to be considered PII in Europe, under GDPR, than in the US.
What is sensitive data? Is there ‘non-sensitive’ data?
Sensitive data is generally considered private information requiring a higher level of protection against unauthorised access, although precise definitions and examples will again vary by jurisdiction.
Health, financial and employment details, along with data pertaining to children, are typical examples of sensitive information, all of which would be subject to data privacy controls. This information has the potential to do more significant emotional, financial or reputational harm to the data subject if it were to be exposed.
Within the EU, Article 9 of GDPR defines ‘special categories of personal data’ (i.e. sensitive data) as information that would reveal any of the following:
- Racial or ethnic origin
- Political opinions
- Religious or political beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Health information
- Data concerning a natural person’s sex life or sexual orientation
Sensitive information is regularly the target of cyber attacks, especially ransom attacks where cyber gangs seek to leverage the data against data owners, and sometimes data subjects, through extortion to achieve personal financial gain. As the disclosure of sensitive information is likely to result in more significant harm to the data subject, the associated punishments for a data breach are also typically higher.
Non-sensitive data covers broad information that cannot be used to identify a specific individual, such as date of birth or postcode, and publicly available information, such as details posted openly on social media or listed in phone books.
What laws regulate the use of PII or sensitive information?
The laws which define ‘personal data’ (or the equivalent term) are established at the jurisdictional level, with some additional laws for specific industries, such as HIPAA for healthcare in the US, PCI DSS for financial payments, and COPPA laws that apply to the handling of personal information for children in the US under the age of 13.
To further complicate matters, companies are typically subject to the rules of the country where the data is collected. Therefore, if you are an Australian company that collects data on customers in the EU, you must comply with EU GDPR for data captured from Europe and comply with Australia’s Privacy Act for any data collected in your domestic market.
Let’s take a look at how different countries define ‘personal’ data and how small differences in wording have a big impact on the practical application of these laws.
European Union — GDPR (2018)
GDPR is one of the strongest privacy laws globally, including strict rules over the use of personal data. It has informed many subsequent privacy policies overseas, including CPRA and CCPA in California.
GDPR defines ‘personal data’ as:
‘any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.’
California, USA — CCPA (2018) & CPRA (2023)
‘Personal information’ is defined as:
‘information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.’
The inclusion of ‘reasonableness’ reduces the extent to which data can be assumed to be de-identified when compared with GDPR. It also extends the definition beyond an individual to include a household.
Australia — Privacy Act (1988)
In Australia, the Privacy Act refers to personal information which is:
‘information or an opinion about an identified individual, or an individual who is reasonably identifiable: whether the information or opinion is true or not; and whether the information or opinion is recorded in a material form or not.’
It is a broader definition than GDPR and CPRA. However, it is worth noting that the Privacy Act is currently under review during 2023. The proposals would see an enhanced definition of personal information, bringing Australian legislation closer to GDPR.
New Zealand — Privacy Act (2020)
The Privacy Act brought New Zealand privacy regulations broadly in line with Australia’s existing privacy laws, although it does not include an exemption for employee records. Employee data is, therefore, subject to the same requirements as other personal information.
Canada — PIPEDA (2000)
Under PIPEDA, personal information includes any factual or subjective information, recorded or not, about an identifiable individual.
Do privacy laws only apply to customer data?
No. Although privacy laws are often discussed in the context of customer data, they may also require protection for personal data held on anyone — such as employees, patients, donors, or students. The level of coverage depends on the specific jurisdiction and industry.
A data subject under GDPR refers to any living individual whose personal data is collected, held or processed by an organisation.
Employees are provided data privacy rights under California’s CPRA and New Zealand’s Privacy Act. Although Australia’s Privacy Act currently excludes employee records, the ongoing review recommends introducing enhanced protection for employee data.
Why do we need to protect personal data?
Many potential harms can be suffered by both the data subject and the organisation in the event of a breach.
A victim whose private information is exposed, whether as part of an accidental privacy incident or a malicious data breach, faces the threat of identity theft, extortion and harassment. These can result in substantial emotional, reputational and financial harm to themselves and their families.
An organisation guilty of data privacy breaches faces a range of damages, from reputational harm amongst customers, clients and employees, along with financial damages from regulatory penalties, civil action and lost revenues.
Penalties can be steep. Under EU GDPR guidelines, serious violations can result in a fine of up to the greater of €20 million or 4% of a firm’s annual revenue from the preceding year. For Australian companies, the new Privacy Legislation Amendment allows for fines up to the greater of $50 million (AUD), or 30% of adjusted turnover in the relevant period.
EU regulators imposed fines of €746 million on Amazon and €405 million against Instagram (Meta), while Bloomberg Intelligence estimates damages at Medibank, Australia, following a recent major breach, could exceed $700 million (AUD).
An organisation should therefore take care when handling any personal data, whether or not it is specifically covered by local legislation.
How can we protect personal data?
GDPR sets out seven fundamental principles for processing personal data (below). An organisation must limit the amount of personal data collected, protect it throughout the lifecycle, and erase it as early as appropriate.
Personal data should only be collected where a clear, predefined purpose exists. Once gathered, it should be aggregated, anonymised and pseudo-anonymised, wherever possible, to protect the underlying data subject(s) and reduce specificity.
Any personal data held within the organisation should be clearly identified, isolated and protected. Protection starts with encryption: personal data should be stored as ciphertext instead of plaintext. Access should be restricted to only those with the necessary permission, and only for the duration they require it.
Finally, data should only be retained for as long as is reasonably required to complete the activities for which it was gathered. Alternatively, data may need to be retained for a specified duration to adhere to local legislation. Once it is complete or the legislative period has expired, all personal data should be erased.
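To make the lifecycle in the three paragraphs above concrete (purpose-bound collection, keyed pseudonymisation as mentioned earlier under ‘pseudo-anonymised’ data, encryption at rest, purpose-checked access, and erasure at the end of retention), here is an added example in Go. It is not code from the original article or from Onqlave; the Record shape and the function names (Pseudonymise, Encrypt, Decrypt, Collect, Reveal, Purge) are assumptions for illustration, and the keys and sample values are constructed placeholders. Only the Go standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Record is a constructed shape for held personal data: the direct identifier is
// replaced by a keyed pseudonym, the sensitive field exists only as ciphertext,
// and the purpose and retention deadline are fixed when the data is collected.
type Record struct {
	Pseudonym   string    // HMAC-SHA256(email) under the pseudonymisation key
	Purpose     string    // the predefined purpose the data was collected for
	Ciphertext  []byte    // nonce || AES-256-GCM(sensitive), AAD = Pseudonym
	RetainUntil time.Time // erase once this has passed
}

// Pseudonymise gives a stable token datasets can be joined on; a plain hash of an
// email is reversible by dictionary lookup, and the secret key is what prevents that.
func Pseudonymise(key []byte, email string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(email))
	return hex.EncodeToString(mac.Sum(nil))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under a fresh random nonce, binding the pseudonym in as
// additional authenticated data so a ciphertext cannot be moved between records.
func Encrypt(key []byte, pseudonym string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(pseudonym)), nil
}

// Decrypt reverses Encrypt; it fails if the key, nonce, AAD or ciphertext differ.
func Decrypt(key []byte, pseudonym string, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], []byte(pseudonym))
}

// Collect stores one sensitive value for a stated purpose with a retention deadline.
func Collect(pseudoKey, encKey []byte, email, purpose string, sensitive []byte, now time.Time, retention time.Duration) (Record, error) {
	p := Pseudonymise(pseudoKey, email)
	ct, err := Encrypt(encKey, p, sensitive)
	if err != nil {
		return Record{}, err
	}
	return Record{Pseudonym: p, Purpose: purpose, Ciphertext: ct, RetainUntil: now.Add(retention)}, nil
}

// Reveal is the only route back to plaintext: the caller's purpose must match the
// collection purpose (purpose limitation) and the record must still be in retention.
func Reveal(encKey []byte, r Record, purpose string, now time.Time) ([]byte, error) {
	if r.Purpose != purpose {
		return nil, fmt.Errorf("access denied: collected for %q, requested for %q", r.Purpose, purpose)
	}
	if !now.Before(r.RetainUntil) {
		return nil, fmt.Errorf("access denied: retention period has expired")
	}
	return Decrypt(encKey, r.Pseudonym, r.Ciphertext)
}

// Purge applies storage limitation: records past their deadline are dropped.
func Purge(records []Record, now time.Time) (kept []Record) {
	for _, r := range records {
		if now.Before(r.RetainUntil) {
			kept = append(kept, r)
		}
	}
	return kept
}

func main() {
	encKey := make([]byte, 32) // constructed keys for the example only; in production use a KMS/HSM
	rand.Read(encKey)
	now := time.Date(2023, 6, 1, 0, 0, 0, 0, time.UTC)
	rec, _ := Collect([]byte("constructed-pseudonymisation-key"), encKey, "kris.kringle@example.com", "order-fulfilment", []byte("passport AB123456"), now, 90*24*time.Hour)
	pt, err := Reveal(encKey, rec, "order-fulfilment", now)
	_, denied := Reveal(encKey, rec, "marketing", now)
	fmt.Printf("pseudonym=%s... plaintext=%q err=%v | marketing: %v | after 91 days: %d left\n", rec.Pseudonym[:12], pt, err, denied, len(Purge([]Record{rec}, now.Add(91*24*time.Hour))))
}
```

Two design points are worth noting. The pseudonym is a keyed HMAC rather than a bare hash, because an email address space is small enough to reverse an unkeyed hash by enumeration; the pseudonymisation key therefore needs the same protection as the encryption key, and the two should be separate keys. The pseudonym is also passed as GCM additional authenticated data, so a ciphertext copied from one record to another fails authentication instead of decrypting silently.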
The seven guiding principles of GDPR
The principles state that personal data shall be:
1. Lawfulness, fairness and transparency
processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
2. Purpose limitation
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
3. Data minimisation
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
4. Accuracy
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
5. Storage limitation
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
6. Integrity and confidentiality (security)
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
7. Accountability
The controller shall be responsible for, and be able to demonstrate, compliance with the above principles (‘accountability’).
If you would like to learn more about what we are building at Onqlave to help protect sensitive data, follow our updates via LinkedIn, sign up to our newsletter or feel free to get in touch with any of our team.