What is personally identifiable information (PII)?

By Sara Kassabian / Published on October 2, 2018

TrueVault is in the business of protecting personally identifiable information (PII) collected on behalf of your company. PII is different from other types of data, and by storing PII in our SecureVault, we limit the legal liability for businesses that interact with this sensitive data.

Personally Identifiable Information 101

There are countless facts about you that may be relevant to different businesses in the form of data. Logically, though, your shoe size is less sensitive than your name, Social Security number or address. If someone were looking to exploit information about you or simply invade your privacy, a stranger knowing your favorite color is less likely to cause alarm than a stranger knowing your Social Security number. Why? Because the latter can identify exactly who you are and potentially unlock troves of other sensitive information about you, leading to bank fraud, identity theft, and other disasters.

Bruce Wayne doesn’t need all of Gotham (or worse, the Joker) knowing his health information. Luckily, his health insurance stores his PII in SecureVault, keeping it safe from prying eyes and potential hackers.

In the United States, PII is defined as any information about an individual that can be used to distinguish or trace that individual's identity, according to the U.S. Department of Commerce. Examples of such identifying details include name, birth date and biometric records. Other details that can be linked to an individual, such as medical, educational, financial, and employment information, carry their own set of protections as well.

For example, when PII is paired with your medical record, it is referred to as "Protected Health Information" (PHI) and falls under the purview of HIPAA, with harsh penalties for data breaches or non-compliance. Any business or organization that works with PHI (PII + medical information) must institute the enhanced security measures necessary to properly secure PHI during the data import and storage process. If you're working with PHI, TrueVault can help you manage this data.

Acronyms You Need To Know: PII, GDPR, CCPA

While the term "PII" comes up frequently in the health and technology sectors, the operating definition of PII varies between governments and is therefore regulated in different ways.

The European Union equivalent of PII is called "personal data", and it has a much broader description under the General Data Protection Regulation (GDPR):

"'Personal data' means any information relating to an identified or identifiable natural person ... [and can include] a name, an identification number, location data, an online identifier or ... one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

Since GDPR came into effect on May 25, 2018, there has been a cascade of proposed legislation in the United States that mirrors the spirit of consumer protection encapsulated by the EU law.

California, home to TrueVault as well as leading technology companies like Apple and Google, passed what is essentially its own version of GDPR, the California Consumer Privacy Act (CCPA). CCPA is on track to take effect in 2020, giving Californians more autonomy over how their information is collected and used by businesses and organizations. The law also puts much greater responsibility on companies to safeguard their users' PII and consumer behavior data.

Personal Data Is Business Critical — And A Liability.

We recognize that personal data is a key driver for your business. Collecting PII from the users who interact with your business is essential to understanding and satisfying consumer needs. However, personal data also carries a liability for the businesses that collect it.

PII is synonymous with risk, particularly when it is linked with another form of sensitive data, such as medical information. Any business that imports or stores PII on its servers is within the scope of laws like HIPAA (if collecting PHI), and soon CCPA, GDPR, and likely many others.

For businesses that collect digital data, PII ought to be treated as toxic, because it comes with a host of responsibilities related to legal compliance, advanced security and good data governance. Fortunately, there are ways to work with PII that limit the potential risk to your business. Pseudonymization or tokenization allows a business to remove the risky PII from its systems and replace it with a series of numbers or letters (a token), leaving behind only the behavior data of relevance. By tokenizing PII, a business is able to access the information it needs while removing the risky data, which in turn limits its liability.
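The following is an added illustration of the tokenization idea described above; it is example code written for this article, not TrueVault's tokenization engine. The PII field names, the `tok_` token prefix and the sample records are assumptions chosen for the example.

```python
import secrets

# Fields treated as PII and stripped from application records (assumed for this example).
PII_FIELDS = ("name", "ssn", "email")


class TokenVault:
    """Keeps the token <-> PII mapping apart from the behavior data.

    Only this object ever holds raw PII; application records carry tokens only.
    """

    def __init__(self):
        self._token_to_value = {}
        self._value_to_token = {}

    def tokenize_value(self, field, value):
        # Reuse the token for a value already seen, so records about the same
        # person stay joinable on the token without revealing the PII itself.
        key = (field, value)
        if key not in self._value_to_token:
            token = "tok_" + secrets.token_hex(16)  # random; not derived from the value
            self._value_to_token[key] = token
            self._token_to_value[token] = value
        return self._value_to_token[key]

    def detokenize_value(self, token):
        return self._token_to_value[token]


def tokenize_record(record, vault):
    """Return a copy of record with each PII field replaced by a vault token."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.tokenize_value(field, out[field])
    return out


def detokenize_record(record, vault):
    """Restore PII for a caller that is authorized to reach the vault."""
    out = dict(record)
    for field in PII_FIELDS:
        if field in out:
            out[field] = vault.detokenize_value(out[field])
    return out


# Constructed sample records: PII alongside the behavior data the business needs.
SAMPLE_RECORDS = [
    {"name": "Bruce Wayne", "ssn": "000-00-0000", "email": "bruce@example.com", "pages_viewed": 12, "plan": "gold"},
    {"name": "Bruce Wayne", "ssn": "000-00-0000", "email": "bruce@example.com", "pages_viewed": 3, "plan": "gold"},
]
```

After `tokenize_record`, the application database holds only tokens plus `pages_viewed` and `plan`, so a breach of that database exposes no identity; the vault is the single component that needs the stronger controls.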

We know your business likely doesn't specialize in tokenization, data security or the interpretation of laws related to personal data. TrueVault's mandate is to secure PII on behalf of your business while minimizing risk. We offer a suite of tools for companies working with personal data, including a new tokenization engine to help with data import and storage. By storing and managing PII on behalf of your business, TrueVault guarantees that your business will comply with data protection laws like HIPAA, and soon GDPR and CCPA, by offering advanced security options for importing and storing personal data through our product.
