Sponsored Links
UnlabelledPersonally identifiable information

Jumat, 13 Juli 2018

- -
Sponsored Links

List of Personally Identifiable Information (PII)
src: pullzone1-stationx.netdna-ssl.com

Personal information , described in the field of US law as personally identifiable information ( PII ), or sensitive personal information ( SPI ), as used in information security and privacy laws, is information that can be used alone or with other information to identify, contact, or find one person, or to identify individuals in context. The abbreviations of PII are widely accepted in the US context, but the abbreviated phrases have four common variants based on private / private , and can be identified / identify . Not all are equivalent, and for legal purposes, the definition of effective varies depending on the jurisdiction and the intended use of the term. (In other countries with privacy protection laws derived from the OECD privacy principles, the terms used more often are "personal information", which may be somewhat more extensive: within Privacy Act 1988 (Cth) "personal information Australia "Also includes information from where a person's identity" is ascertainable ", potentially including some information not covered by PII.)

European and other data protection regimes, which are primarily centered around the General Data Protection Regulations, the terms "personal data" are significantly broader, and determine the scope of the regulatory regime.

The Special Publication of NIST 800-122 defines PII as "any information about individuals maintained by the agency, including (1) any information that may be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, name mothers, or biometric records, and (2) any other information that is linked or linked to individuals, such as medical information, education, finance, and employment. "Thus, for example, the user's IP address is not classified as PII itself, but is classified as PII connected.

The concept of PII has become prevalent as information technology and the Internet have facilitated the collection of PII leading to a profitable market in collecting and reselling of PII. PII can also be used by criminals to stalk or steal a person's identity, or to assist in the planning of a criminal act. In response to this threat, many website privacy policies specifically address the collection of PII, and lawmakers have enacted a series of laws to limit PII's distribution and accessibility.

However, PII is a legal concept, not a technical concept, and as noted, it is not used in all jurisdictions. Due to the versatility and strength of modern re-identification algorithms, the absence of PII data does not mean that the remaining data does not identify individuals. While some attributes may not uniquely identify themselves, any attribute could potentially identify in combination with another. These attributes have been referred to as quasi-identifiers or pseudo-identifiers. Although the data may not be a PII in the United States, it is possible to remain private data under European data protection law.


Video Personally identifiable information



Define NIST

The following data, often used for clear purposes to distinguish individual identities, is clearly classified as PII based on the definitions used by the National Institute of Standards and Technology (described in detail below):

  • Full name (if not common)
  • Face (sometimes)
  • Home address
  • Email address (if private from association/club membership, etc.)
  • National identification number (e.g., Social Security number in the US)
  • Passport number
  • Vehicle number plate number
  • Driver's driver's ID
  • Face, fingerprint, or handwriting
  • Credit card number
  • Digital identities
  • Date of birth
  • Place of Birth
  • Genetic information
  • Phone number
  • Login name, screen name, nickname, or handbook

The following are rarely used to distinguish individual identities, because they are properties that are shared by many people. However, they are potentially PII, as they can be combined with other personal information to identify individuals.

  • First name or back, if general
  • Country, state, zip code, or city of residence
  • Age, especially if not specific
  • Gender or race
  • The name of the school they attended or the workplace
  • Value, salary, or job position
  • Criminal record
  • Web cookies

When someone wants to remain anonymous, their description will often use some of the above, such as "a 34-year-old white man working at Target". Keep in mind that information may remain private , in the sense that a person may not want it publicly known, without being personally identifiable. In addition, sometimes some pieces of information, there is not enough by itself to identify an individual uniquely, can uniquely identify a person when combined; this is one of the reasons that much evidence is usually presented in criminal court. It has been shown that, in 1990, 87% of the population of the United States can be uniquely identified by gender, zip code, and full date of birth.

In internet hackers and slang, the practice of finding and releasing information is called "doxing". Sometimes this is used to hinder collaboration with law enforcement. Sometimes, doxing can trigger an arrest, especially if law enforcement agencies suspect that "doxed" individuals may panic and disappear.

Maps Personally identifiable information



In the privacy law

The US government used the term "personally identifiable" in 2007 in a memorandum of the Executive Office of the President, Office of Management and Budget (OMB), and that current use appears in US standards such as NIST Guidelines for Protecting Confidentiality of Personal Identity Information (SP 800-122). The OMB memorandum defines PII as follows:

A term similar to PII, "personal data" is defined in the direction of EU 95/46/EC, for the purpose of the instructions:

However, in EU rules, there is a clearer idea that the subject of the data is potentially identified through additional processing of other attributes - quasi-or pseudo-identifiers. In the EU General Data Protection Regulations, this has been formalized in Article 4: "data subject" is "who can be identified, directly or indirectly, with the greatest possibility to be used by the controller or by other legal or legal persons." GDPR becomes available on May 25, 2018.

Another term similar to PII, "personal information" is defined in part of California's data breach notification law, SB1386:

The concept of a combination of information provided in the SB1386 definition is the key to distinguish PII correctly, as defined by OMB, from "personal information", as defined by SB1386. Information, such as names, which have no context can not be said to be SB1386's "personal information", but must be said to be PII as defined by OMB. For example, the name John Smith has no meaning in the current context and therefore is not SB1386's "personal information", but it is PII. The Social Security Number (SSN) with no name or other relevant identification or context information is not SB1386's "personal information", but it is PII. For example, SSN 078-05-1120 by itself is PII, but it is not a "personal information" SB1386. However the valid name combination with the correct SSN is SB1386 "personal information".

The combination of names with contexts can also be regarded as PII; for example, if someone's name is on the patient list for an HIV clinic. However, the name does not need to be combined with the context to become PII. The reason for this difference is that little information is like a name, although they may not be enough to make an identification, then it can be combined with other information to identify people and expose them to harm.

According to OMB, not always the case of PII "sensitive", and the context can be considered in deciding whether a particular PII or not sensitive.

Australia

In Australia, the Privacy Act of 1988 relates to the protection of individual privacy, using the OECD Privacy Principles of the 1980s to prepare a broad, principles-based regulatory model (unlike in the US, where coverage is generally not based on broad principles but on specific technology, business practices or data items). Section 6 has the relevant definition. An important detail is the definition of 'personal information' also applies where individuals can be identified indirectly:

"personal information" means information or opinions (including information or opinions forming part of the database), whether true or not, and whether recorded in material form or not, of an individual whose identity is clear, or sufficiently certain , of information or opinion. [emphasis added]

This raises the question of reasonableness: suppose theoretically possible to identify someone from the core information that says NOT including a simple name and address, but contains prompts that can be pursued to ascertain who is associated with it. How much extra effort or difficulty does one need before one can clearly say that the identity can NOT be "ascertained definitively" from it?

For example, if the information involves an IP address, and the relevant ISP keeps a log that can be easily checked (if you have enough legal justification) to re-link the IP address to the account holder, can their identities be "fixed for certain"? If connecting like that is expensive, slow and difficult, but it becomes easier, does this change the answer at some point?

It appears that this definition is significantly broader than the California example given above, and thus that Australian privacy laws, while in some cases poorly enforced, may include broader categories of data and information than in some U.S. laws. In particular, the online behavioral advertising business based in the US but secretly collecting information from people in other countries in the form of cookies, bugs, trackers and the like can find that their preference is to avoid the implication of the desire to build a psychographical profile of a particular person who using the rubric 'we do not collect personal information' may find that this does not make sense under such broad definition in the Privacy Act Australia.

Canada

  • The Privacy Act regulates Federal Government agencies
  • Ontario Freedom of Information and Protection of the Provincial Privacy and Regulations Act governs Provincial Government agencies.
  • Personal Information Protection and Electronic Document Law regulate private companies, unless there is an equivalent Provincial law
  • Ontario's Personal Health Protection Protection Act and other similar Provincial laws govern health information

European Union

European data protection law does not use the concept of PII, and its scope is instead determined by the concept of "personal data" that is not identical and broader.

  • Article 8 of the European Convention on Human Rights
  • Directive 95/46/EC (Data Protection Instructions)
    • The General Data Protection Rules adopted in April 2016 will replace the Data Protection Guidelines. (effective May 25, 2018)
  • Directive 2002/58/EC (E-Privacy Guidelines)
  • The 2006/24/EC Directive Article 5 (The Data Retention Directive)

Further examples can be found on the EU privacy website.

United Kingdom

  • English Data Protection Act 1998
  • General Data Protection Regulations (Europe, 2016)
  • Article 8 of the European Convention on Human Rights
  • British Rules for Investigatory Powers Act 2000
  • Business Data Protection Code
  • Model Contract for Data Export
  • Electronic Communications and Privacy Regulations (EC Directive) 2003
  • English Interruption Regulations Communications (Legitimate Business Practices) 2000
  • The 2001 Anti-Terrorism, Crime and Security Act
  • English Data Protection Tag 2018

New Zealand

The Twelve Information Privacy Principles of the Privacy Act 1993 apply.

Switzerland

The Federal Law on Data Protection June 19, 1992 (effective since 1993) has set up strict privacy protections by prohibiting the processing of any personal data that is not explicitly permitted by the data subject. This protection is subject to the authority of the Federal Data Protection and Information Commissioner.

In addition, anyone may request in writing of the company (managing data files) correction or deletion of any personal data. The company must respond within thirty days.

United States

The Privacy Act of 1974 (Pub.L. 93-579, 88 Stat. 1896, adopted 31 December 1974, 5 USC Ã,§§ 552a), United States federal law, establishes the Fair Information Code of Practice governing the collection, maintenance, use , and the dissemination of personally identifiable information about individuals retained in the system of records by federal agencies.

One of the main focuses of the Health Insurance Portability and Accountability Act (HIPAA), is to protect the Patient-Protected Health Information (PHI), which is similar to PII. The US Senate proposed the Privacy Act of 2005, which sought to strictly limit the appearance, purchase or sale of PII without the consent of the person. Similarly, the Anti-Phishing Act (proposed) of 2005 attempted to prevent PII's withdrawal through phishing.

US lawmakers have paid special attention to social security numbers because it can be easily used to commit identity theft. The 2005 Social Security Number Protection Act and (proposed) 2005 Identity Theft Prevention Act respectively sought to limit the distribution of individual social security numbers.

Significant state laws and court decisions

  • California
    • The California state constitution states privacy as an irrevocable right in Article 1, Section 1.
    • California Online Privacy Protection Act (OPPA) of 2003
    • SB 1386 requires organizations to notify individuals when PII is known or believed to be acquired by unauthorized persons.
    • In 2011, the California State Supreme Court ruled that one's zip code is PII.
  • Nevada
    • Nevada Budget Revision 603A-Personal Information Security
  • Massachusetts
    • 201 CMR 17.00: Standards for the Protection of Commonwealth Citizens' Personal Information
    • In 2013, the Supreme Court of Massachusetts ruled that the ZIP code is PII.
    • federal law
    • Title 18 of the United States Code, section 1028d (7)
    • The Privacy Act of 1974, codified on 5 U.S.C. Ã,§ 552a et seq.
    • US "Privacy Shield" Rules (EU Harmonization)

    What Is Personally Identifiable Information? | Shred Nations
    src: www.shrednations.com


    Forensics

    In forensics, particularly criminal identification and prosecution, identifiable personal information is essential in establishing evidence in criminal procedure. Criminals may experience major problems to avoid leaving PII, such as by:

    • wear masks, sunglasses, or clothes to hide or hide differentiating features, such as eyes, skin, and hair color, facial features, and personal marks such as tattoos, birthmarks, moles and scars.
    • wear gloves to hide fingerprints, which are PII. However, gloves can also leave prints that are as unique as human fingerprints. After collecting fingerprints, law enforcement can then match them with the gloves they collect as evidence. In many jurisdictions, the act of wearing the glove itself when committing a crime can be prosecuted as a secret violation.
    • avoid writing anything in their own handwriting.
    • hide their internet presence by methods such as using a proxy server seemingly connected from an IP address not related to oneself.

    Learning Security with Mayur: February 2018
    src: 3.bp.blogspot.com


    Personal security

    In some professions, it is dangerous for one's identity to be known, because this information can be exploited roughly by their enemies; for example, their enemies may hunt them or kidnap their loved ones to force them to cooperate. For this reason, the US Department of Defense (DoD) has a strict policy that controls the release of PII Department of Defense personnel. Many intelligence agencies have similar policies, sometimes to the point where employees do not disclose to their friends that they work for the agency.

    Similar identity protection concerns exist for witness protection programs, women shelters, and victims of domestic violence and other threats.

    Unified Governance and Integration Use Case Video: A Personally ...
    src: i.ytimg.com


    See also

    • Anonymity
    • Bundesdatenschutzgesetz
    • Identify
    • Personal identifier
    • Personal identity
    • Personal Information Agent
    • Protected health information
    • Pseudonym
    • Privacy
    • Privacy law
    • United States privacy law
    • Obfuscation
    • Supervision
    • General Data Protection Rules

    What is PII? • The Security Awareness Company
    src: i0.wp.com


    References


    What Is Personally Identifiable Information? | Shred Nations
    src: www.shrednations.com


    External links

    • Six things you need to know about the new EU privacy framework Legal analysis of the new European regulatory framework on data privacy
    • NAI: Network Advertising Initiative An internet advertising group that defines guidelines for protecting privacy, the PII definition.
    • Personal and professional information management
    • Power to the People! Give Citizens the Right of Their Personal Data Back - A Cromack
    • Rethinking Personal Data New Lens Report - World Economic Forum
    • Why Approvals Are Different from Marketing Preferences - K Dewar

    Source of the article : Wikipedia

Comments
0 Comments
Langganan: Posting Komentar (Atom)