This week I want to look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such…
Last week the news of the Seattle judge ruling that IP addresses were not considered to be personally identifiable information (PII) hit numerous blogs and filled the twitterverse.
According to the judge
“”In order for ‘personally identifiable information’ to be personally identifiable, it must identify a person. But an IP address identifies a computer,” U.S. District Court Judge Richard Jones said in a written decision.”
Using this logic, then, a cell phone number would not be considered as PII either, because it really identifies a phone, not a person. But, this is generally not the case.
However, this is just one ruling, and it goes against multiple laws that clearly list IP addresses as being PII. For example, the U.S. Health Insurance Portability and Accountability Act (HIPAA) explicitly lists “IP address” as one of the PII items, referenced as “Protected Health Information,” that must be protected under the law.
This ruling also goes against other court decisions. And this is nothing new. For example, in June 2005, the Swedish Data Inspection Board ruled that an IP address was PII under the Personal Data Act.
In my next blog post I’ll discuss how you PII is created by the ways in which pieces of information are used, even though each on their own are not considered as PII.
Tags: awareness and training, HIPAA, Information Security, IT compliance, IT training, personally identifiable information, PII, policies and procedures, privacy training, security training