What is PII? How About Groups Of Otherwise Non-PII?

I want to continue my look at the concept of personally identifiable information (PII), and what types of items, in particular, are considered as such…

A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way…
Consider a zip code, first name, and birth year.
If you look at each of these separately, it would be hard to say you can link each of them to a specific individual. However, if you look at the three items in combination, you could very well be able to identify a specific individual. Especially in more sparsely populated geographic locations. So, does this combination of three items, as a group, represent PII?
It often takes just two pieces of information to be able to identify a specific individual. Once identified, finding out more information about that individual is trivial, and the stuff that criminals’ dreams are made of.
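To make the zip code, first name, and birth year illustration concrete, here is an added example (not part of the original post) that measures how many records each field, and each combination of fields, singles out. The records, field names, and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records (not real people): zip code, first name, birth year.
RECORDS = [
    {"zip": "50311", "first_name": "Anna", "birth_year": 1975},
    {"zip": "50311", "first_name": "Anna", "birth_year": 1982},
    {"zip": "50311", "first_name": "Mark", "birth_year": 1975},
    {"zip": "50311", "first_name": "Mark", "birth_year": 1982},
    {"zip": "52001", "first_name": "Anna", "birth_year": 1975},
    {"zip": "52001", "first_name": "Mark", "birth_year": 1982},
    {"zip": "50311", "first_name": "Anna", "birth_year": 1975},
    {"zip": "52001", "first_name": "Mark", "birth_year": 1982},
]
QUASI_IDENTIFIERS = ("zip", "first_name", "birth_year")


def group_sizes(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)


def k_anonymity(records, fields):
    """Smallest group size; k == 1 means at least one record stands alone."""
    return min(group_sizes(records, fields).values())


def singled_out(records, fields):
    """Records whose combination of `fields` values is unique in the data set."""
    sizes = group_sizes(records, fields)
    return [r for r in records if sizes[tuple(r[f] for f in fields)] == 1]


def aggregation_report(records, fields=QUASI_IDENTIFIERS):
    """Map every non-empty subset of `fields` to (k, count of unique records)."""
    report = {}
    for n in range(1, len(fields) + 1):
        for subset in combinations(fields, n):
            report[subset] = (k_anonymity(records, subset),
                              len(singled_out(records, subset)))
    return report


if __name__ == "__main__":
    for subset, (k, unique) in aggregation_report(RECORDS).items():
        print(f"{' + '.join(subset):34} k={k}  singled out: {unique}/{len(RECORDS)}")
```

In this sample no single field isolates anyone, yet every pair of fields isolates at least one record, and all three together isolate half of them, most visibly in the zip code with fewer records.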
In fact, the bits and pieces of fairly non-valuable information, when gathered and considered as a whole, are much more valuable than the sum of the individual items. This data composition, or aggregation if you prefer, can provide very revealing insights into people’s lives, activities, purchases, likes, dislikes. Or, they could create revelations that actually turn out to be incorrect!
The privacy concern with putting together pieces of non-PII to determine different aspects about individuals is that those determinations may be right, but often are wrong. Often decisions are made based upon those pieces of aggregated data. Often bad decisions related to providing insurance, credit, hiring, and even legal investigations.
We are more than just the strict sum of a few pieces of information that may point to us.
And often mistakes in the non-PII data get propagated to lead to even more bad decisions about individuals. These types of situations have happened many times.
So, does de-identifying information, in ways such as required by HIPAA, truly protect privacy within aggregated data? Those 18 types of information specified by HIPAA are fairly effective at removing almost all pointers. But few, if any, other types of U.S. laws have such strict de-identification requirements. Laws in other countries do. How de-identification occurs will determine if it truly is effective in protecting privacy.
And the pieces of information gathered are usually assumed to be accurate, but it is likely that many are not. Consider all those online offers to receive “free” stuff in return for filling out a short survey. How many of you provide accurate information in those surveys? A large portion of people do not put their real birthdates, middle names, and so on. However, that survey information will likely become part of your digital shadow.
And certainly even your search terms can become associated with your digital biography. Just look at the current concerns with how Google uses all its aggregated data to form conclusions about the people using their tools.
So, is there anything that can be done? Or, are the horses out of the barn and way past the back forty, never to be corralled again?
The data aggregation will likely continue. However…

  • What is actually done with the aggregated information can be addressed.
  • And providing some required safeguards for aggregated data used as PII is also a possibility.

Okay, here’s a radical idea…don’t throw shoes yet, but at least think about it…
Should we impose fines on organizations that misuse aggregations of information? Or, use PII for other types of information that is not actually PII, but when aggregated reveals PII?
For example, when businesses use SSNs for customer IDs or passwords, or for purposes other than those for which they were originally created? And then all those other pieces of information get propagated and used for other purposes as well.
I know, there are already way too many laws, but should something like this be included in an all-encompassing federal regulation to replace all those jigsaw pieces of other laws?
All food for thought.
There has also been much debate about what specific types of items should be considered as PII. If information can be found publicly does that mean it is not PII? I’m going to hit upon this in my next blog post.
