The Digital Personal Data Protection (DPDP) Act 2023, ‘digital’ being the operative word, defines the roles of Data Fiduciaries, Data Processors and Data Principals in protecting digital personal data. But what exactly is personal data? Is it just the details printed on Government ID cards such as Aadhaar, PAN, Voter ID and Driving License? Does it also include your phone’s or laptop’s IP address? Does it include data collected by your smartwatch? What about medical records such as CT scans, X-ray reports or other diagnostic reports? Personal data is much more than what most of us intuitively think it is. In this article, we take a closer look at what constitutes personal data.
‘Personal Data’ as defined in the DPDP Act is “any data about an individual who is identifiable by or in relation to such data”. Personal data, or in other words Personally Identifiable Information (PII), is any information that, used alone or along with other relevant data, can identify an individual. For example, your Aadhaar number, PAN, fingerprints, retina scans and residential address are all PII. These are Direct Identifiers: each one can independently identify an individual without any additional data. This category is commonly treated as Sensitive Personal Data, although the DPDP Act itself, unlike the earlier Personal Data Protection Bill, does not define a separate ‘sensitive’ category and applies one standard to all digital personal data.
Not every data point about a person is, on its own, identifying. For example, a person’s purchase history on Amazon is not a direct identifier, because it would be hard, if not impossible, to work out who someone is based solely on what they have bought. It does, however, remain personal data once it is tied to an account, and it can act as a quasi-identifier when combined with other data.
Non-sensitive personal data, also known as quasi-identifiers, are attributes that need to be combined with one or more other data points before they identify an individual. Examples are gender, age, first name, date of birth, place of birth, religion, marital status, etc. Note that ‘non-sensitive’ here refers only to identifying power, not to the harm disclosure can cause: several of these, religion in particular, are special-category data under the GDPR.
Does this mean non-sensitive data can cause a Data Principal no harm? Imagine this scenario: a fraudster takes over someone’s Instagram account with just their phone number, email address and mother’s maiden name. The email address reveals the username, hijacking the phone number (for example through a SIM swap) yields the verification code, and the mother’s maiden name answers the security question. It is near impossible to identify an individual from any one of these identifiers alone, but in combination they point to a single person. Hence a Data Principal should not share personal data, sensitive or not, with unknown individuals or sites.
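The combination effect described above can be measured. The following is an added example, not code from the original article: it takes a constructed six-record extract with direct identifiers already removed and computes, for every subset of the quasi-identifiers gender, date of birth and PIN code, the k-anonymity (size of the smallest group of records sharing those values) and how many records an attacker who knows those attributes could single out. It generalises the text’s two-identifier scenario to any set of columns; all records, names and PIN codes are made up.

```python
"""
Added example (not from the original article): quasi-identifiers that are
harmless alone become identifying in combination. The RECORDS table is a
constructed, fictional 'de-identified' export; no real people are described.
"""
from collections import Counter
from itertools import combinations

RECORDS = [  # constructed sample data
    {"gender": "F", "dob": "1990-03-14", "pin": "560001", "diagnosis": "asthma"},
    {"gender": "F", "dob": "1990-03-14", "pin": "560002", "diagnosis": "none"},
    {"gender": "M", "dob": "1990-03-14", "pin": "560001", "diagnosis": "diabetes"},
    {"gender": "F", "dob": "1985-07-01", "pin": "560001", "diagnosis": "none"},
    {"gender": "M", "dob": "1985-07-01", "pin": "560001", "diagnosis": "hypertension"},
    {"gender": "M", "dob": "1985-07-01", "pin": "560002", "diagnosis": "none"},
]


def equivalence_classes(records, columns):
    """Group records by the values of the chosen quasi-identifier columns.
    Returns a Counter mapping a tuple of values to the number of records sharing it."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def k_anonymity(records, columns):
    """k is the size of the smallest equivalence class; k == 1 means at least
    one person is uniquely pinned down by these columns alone."""
    return min(equivalence_classes(records, columns).values())


def singled_out(records, columns):
    """Number of records that are unique under the given columns, i.e. the
    number of individuals an attacker who knows those attributes can identify."""
    classes = equivalence_classes(records, columns)
    return sum(1 for r in records if classes[tuple(r[c] for c in columns)] == 1)


def reidentification_report(records, quasi_ids):
    """For every non-empty subset of quasi-identifiers, report (k, singled_out)."""
    report = {}
    for n in range(1, len(quasi_ids) + 1):
        for cols in combinations(quasi_ids, n):
            report[cols] = (k_anonymity(records, cols), singled_out(records, cols))
    return report


if __name__ == "__main__":
    for cols, (k, unique) in reidentification_report(RECORDS, ("gender", "dob", "pin")).items():
        print(f"{'+'.join(cols):<18} k={k}  uniquely identified={unique}/{len(RECORDS)}")
```

On the sample, each attribute alone gives k of 2 or 3 and singles out nobody; any two of them already single out two people, and all three together make every record unique, at which point the ‘non-sensitive’ diagnosis column is attributable to a named person via a voter roll or similar list that carries the same three attributes. The same report run over a real export before release is a cheap check on whether a dataset is actually anonymous.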
Hence neither sensitive nor non-sensitive personal data elements may be overlooked by a Data Fiduciary in its consent notice and privacy documents.
Is the definition of personal data or PII the same all around the globe? Not really. The definitions and scope of both terms change from country to country, and different countries use different words in their data privacy laws. For example, Personally Identifiable Information (PII) is the term generally used in U.S. data protection law, whereas the GDPR uses ‘personal data’ to convey a similar concept with a broader, more widely recognised scope.
The definitions and categorisations may vary based on the specific laws and regulations applicable in different jurisdictions. Below are the definitions across CCPA and GDPR:
Context also determines whether something is PII at all. For example, aggregated ‘anonymous geolocation’ data is often treated as non-personal, because the identity of any single user cannot be isolated from it. Individual records of ‘anonymous’ geolocation data, however, can become PII. Consider a Data Fiduciary whose customised data feeds allow a recipient to single out and track a specific mobile device. The location of that device at night is very likely the user’s home address, which can be combined with property records to uncover their identity.
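The home-address inference just described, as an added example that is not part of the original article: the pings below carry only a random device token, yet grouping the night-time pings onto a coarse grid and taking the most common cell recovers a home location, and a lookup against a property register (stubbed here with a constructed table) turns the token into a name. Device tokens, timestamps, coordinates and the register are all constructed for illustration; the night window, grid precision and minimum-ping threshold are assumed parameters.

```python
"""
Added example (not from the original article): why per-device location
records are personal data even when the device identifier is a random token.
All pings and the 'property register' below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed pings: (pseudonymous device id, local timestamp, lat, lon).
PINGS = [
    ("tok-7f3a", "2024-02-01T09:10:00", 12.9716, 77.5946),  # daytime, office
    ("tok-7f3a", "2024-02-01T13:40:00", 12.9718, 77.5949),
    ("tok-7f3a", "2024-02-01T23:05:00", 12.9352, 77.6242),  # night, home
    ("tok-7f3a", "2024-02-02T02:30:00", 12.9351, 77.6243),
    ("tok-7f3a", "2024-02-02T05:15:00", 12.9353, 77.6241),
    ("tok-7f3a", "2024-02-02T11:00:00", 12.9716, 77.5947),
    ("tok-7f3a", "2024-02-02T23:30:00", 12.9352, 77.6244),
    ("tok-7f3a", "2024-02-03T00:45:00", 12.9760, 77.6030),  # one night away
    ("tok-c019", "2024-02-01T10:00:00", 13.0827, 80.2707),
    ("tok-c019", "2024-02-01T23:50:00", 13.0401, 80.2332),  # too few night pings
]

# Constructed, hypothetical 'property register': grid cell -> registered occupant.
PROPERTY_REGISTER = {
    (12.935, 77.624): "A. Resident, 14 Example Lane",
    (12.972, 77.595): "Example Offices Pvt Ltd",
}


def is_night(ts, start_hour=22, end_hour=6):
    """True if the local timestamp falls in the assumed sleeping window."""
    hour = datetime.fromisoformat(ts).hour
    return hour >= start_hour or hour < end_hour


def cell(lat, lon, precision=3):
    """Snap a coordinate to a grid of roughly 100 m so nearby pings share a key."""
    return (round(lat, precision), round(lon, precision))


def infer_home_cells(pings, min_night_pings=3):
    """Per device, the grid cell where most night-time pings fall.
    Returns device_id -> (cell, share of that device's night pings in the cell).
    Devices with fewer than min_night_pings night pings are skipped as too noisy."""
    night_cells = defaultdict(Counter)
    for dev, ts, lat, lon in pings:
        if is_night(ts):
            night_cells[dev][cell(lat, lon)] += 1
    homes = {}
    for dev, counts in night_cells.items():
        total = sum(counts.values())
        if total < min_night_pings:
            continue
        best, n = counts.most_common(1)[0]
        homes[dev] = (best, n / total)
    return homes


def reidentify(pings, register):
    """Link each pseudonymous device to the occupant registered at its inferred home."""
    return {dev: register.get(home) for dev, (home, _) in infer_home_cells(pings).items()}


if __name__ == "__main__":
    for dev, (home, share) in infer_home_cells(PINGS).items():
        print(f"{dev}: probable home cell {home} ({share:.0%} of night pings)")
    print(reidentify(PINGS, PROPERTY_REGISTER))
```

Nothing in the feed is a direct identifier, yet the output names a person. That is the practical test a Data Fiduciary should apply to a ‘de-identified’ feed before treating it as outside the Act: not whether names were removed, but whether a recipient can single someone out.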
These examples make it clear that it is very hard to draw up a universal list of what counts as personal data, because the sensitivity of information varies with context. Each Data Fiduciary must therefore evaluate every data item it collects and clearly map which ones constitute personally identifiable information, alone or in combination.
Medical records and diagnostic reports are PII. In fact, they fall into a specific subset of PII known as Protected Health Information (PHI): individually identifiable health information that is created, received, stored or transmitted by healthcare providers and other covered entities. PHI is primarily governed by the Health Insurance Portability and Accountability Act (HIPAA) in the United States. India has been planning a HIPAA equivalent, the draft Digital Information Security in Healthcare Act (DISHA), which has not yet been enacted. Until then, the DPDP Act’s provisions apply to PHI. The Act covers personal data collected in digital form as well as data collected offline and digitised later, so any medical record held in digital form will in all likelihood fall under the DPDP Act, 2023.
Cookies, while not inherently PII, can become PII based on their usage and the data they encapsulate. As small text files placed on a user’s device, cookies are designed to enhance the browsing experience by remembering preferences, tracking activities, and facilitating smoother site interactions. Typically, they carry anonymous data like unique identifiers or navigational cues that don’t directly disclose user identity. There are two types of cookies - First party and Third party.
First-party cookies are set directly by the website the user visits, enabling site-specific preferences and functionality such as login status and language settings. Third-party cookies, in contrast, are set by domains other than the one being visited. They are mostly used for tracking and advertising across websites and can carry detailed profiles of user behaviour and preferences. The boundary between anonymous and identifiable data blurs when cookies capture, or are linked with, identifiable information such as names, email addresses or IP addresses. Such data can be used to pinpoint, contact or locate an individual, which brings those cookies within PII under certain conditions.
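A practical check for the two distinctions just made, added here as an example that is not part of the original article: parse the Set-Cookie headers a page returns, classify each cookie as first- or third-party by comparing its Domain attribute with the site being visited, and flag values that carry a direct identifier (email address, Indian mobile number, IPv4 address) rather than an opaque token, including values that are only URL- or base64-encoded. The headers are constructed, the hostnames are documentation-style example names, and the two-label ‘registrable domain’ rule is a deliberate simplification (real code should use the Public Suffix List so that `example.co.in` is handled correctly).

```python
"""
Added example (not from the original article): audit Set-Cookie headers for
first-/third-party status and for values that embed PII. Sample headers and
domains are constructed; the eTLD+1 logic is a simplified assumption.
"""
import base64
import binascii
import re
from http.cookies import SimpleCookie
from urllib.parse import unquote

PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "phone_in": re.compile(r"(?<!\d)(?:\+91[\s-]?)?[6-9]\d{9}(?!\d)"),
}


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Assumption for the sample only;
    production code should consult the Public Suffix List."""
    return ".".join(host.lower().lstrip(".").split(".")[-2:])


def cookie_party(site_host, cookie_domain):
    """A cookie with no Domain attribute is host-only, hence first-party."""
    domain = cookie_domain or site_host
    same = registrable_domain(domain) == registrable_domain(site_host)
    return "first-party" if same else "third-party"


def decodings(value):
    """Yield the raw value plus URL- and base64-decoded variants, because
    identifiers are often lightly encoded rather than actually hidden."""
    yield value
    decoded = unquote(value)
    if decoded != value:
        yield decoded
    try:
        padded = value + "=" * (-len(value) % 4)
        yield base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        pass  # not base64, or base64 of binary: treat as an opaque token


def find_pii(value):
    """Sorted list of PII pattern names found in any decoding of the value."""
    found = set()
    for variant in decodings(value):
        for name, pattern in PII_PATTERNS.items():
            if pattern.search(variant):
                found.add(name)
    return sorted(found)


def audit_set_cookie(site_host, set_cookie_headers):
    """One result dict per cookie: name, party, and PII patterns in its value."""
    results = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            results.append({
                "name": name,
                "party": cookie_party(site_host, morsel["domain"]),
                "pii": find_pii(morsel.value),
            })
    return results


SAMPLE_HEADERS = [  # constructed Set-Cookie headers as seen on shop.example.in
    "session=9f86d081884c7d659a2feaa0c55ad015; Domain=shop.example.in; Path=/; HttpOnly; Secure",
    "lang=en-IN; Path=/",
    "_adid=dXNlcjEyM0BleGFtcGxlLmNvbQ==; Domain=.ads.example-tracker.com; Path=/",
    "remember=user%40example.com%7C9876543210; Domain=shop.example.in; Path=/",
]

if __name__ == "__main__":
    for entry in audit_set_cookie("shop.example.in", SAMPLE_HEADERS):
        print(entry)
```

Two of the sample cookies are the point of the paragraph: the third-party `_adid` cookie is an email address behind a base64 wrapper, and the first-party `remember` cookie URL-encodes an email address and a mobile number. Party status says nothing about whether a cookie is PII; the value does, and a first-party cookie carrying a direct identifier needs the same notice and consent treatment as any other personal data.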
Google's announced plan to eliminate third-party cookies in Chrome by the end of 2024 (a plan it has since shelved, so third-party cookies remain in use) shifted the industry’s focus towards first-party data collection, making it imperative for websites, now acting as Data Fiduciaries, to gather user information directly rather than through third-party tracking mechanisms. This pivot underscores the necessity of treating cookies with the same caution as PII, given their potential to identify individuals either in isolation or combined with other data.