The Digital Personal Data Protection Act 2023 (‘Digital’ being the operative word) explains in depth the roles of Data Fiduciaries, Data Processors and Data Principals in protecting digital personal data. But what exactly is Personal Data? Is it just the details printed on Government ID cards such as Aadhaar, PAN, Voter ID and the Driving License? Does it also include your phone's or laptop's IP address? Does it include data collected by your smartwatch? What about your medical records such as CT scans, X-ray reports or any other diagnostic report? In this article, let us dive into what constitutes Personally Identifiable Information (PII) and what we, as Data Principals, should do to protect our personal data.
What does Personal Data mean in India?
The DPDP Act defines ‘Personal Data’ as “any data about an individual who is identifiable by or in relation to such data”. In other words, Personally Identifiable Information (PII) is information that, when used alone or with other relevant data, can identify an individual. For example, your Aadhaar number, PAN, fingerprints, retina scans and residential address are all PII. These examples are Direct Identifiers, meaning each piece of PII can independently identify an individual without the need for additional identifiers. This kind of personal data is also known as Sensitive Personal Data. More examples of Sensitive Personal Data are listed below:
Is it important to safeguard Non-sensitive data?
Not all personal data is considered personally identifiable information. For example, data about a person's buying habits on Amazon isn't PII because it would be hard, if not impossible, to specifically point out who someone is based solely on what they've bought on Amazon.
Non-sensitive data, also known as quasi-identifiers, are identifiers that must be combined with one or more other such data points to identify an individual. Examples of non-sensitive personal data are gender, age, first name, date of birth, place of birth, religion etc. Does this mean that non-sensitive data will cause no harm to the Data Principal? Absolutely not. Imagine this scenario: a fraudster could easily hack into someone's bank account with their phone number, email address, and mother's maiden name. The email could give away your username, spoofing your phone number could give them your verification code, and the mother's maiden name answers your security question. It is nearly impossible to identify an individual using any one of these identifiers alone, but used in combination they could easily point to an individual. Hence, it is extremely important for a Data Principal not to share any personal data with unknown individuals or sites.
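The way quasi-identifiers combine can be measured on a dataset before it is shared. The following is an added example, not part of the original article: it computes k-anonymity (the size of the smallest group of records sharing the same values) for every combination of quasi-identifiers. The column names, sample rows and function names are assumptions made for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample rows (not real people), using quasi-identifiers
# named in the text above: gender, age and place of birth.
QUASI_IDENTIFIERS = ("gender", "age", "place_of_birth")
ROWS = [
    ("F", 34, "Pune"), ("F", 34, "Kochi"), ("F", 41, "Pune"), ("F", 41, "Kochi"),
    ("M", 34, "Pune"), ("M", 34, "Kochi"), ("M", 41, "Pune"), ("M", 41, "Kochi"),
    ("F", 34, "Pune"), ("M", 41, "Kochi"),
]
RECORDS = [dict(zip(QUASI_IDENTIFIERS, row)) for row in ROWS]


def group_sizes(records, columns):
    """Count how many records share each combination of values in `columns`."""
    return Counter(tuple(rec[col] for col in columns) for rec in records)


def k_anonymity(records, columns):
    """Size of the smallest group; k == 1 means someone is uniquely identifiable."""
    return min(group_sizes(records, columns).values())


def singled_out(records, columns):
    """Number of records that are the only one with their combination of values."""
    return sum(1 for size in group_sizes(records, columns).values() if size == 1)


def risk_report(records, identifiers):
    """Map every non-empty combination of identifiers to (k, singled-out count)."""
    report = {}
    for width in range(1, len(identifiers) + 1):
        for columns in combinations(identifiers, width):
            report[columns] = (k_anonymity(records, columns),
                               singled_out(records, columns))
    return report


if __name__ == "__main__":
    for columns, (k, unique) in risk_report(RECORDS, QUASI_IDENTIFIERS).items():
        print(f"{' + '.join(columns):<32} k={k}  singled out={unique}")
```

In this sample no single attribute or pair of attributes isolates anyone, yet the three together single out most of the records, which is why a release decision has to consider the columns jointly rather than one at a time.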
Personal Data vs PII Data
Is the definition of Personal Data or PII the same all around the globe? Not really! The definitions and scope of both terms change from country to country. In fact, different countries use different terms in their data privacy laws. For example, Personally Identifiable Information (PII) is a term often used in the context of U.S. data protection Acts, whereas the GDPR relies on the term "personal data" to convey a similar concept but with a broader and more globally recognised scope. In essence, all PII is personal data, but not all personal data rises to the level of being considered PII, especially in more stringent legal contexts. The definitions and categorisations may vary based on the specific laws and regulations applicable in different jurisdictions. Below are the definitions across CCPA and GDPR:
Context also determines whether something is considered PII at all. For example, aggregated anonymous geolocation data is often seen as generic personal data because the identity of any single user can't be isolated. However, individual records of anonymous geolocation data can become PII. Consider a case where a Data Processor's or a Data Fiduciary’s customized data feeds allow purchasers to identify and track specific mobile device users: the location of a mobile device at night is likely the user's home address and could be combined with property records to uncover their identity.
With these examples, it is evident that it is very hard to whitelist personal data, as the sensitivity of information can vary based on context and local regulations.
How do GDPR and CCPA compare on PII or personal data?
Are medical records and diagnostic reports considered PII?
Yes, medical records and diagnostic reports are considered PII. In fact, they are categorised as Protected Health Information (PHI). PHI is a specific subset of PII and refers to individually identifiable health information that is created, received, stored, or transmitted by healthcare providers. PHI is primarily governed by the Health Insurance Portability and Accountability Act (HIPAA) in the United States. India has been planning to implement a HIPAA equivalent, named DISHA (Digital Information Security in Healthcare Act). Until then, the DPDP Act’s provisions shall help in the protection of PHI. The DPDP Act clearly states that any data collected offline and later made digital falls under the jurisdiction of the Act, and hence any medical record in digital form shall in all likelihood be bound by the DPDP Act, 2023.