Personal Identity Information (PII) (sometimes called “notice-triggering data) refers to information that can be used to uniquely identify, contact, or locate a single person or can be used with other sources to uniquely identify a single individual. It has been defined as information: (i) that directly identifies an individual (e.g., name, address, or other identifying number or code, telephone number, email address, drivers license, debit/credit card number, medical information, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.Generally, it is data or information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered PII.
Non-personally identifiable information (non-PII) is data that cannot be used on its own to trace, or identify a person, so basically the opposite of PII. Examples of non-PII include, but are not limited to things such as Device IDs; IP addresses, and Cookies.
PII can be sensitive or non-sensitive. Sensitive PII is information which, when disclosed, could result in harm to the individual whose privacy has been breached. Such information includes biometric information, medical information, personally identifiable financial information and unique identifiers such as passport or Social Security numbers.
Non-sensitive PII is information that can be transmitted in an unencrypted form without resulting in harm to the individual. Non-sensitive PII can be easily gathered from public records, phone books, corporate directories and websites.
The loss of PII can result in substantial harm to individuals, including identity theft or other fraudulent use of the information.
The concept of PII is not new; it has been with us since the days of the great philosophers. One great philosopher, René Descartes who is often called the father of modern science is well known for his statement Cogito ergo sum — “I think, therefore I am.” His philosophy gave rise to the question about personal identity which was popularized by his successors John Locke and David Hume.
Today, the advent of the Internet has made it easier to collect PII. Information technologies have made it possible to collect, process and exchange detailed personal profiles on people and systems. Personal information on individuals is increasingly shared between companies that do not belong to the same industry. Such exchanges may normally occur for purposes of risk assessment, identity verification or cross-marketing.
Most countries require the protection of Personal Identity Information (PII) and that affected individuals must be notified of any reasonable suspicion of a compromise of that protection.
The advent of various Independent Identity Management (IDM) initiatives and the transition to open computing environment based on web 2:0 tools and Cloud Computing makes it easier for resources to be shared across different organizations. Some examples of the IDM’s currently taking place are: the implementation of a biometrics-based national identification system by the National Identification Authority (NIA), the National Health Insurance Scheme (NHIS), data to process a biometric passport, the introduction of a biometrics-based driver’s licence by the Drivers and Vehicle Licensing Agency (DVLA), the biometric voter registration by the Electoral Commission, and the recently introduced Ghana Card.
Birth, death, marriage, business registrations, and social security are other forms of registrations performed by various government agencies in different formats and databases. Many of the Independent Identity Management projects are initiated by government agencies with little private sector participation.
The issue then is, how do we protect personal identity information so that it doesn’t get into the wrong hands; how do we protect this data so that it is not abused and misused; how do we employ effective data management practices to secure PII; what systems, policies, and regulatory framework have been put in place to govern the use and commercialization of secondary data?
In most developed countries, rigid regulations exist for the usage and monitoring of personal information. In the United Kingdom, for example, the Data Protection Act of 1998 exist to ensure that personal data collected is handled in the most responsible manner.
Africa and for that matter Ghana, legislation is yet to emerge to govern the
usage and dissemination of personal data collected. In August 2010, Ghana took the first step in
this direction when it initiated a stakeholder consultation for the passage of
the Data Protection Bill (DPB) and the Electronic Communications Regulations
Bill (ECRB) to serve as legal instruments for the safeguarding of personal data
and privacy. The Bill provides for the protection of privacy through the
regulation of information processing relating to individuals including the
method by which data is obtained, held, used or disclosed.
The scope of the Electronic Communications Regulations as outlined in the document includes voice telephony, broadcasting and radar frequency, and standardisation of communications equipment and systems. Also, it focuses on licensing and frequency authorization and dispute resolutions, critical matters affecting the communication industry generally and for the enforcement of the provisions of Act 775 – Electronic Communications Act.
In December 2008 and January 2009, the government enacted the Electronic Transaction Act (Act 772) and the Electronic Communications Act (Act 775) to provide for and facilitate the electronic communications and related transactions in the public interest. These initiatives will go a long way to lay the legal framework for the safe guarding of personal data and privacy.
Nana Prof. Osei Darkwa,
African Virtual Campus