Personally identifiable information (PII) gathering

The gathering of personally identifiable information (PII) is the practice of collecting public and private personal data that can be used to identify an individual for both legal and illegal applications. PII owners often view PII gathering as a threat and violation of their privacy. Meanwhile, entities such as information technology companies, governments, and organizations use PII for data analysis of consumer shopping behaviors, political preference, and personal interests. With the development of new information technology, PII is easier to access and share than before. The use of smartphones and social media has contributed to the widespread usage of PII gathering. PII is collected anywhere and anytime. The dissemination of personal data makes PII gathering a hotly debated social issue. Recent illegal PII gathering by data collection companies, such as Cambridge Analytica on Facebook of over 87 million users, has caused increasing concern over privacy violation and has renewed calls for more comprehensive data protection laws. Major security breaches at Equifax, Target, Yahoo, Home Depot, and the United States Office of Personnel Management impacted personal and financial information of millions of Americans, with calls for increasing information technology security and protection of PII data by businesses and governmental agencies.


Definition

There is no precise definition for PII gathering. According to the U.S. National Institute of Standards and Technology (NIST), PII is defined as:
(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial and employment information.
PII gathering is any activity that collects, organizes, manipulates, analyzes, exchanges, or shares this data.


Collectors


Governments

Governments publicly collect PII to extend social and legal benefits, such as improving social services, and to fulfill legal obligations. Depending on a country's governmental archetype, such as democratic or authoritarian, PII gathering is conducted using different methods. Regardless, countries share similar goals with PII gathering, as demonstrated by the examples below.


United States

In the United States, PII is gathered through application for assistance, registration of property, tax filing, registration for selective services, application for driver's license, government employment, professional licensure, and other voluntary and mandatory information submission. PII is stored, accessed, and shared between different levels of government, departments, agencies, non-governmental entities, and the public. For example, a potential home buyer can look up whether a real estate agent is licensed. The government also gathers PII for crime prevention and national security purposes. Many of the programs are highly controversial among the US public. For example, the National Security Agency (NSA) collects and analyzes PII, including phone calls, emails, and social media interactions, from large numbers of people to uncover potential threats.


China

The Chinese government has made big data part of its governance strategy. The goal is a more efficient and transparent government through the use of digital technology. The government has implemented one of the most technologically advanced surveillance networks on the planet, called “Skynet” (天网监控系统). The system uses artificial intelligence, including facial recognition. Twenty million cameras were installed to cover nearly every single public space in the country. PII protection in China deals with collection by private companies and organizations. There has been no discussion or proposal about limiting government involvement in collecting, gathering, and analyzing PII.


Finland

Even in western democratic systems, there are different constraints on PII gathering. Nations in the European Union adopt stricter regulation of PII collection than the United States. Similarly, personal data processing in Finland has been protected under comprehensive regulations and laws. The Personal Data Act in 1999 was the main national privacy regulation alongside the 1995 European Union Data Protection Directive. Other data regulations enacted in Finland include the Act on the Protection of Privacy in Electronic Communication, the Act on the Protection of Privacy in Working Life, and the Act on the Openness of Governmental Activities. The Personal Data Act was replaced by the European Union General Data Protection Regulation (GDPR), which will take effect in May 2018. Enforcement of privacy regulations has gotten stricter in recent years after a ruling by the European Court of Human Rights which found that a Finnish hospital failed to safeguard personal data.


Companies

With the rapid growth and development of Internet and mobile technologies, private companies are able to collect personal data more quickly and effectively than before. Companies gather PII by storing profile information when users register a new account, tracking users' location, tracking users' local storage, and using cookies and other anonymous identifiers. Data brokers, also known as information brokers, are the major dealers in gathering, transforming, packaging, and selling personal data. They gather PII from these resources: 1) Government documents and records, e.g. registration information, crime records. 2) Publicly available sources, including social media, blogs, and Internet websites. For example, Facebook users frequently post their personal information online and share their preferred links. As the site requires users to register with their real identities, it offers the opportunity for data brokers to store and analyze the individual's personality and preference. 3) Approved companies, businesses, or services that are authorized by users, willingly or sometimes unknowingly, to access their personal profiles. Similarly, online users are often asked to provide PII in order to register an account on a website. The website will then inform users about data gathering and the benefits of storing the data, such as no need to enter the password every time and more effective personal advertisements. However, these approved companies would sell the PII they collected and stored to data brokers, mostly without users’ knowledge or consent. The Facebook–Cambridge Analytica data scandal is an example. Cambridge Analytica traced personality traits from potential voters’ activities on Facebook, such as their “likes” and locations, and used this personal information to predict voting behaviors. Cambridge Analytica acquired over 87 million users’ PII. Only about 270,000 consented to the use of their data for academic purposes, while all other users’ PII was collected illegally by Cambridge Analytica.


Hackers

Hackers are individuals or organizations that collect PII data illegally. They are driven mostly by financial interests, but sometimes by political ones, such as the hacking of Sony by North Korean hackers. Hackers from North Korea targeted Sony Pictures in retaliation for the planned release of “The Interview,” a movie about the fictional assassination of North Korean leader Kim Jong-Un. The incident resulted in the release of Social Security numbers, salary information, and medical records of Sony employees. Hackers use spyware, viruses, backdoors, social engineering or other methods to steal and collect PII data from individuals, companies, governments, and other organizations. For example, the security of Equifax, one of the largest credit companies in the world, was compromised by hackers, and PII for millions of Americans was stolen.


Related laws

PII gathering is often associated with violation of privacy and is often opposed by privacy advocates. Democratic countries, such as the United States and those in the European Union, have more developed privacy laws against PII gathering. Laws in the European Union offer more comprehensive and uniform protection of personal data. In the United States, federal data protection laws are approached sector by sector. Authoritarian countries often lack PII gathering protection for citizens. For example, Chinese citizens enjoy legislative protection against private companies, but have no protection from government violation.


European Union

* The General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
The GDPR will take effect on May 25, 2018 and offers comprehensive privacy protection consistent across all sectors and industries. The regulation applies to all businesses and government agencies in the European Union countries. It also regulates all foreign companies and organizations offering services in Europe. Violation of and non-compliance with the GDPR may result in penalties of up to 4 percent of the business’ worldwide annual revenue. GDPR requires businesses and government agencies to get consent for data processing, anonymize collected data, provide quick notifications of data breaches, handle data transfers across borders safely, and appoint a data protection officer.


United States

* The Federal Trade Commission Act
Section 5 of the Federal Trade Commission Act (FTC Act) is used to make companies safeguard collected PII data. A company in the United States is not required to have a privacy policy, but is obliged to comply with it if the company has disclosed one. The company also cannot retroactively change its data collection policy without offering an opportunity for users to opt out. The FTC imposed a $100 million penalty on LifeLock for failing to protect customers' PII data, such as social security numbers, credit card numbers, and bank account numbers, and for violating the terms of a 2010 federal court order. The FTC also uses the Behavioral Advertising Principle to provide guidelines and suggestions for website operators on data collection practices, activity tracking, and opt-out mechanisms. A website operator is requested to obtain express consent before sensitive PII data, such as social security numbers, financial data, health information, and data of minors, can be collected and used. The Behavioral Advertising Principle also calls for reasonable security to protect the collected personal data and for data retention limited to as long as is necessary to fulfill a legitimate business or law enforcement need. The principle is also self-regulatory and intended to encourage more discussion and further development by all interested parties.
* The Financial Services Modernization Act
* The Health Insurance Portability and Accountability Act
* The Fair Credit Reporting Act
* The Controlling the Assault of Non-Solicited Pornography and Marketing Act
* The Electronic Communications Privacy Act


Concerns

PII gathering is usually viewed by the public as a violation of privacy. A major concern is that PII gathering allows for the classification of individuals and groups, which leads to discrimination and loss of individual and collective freedom. Other perceived risks include: “(1) monetary risk is the risk associated with potential financial loss, (2) social risk is the risk associated with threats to an individual’s self-esteem, reputation, and/or the perceptions of others, (3) physical risk is the risk associated with bodily injury, and (4) psychological risk is the risk associated with potential negative emotions such as anxiety, distress, and/or conflicts with self-image.” A 2018 Gallup poll indicated that more people are now concerned with invasion of privacy and data gathering after the revelation that personal data of Facebook users was collected and shared with Cambridge Analytica without consent. The survey showed that 43% of Facebook users are “very concerned” compared to 30% in 2011, with similar responses from Google users. There are also increasing concerns that personal data is being collected even if users are not logged in or not using the services. The data is collected to target users with tailored advertising services. Concerns over unauthorized data collection and use have resulted in many users stopping using Facebook or moving to other social media platforms, with increasing calls for broad privacy regulation from the government, including the ability for users to opt out of data collection completely.


See also

* Personally identifiable information
* Data collection
* Information security
* Privacy and Electronic Communications Directive 2002 (also known as ePrivacy Directive)
* Data mining
* General Data Protection Regulation (EU)
* Privacy law
* Privacy in education
* Privacy and the US government

