
Around the world, countries are introducing privacy laws to protect the personal information of their citizens. As a business, it’s important that you know exactly what personal information is, or you risk fines and loss of business. By the end of this article, you’ll know what personal information is, why it’s protected, the different types of personal information, and the different ways countries around the world define what counts as “personal information”.


What is personal information in data privacy

Personal information – also referred to as personal data (in the EU) or personally identifiable information (PII) – is any information that can be used to identify a person (data subject).

It’s important to note that while similar, the definition of personal information differs significantly across jurisdictions, with the GDPR being the broadest with the fewest exclusions to what counts as personal data. If you’re making a privacy policy or managing your business’s privacy compliance, you’ll need to understand the definition in accordance with the privacy law that applies to you and your users. To help you with this, at the end of this article, we’ve provided the official definitions of personal information directly from the text of the largest data privacy laws and regulations around the world.

What are the different types of personal information?

There are two categories of personal data:

  1. General Personal Data
  2. Sensitive Personal Data

These categories are recognized under several international data privacy laws, including the GDPR (EU), LGPD (Brazil), APPI (Japan), the Privacy Act (Australia), and the POPI Act (South Africa).

What is General Personal Data?

General Personal Data is any information that can identify an individual, for example, names, addresses, dates of birth, IP addresses, and economic information.

What is Sensitive Personal Data?

Sensitive Personal Data, sometimes referred to as special personal information or “special care-required” personal information, is any personal information that requires additional protection. Examples of sensitive personal data include health information, racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, and sexual orientation.

What is not considered personal information?

For information to be considered non-personal information, it must have been anonymized (irreversibly unlinked) with all identifiers removed (de-identified information), or it must be information that has never been linked to an individual in the first place (non-identifiable information).

Is publicly available information still personal information?

Yes, for example, under the GDPR, any information that can be used to identify a person is personal information with no exception, even if it is publicly available.

However, in some jurisdictions, information that is publicly available, such as government records or data that individuals have made available to the general public, may be excluded from some protections. For example, the California Consumer Privacy Act (CCPA) doesn’t consider publicly available information from federal, state, or local government records as personal information, meaning additional consent may not be required if it is being used for its original public purpose.

Examples of personal information

  • Identifiable information: Names, addresses, phone numbers, and social security numbers.
  • Financial information: Bank account numbers and credit records.
  • Health information: Information about an individual’s physical or mental health, including medical conditions and treatments.
  • Racial or ethnic origin: Data revealing a person’s racial or ethnic background.
  • Political opinions: Information about a person’s political beliefs or affiliations.
  • Religious or philosophical beliefs: Information about an individual’s religious beliefs or philosophical convictions.
  • Trade union membership: Information indicating membership in a trade union.
  • Genetic data: Data obtained from a person’s genetic material.
  • Biometric data: Information used for identification purposes, such as fingerprints or facial recognition.
  • Sexual orientation: Information that reveals an individual’s sex life or sexual orientation.
  • Internet or other electronic network activity information: Information that reveals an individual’s browsing history and search history.
  • Device information: IP addresses, device types, or operating systems.
  • Geolocation data: Precise geographic location information.
  • Audio, electronic, visual, thermal, olfactory, or similar information: Images and audio recordings that can identify a person.
  • Professional or employment-related information: Job history or historical job performance.
  • Education information: School reports, certifications, diplomas, and degrees.
  • Inferences drawn from personal information: Information that reflects an individual’s preferences or behavior.

Why is it important to understand what personal information is?

Whether you understand them or not, countries around the world have introduced laws that protect the personal information of their citizens, and that may include information you personally might not consider valuable or sensitive. In most cases, you’ll be required to obtain user consent before processing personal information. Misunderstanding what qualifies could mean fines for mishandling data you didn’t realize was protected.

You’ll need to know what types of data count as personal information in your jurisdiction before:

  • Making a privacy policy
  • Installing analytics or tracking software on your website
  • Collecting personal information from customers
  • Responding to “delete my data” requests
  • Handling and reporting a data breach
  • Disposing of old client records
  • Working with third parties
  • Training staff on data handling
  • Marketing your business

Why is personal information protected by data privacy laws?

While it’s fairly common to hear people say things like “my data isn’t important” or “why would anyone want to waste their time spying on me?”, the truth is, personal data is valuable and vulnerable to misuse. Without protection, personal information can easily fall into the wrong hands and be used for things like identity theft, financial fraud, and other forms of exploitation.

The digital world we live in has enabled businesses to collect excessive amounts of personal information from their customers in the name of increasing profits. This modern problem raises new concerns around the security of this personal data and the privacy rights of the data subjects from whom it was collected. Data privacy laws protect these rights and make organizations accountable for handling personal information responsibly and securely, protecting it from misuse or exploitation.

Definitions of personal information according to different jurisdictions

All data privacy laws have nuances in how they define personal information. Here are the definitions straight from the official texts of the biggest data privacy laws and regulations around the world.

What is personal information under the GDPR (EU)?

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”

What is personal information under the CCPA (California)?

The CCPA defines personal information as “information that identifies, relates to, or could reasonably be linked with you or your household. For example, it could include your name, social security number, email address, records of products purchased, internet browsing history, geolocation data, fingerprints, and inferences from other personal information that could create a profile about your preferences and characteristics.”

What is personal information under the PIPEDA (Canada)?

PIPEDA defines personal information as any “information about an identifiable individual (renseignement personnel)”.

What is personal information under The Privacy Act (Australia)?

The Privacy Act defines personal information as “information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  • whether the information or opinion is true or not; and
  • whether the information or opinion is recorded in a material form or not.”

What is personal information under the POPI Act (South Africa)?

The POPI Act defines personal information as “information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person, including, but not limited to:

  • Information relating to the race, gender, sex, pregnancy, marital status, national, ethnic or social origin, color, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth of the person.
  • Information relating to the education or the medical, financial, criminal, or employment history of the person.
  • Any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment to the person.
  • The biometric information of the person.
  • The personal opinions, views, or preferences of the person.
  • Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature, or further correspondence that would reveal the contents of the original correspondence.
  • The views or opinions of another individual about the person.
  • The name of the person if it appears with other personal information relating to the person, or if the disclosure of the name itself would reveal information about the person.”