QOTD - PrivacyProf on Data Aggregation

We are more than just the strict sum of a few pieces of information that may point to us.

A topic that is important and interesting to think about is how non-PII items, when combined with certain other non-PII items, can actually become PII. In other words, aggregating non-PII to form PII. In case that sounds fuzzy, think about it, very simplistically, this way...

Consider a zip code, first name, and birth year.

If you look at each of these separately, it would be hard to say you can link each of them to a specific individual. However, if you look at the three items in combination, you could very well be able to identify a specific individual. Especially in more sparsely populated geographic locations. So, does this combination of three items, as a group, represent PII?

It often takes just two pieces of information to be able to identify a specific individual. Once identified, finding out more information about that individual is trivial, and the stuff that criminals' dreams are made of.

Rebecca Herold, The Privacy Prof, blogging about the privacy threats of data aggregation, i.e. when it is possible to aggregate individual pieces that are not private to form a picture that can uniquely identify somebody.

What is PII? How About Groups Of Otherwise Non-PII? | Realtime IT Compliance
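The aggregation effect described in the quote can be measured before a dataset is shared. The following is an added example, not code from the quoted post: it computes k-anonymity (the size of the smallest group of records sharing the same values) and the share of unique records for every combination of the three fields. The records, field names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

FIELDS = ("zip", "first_name", "birth_year")

# Constructed sample records (not real people). Zip 59999 stands in for a
# sparsely populated area with only two residents in the dataset.
RECORDS = [
    {"zip": "50301", "first_name": "Ann", "birth_year": 1980},
    {"zip": "50301", "first_name": "Ann", "birth_year": 1975},
    {"zip": "50301", "first_name": "Bob", "birth_year": 1980},
    {"zip": "50301", "first_name": "Bob", "birth_year": 1975},
    {"zip": "50302", "first_name": "Ann", "birth_year": 1980},
    {"zip": "50302", "first_name": "Ann", "birth_year": 1975},
    {"zip": "50302", "first_name": "Bob", "birth_year": 1980},
    {"zip": "50302", "first_name": "Bob", "birth_year": 1975},
    {"zip": "59999", "first_name": "Ann", "birth_year": 1980},
    {"zip": "59999", "first_name": "Bob", "birth_year": 1975},
]


def reidentification_risk(records, fields):
    """Return (k, unique_fraction) for the given combination of fields.

    k is the size of the smallest group of records with identical values;
    unique_fraction is the share of records that are alone in their group.
    """
    groups = Counter(tuple(r[f] for f in fields) for r in records)
    k = min(groups.values())
    unique = sum(1 for n in groups.values() if n == 1)
    return k, unique / len(records)


def risk_report(records, fields):
    """Evaluate every non-empty combination of fields, smallest first."""
    report = {}
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            report[combo] = reidentification_risk(records, combo)
    return report


if __name__ == "__main__":
    for combo, (k, frac) in risk_report(RECORDS, FIELDS).items():
        print(f"{' + '.join(combo):35} k={k}  unique={frac:.0%}")
```

On this sample no single field isolates anyone, zip code plus one other field already singles out both residents of the sparse zip code, and all three fields together make every record unique.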
