The difficulty of defining "personal information"

One of the pressing problems of the times, in the digital identity and privacy world, is that of defining what counts as personal information.

It’s important from the individual’s point of view, of course, because the individual is the one with most at stake should that information be abused.

It’s important from the legislator’s point of view, because without a clear definition of what is ‘in’ and what is ‘out’, they can’t frame meaningful and enforceable legislation.

It’s important from the data custodian’s point of view too, because they are the entities stuck with the twin problems of demonstrating compliance to the applicable law and of keeping their data subjects happy.

This recent example from the Commonwealth of Massachusetts neatly illustrates some of the difficulties. It will come into force on Jan 1st, 2009. As you will see, it adopts a simple definition of Personal Information:

“a Massachusetts resident’s first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver’s license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident’s financial account; provided, however, that “Personal information” shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.”

Interestingly, given the specification of Massachusetts residency and personal names, it precedes this with a broad definition of “person”, to include natural and legal persons but excluding any part of the public bodies of the Commonwealth.

You’ll notice, too, that the Massachusetts definition includes public sector credentials (social security number, driver’s license number, state-issued ID card number) and those commercial sector credentials to do with bank accounts. On the other hand, it does not refer to healthcare or health status information, which might seem to be another class of personal data meriting protection.

“Aha”, some of you may object… “but there’s no need to legislate here for healthcare data, because that’s covered by HIPAA…”. Good point – but in that case, why legislate for banking data, which is covered by Gramm Leach Bliley?

I’m not saying either approach is right or wrong, mind you – I’m just using this as an example of why the apparently simple question of “what is personal information?” can rapidly spiral into complexity.

Corporations dealing with the personal information of Massachusetts residents will probably be fairly happy with this Commonwealth statute: its relatively narrow definition of Personal Information means that their regulatory compliance burden should be comparatively light. Contrast that, for instance, with the current European debate over whether anonymous or pseudonymous identifiers (such as IP addresses or Liberty-style ‘opaque handles’) should, in their own right, be classed as personal data.

In parts of Europe (for instance, at the Independent Data Protection Centre of Schleswig Holstein and on the Primelife project) they are considering an alternative approach, based on
the principle of “linkability”. Their argument is that, whatever the scope of your definition of ‘personal information’, what’s at issue is the extent to which the individual’s privacy can be compromised if the right (or wrong) links can be made between one piece of data and another. To take a simple example: your blood type might not, on its own, be personal information (in the sense that it doesn’t uniquely identify you) – but if and when it can be linked with your name (or with other factors which allow you to be uniquely identified) then it almost certainly should benefit from protection as personal information.

It’s not a simple approach, I grant you – but given the huge disparity between different legislations’ definitions of personal information, it may turn out to be the only workable way of achieving any useful level of consistency in our frontierless digital world.