PII in Australia and personal information
Terminology around privacy and security will often use the term “PII” to refer to “Personally Identifiable Information”. However, PII is not a valid term in Australia: the definition used by the OAIC is “personal information”, and it differs from the US term (from NIST) both in scope and in the legal obligations attached to it.
PII in Australia vs personal information
Most IT and security professionals will know and understand what PII means. Many people may even use PII in documentation and in their own policies and standards. However, PII is a more restrictive term than the Australian “personal information” definition. It is easy to identify PII, but “personal information” according to the Office of the Australian Information Commissioner and the Privacy Act (1988, Commonwealth of Australia) is much broader and can be trickier to interpret.

Definition of PII
The term PII is a US term that centres on personally identifiable information specifically linked to an individual, such as date of birth, mother’s maiden name, social security number, medical records, financial records, and education records. It is easy to understand the use of PII, as it is mostly obvious and clear what constitutes a PII record. Protecting PII can be a simple process, because it is information that is specifically about an individual, and it does not take an expert to identify whether information is PII and therefore needs to be protected.
Definition of “personal information” under the Australian Privacy Act
Unfortunately for information security professionals, the definition in Australia is much wider than just PII. According to the OAIC, personal information can also include an opinion (whether true or correct, or not), or anything from which an individual could be inferred. So, “personal information” can include payment transactions (because they imply the location or habits of an individual), photographs of a person, an image of someone’s signature, IP address records of connections to a website or app (because they can be linked to an individual), and even a categorisation of customer types.
It can be difficult to clearly understand what is “personal information”, because it does not need to contain the obvious details of a name, email address, Tax File Number and so on; it can be a wide range of information. This means more information needs to be secured and handled as “personal information” than would be under the definition of PII alone.

Definition of “sensitive information”
Going further than personal information, there is another categorisation within the Privacy Act: that of “sensitive information”. This one is slightly easier to determine, because it is information that most people would categorise as “sensitive”. It includes race, religion, politics, sexual orientation and practices, criminal records, health records, trade union membership, and biometric information. These types of information (or, again, opinions and even incorrect information) must be secured and handled at a higher level than “personal information”.
The implications
Confusing PII with personal information in Australia can lead to errors. If a security professional or business only focuses on “PII” in Australia, they run the risk of not complying with the law.
A further implication concerns “test” and legacy data. Many organisations want to use test records, such as false names and addresses, but this falls foul of the Privacy Act, because the Act covers personal information even if it is not correct or up to date.
The risks
It is common shorthand to use the term “PII” to refer to personal information, as most people will either understand what you mean or be able to work it out. Unfortunately, there is a risk that this will be taken too literally and that people will assume the only information that needs appropriate handling is information that identifies a person, and not also information that is about a person. For example, an IP address and timestamp are not PII, but they are “personal information” if they can be linked to a person’s activities.
Information security professionals and anyone with responsibility for cybersecurity must be aware of the differences under Australian laws and regulations. If the term PII is used, people must be aware that, in Australia, it covers more than just “personally identifiable information”.