Information security is a primary concern of the information technology department of every organization and entity, and the general public is also becoming familiar with it. This post introduces types of information, especially types of personal information, in a question-and-answer format.
What is personal information?
Any attribute associated with you as a person that identifies you is your personal information. For example, your given name and your family name are personal information.
Many people have my given name. How can it be personal?
Personal does not mean unique. Your given name is just one of many personal information attributes that identify you. For example, many people have the given name Mike, and every Mike's driver's license bears that name, but a driver's license carries more information. When all those attributes are linked together, each Mike's identity on his driver's license is unique. Moreover, the assigned license number itself is unique.
Okay, what if Mike changes his name to Tom?
Good question. Personal information can be divided into two categories: static and dynamic. A given name falls into the dynamic category, so it may change with time and by intention.
What is static personal information?
Personal information that cannot change with time falls into the static category, for example date of birth, parents, and place of birth.
Is my family or last name static personal information?
Yes and no. The family name or last name is usually inherited. But when a girl gets married, her family name may change to her husband's family name. Also, if a child is adopted, his or her family name may change to the adoptive family's name.
What is dynamic personal information?
Any personal information that changes with time. Most physical attributes of a person, such as age, weight, height, and facial appearance, are dynamic personal information. A person's address and employer are dynamic personal information as well.
What is private personal information?
Any personal information that is not required to be made available to others. Which attributes of a person count as private varies from country to country. For example, in the USA medical records and academic records are private records, and the information in them is private personal information.
What is public personal information?
Any personal information that is available to others, such as the government, is public personal information. For example, a real property owner's name is available to everyone and hence is public information. In the USA, a person's criminal records are public personal information.
What is personally identifiable information (PII)?
Any information that can establish the identity of a person uniquely is personally identifiable information (PII). For example, in the USA a social security number is PII, and a person's passport is likewise considered PII. However, it is important to understand that PII is valid only in a given context. For example, a college student's ID number is PII only within the college in which he or she is enrolled.
How is PII created?
Good question. PII is created from a set of personal attributes or personal information. To get a social security number one must provide a minimum of 9 items: (a) first name (to be shown on the card), (b) last name (to be shown on the card), (c) place of birth, (d) date of birth, (e) citizenship, (f) ethnicity, (g) race, (h) sex, and (i) parent/mother's name at her birth. Three other optional items are: (j) parent/mother's social security number, (k) parent/father's name, and (l) parent/father's social security number.
Can't some of the attributes used to create PII change?
Yes, but changes to these attributes are very infrequent, and any change should be reported to the authority that issued the PII. For example, when a person's address changes, the address on his driver's license should be updated.
What is personally sensitive information (PSI)?
Any information about a person that a malicious actor could exploit to harm the person or to cause financial loss is personally sensitive information (PSI). Credit card information, banking information, education records, and health information are examples of PSI.
Many colleges hold much of my PII and PSI, because to complete my college applications I had to submit my high school transcripts, my SAT (Scholastic Aptitude Test) scores, and my FAFSA (Free Application for Federal Student Aid) to them. Will the colleges keep them out of reach of cyber-criminals?
Very interesting question. Your college application contains your (a) full name, (b) date of birth, (c) social security number (PII), (d) the name of the high school(s) you attended or are attending, (e) SAT scores (PSI), and (f) grade point average (PSI). You may also have used a credit card to pay the application fees and SAT score reporting fees. These colleges are expected to keep all of this safe. Institutions follow the CIA triad for protecting PII and PSI.
What triad? CIA?
Yes, that is right. CIA triad. It stands for Confidentiality, Integrity, and Availability — not Central Intelligence Agency (of the United States of America).
That sounds complicated. Why is managing PII and PSI so complicated?
Managing PII and PSI is complicated because the institution wants to keep your PII and PSI confidential from the outside world, yet the college needs your application folder to be available to the evaluators in the admissions office. Moreover, it has to ensure that no one can alter your application and supporting documents, that is, their integrity must be preserved. You can see that these are three contradictory requirements, and meeting all three at once is a challenge.
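As an added illustration of how the three requirements are reconciled on an application folder (example code written for this post's scenario, not anything from a real college system): a field-level classification decides what each role may see (confidentiality and availability), and a keyed hash over the folder reveals any alteration (integrity). The field names, roles, key and sample applicant are all constructed assumptions.

```python
import hashlib, hmac, json

# Classification of each application field, following the post's categories:
# PII identifies the applicant, PSI could cause harm if exposed, PUBLIC is
# available to anyone anyway. Field names are constructed for this example.
FIELD_CLASS = {
    "full_name": "PII",
    "date_of_birth": "PII",
    "ssn": "PII",
    "high_school": "PUBLIC",
    "sat_score": "PSI",
    "gpa": "PSI",
}

# Hypothetical access policy (an assumption): classes each role may read.
ROLE_ACCESS = {
    "admissions_evaluator": {"PII", "PSI", "PUBLIC"},
    "financial_aid": {"PII", "PUBLIC"},
    "public_directory": {"PUBLIC"},
}

def seal(record: dict, key: bytes) -> str:
    """Integrity: HMAC-SHA256 over a canonical JSON encoding of the folder."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify(record: dict, tag: str, key: bytes) -> bool:
    """Recompute the tag; constant-time compare so the check itself leaks nothing."""
    return hmac.compare_digest(seal(record, key), tag)

def view(record: dict, role: str) -> dict:
    """Confidentiality and availability: a role sees exactly the classes its
    policy allows. Unknown roles and unclassified fields fail closed."""
    allowed = ROLE_ACCESS.get(role, set())
    return {
        field: value if FIELD_CLASS.get(field, "PSI") in allowed else "[REDACTED]"
        for field, value in record.items()
    }

# Constructed sample folder (not a real person); the SSN is a placeholder.
APPLICATION = {
    "full_name": "Mike Example",
    "date_of_birth": "2006-03-14",
    "ssn": "000-00-0000",
    "high_school": "Example High School",
    "sat_score": 1320,
    "gpa": 3.7,
}
KEY = b"demo-key-not-for-production"
```

Call `seal(APPLICATION, KEY)` when the folder is filed and `verify` before each evaluation; a changed GPA fails the check, while `view(APPLICATION, "public_directory")` returns only the high school name with every PII and PSI field redacted.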
How long will the colleges keep my PII and PSI?
A good question. There is no rule; each college decides for itself.
Do all organizations follow the CIA triad?
Yes. Most organizations collect some PII and PSI about people within the organization and people with whom they do business, and the CIA triad is part of the cybersecurity policy of the information technology department of every major organization. Moreover, a set of protocols is put in place to ensure each component of the triad.
How does an organization's information technology department know that its CIA triad policy is working?
Most organizations hire outside auditors to evaluate their CIA triad controls. In addition, an internal cybersecurity committee periodically evaluates the security protocols, including those for the CIA triad.