What Personal Information Is Gathered?
Many numbers mark people as individuals, from customer identification numbers to Social Security numbers. But the definition of personal information varies widely across data privacy laws and regulations.
Personal information, or PII, is any information that can identify an individual, either alone or in combination with other information. This includes everything from names to credit card numbers to biometric information.
1. To provide a service
Personal information is any information that can identify a person. This includes basic details like first name and last name, as well as more specific data like date of birth, mother’s maiden name, or biometric records. The key is to understand that data alone doesn’t constitute personal information; it’s only when the data can be used to distinguish or trace an individual that it becomes personally identifiable information, or ‘PII’.
To be considered PII, it needs to be collected and used fairly, transparently, and for a purpose that you have explained to the person at the time of collection. This ensures that the amount of data gathered is appropriate to the purposes for which it will be used and reduces the risk of function creep and other privacy risks.
4. To perform a legal obligation
A company can rely on this lawful basis when processing personal information is necessary to comply with a legal obligation that has a clear basis in common law or statute. This includes statutory duties such as tax compliance or reporting to the police. It also includes regulatory obligations such as those imposed by the CMA or HMRC.
When you use this lawful basis you must document your decision to do so and explain the reasoning behind it. You must also be able to identify the specific legal provision or appropriate source of advice or guidance that clearly sets out your obligation.
If you rely on this lawful basis to process information you must provide people with privacy information at the latest within one month of obtaining their data or, where you envisage disclosing it to another company, at the time that disclosure is first considered.
5. To protect your interests
Gathered personal information is data that can be used to trace or distinguish an individual over time and across different contexts. This is the core of what was previously known as PII (Personally Identifiable Information).
PII can be tied to the things you buy with your credit card, check out at your library, or use to unlock your smartphone. It builds a dossier of your interests and activities that can be used to track you.
When it comes to PII, the principle of lawfulness should guide your decisions about how you collect and use it. You should also limit the information you collect to what’s necessary for the purposes you specify, and ensure that transaction metadata isn’t kept longer than it’s needed. And you should always provide transparent, easy-to-understand privacy information.