Is phone number PII?
Personally Identifiable Information (PII) is defined (the example below is from NIST) as (emphasis mine):

Information that can be used to distinguish or trace an individual's identity, such as name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information that is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.

How should this be interpreted in the case of a single phone number, not associated with a name?
In other words, if an application is sending bare phone numbers to a server (I am looking at you WhatsApp) without the name of the number owner, is that number still PII?
You asked: Is a phone number PII?

The answer is that PII is anything that directly or indirectly can be associated with a person, based on Regulation 2016/679 of the European Parliament:

'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From the definitions section of the aforementioned regulation.
- Because you can correlate a phone number with a person (the owner of the contract), and that number might be unique to that person, you should consider it PII.
- I am saying this as a precaution, as you never know if it is a public phone number, a shared phone or any other use case.
- In many cases, even with a shared number, it is still possible to correlate it to a person.
- The only case where that is not possible is public phones.
- Because we do not know this, we cannot take the risk of relaxed security for all the other phone numbers that might be uniquely associated with a specific person.
- IP addresses can also be PII, because we do not know if it is a proxy or a router at someone's home. We should treat them equally.
- A simpler explanation, with examples, can be found at the link below from the European Parliament.
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible. The law protects personal data regardless of the technology used for processing that data: it is technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn't matter how the data is stored, in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.
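The quoted text's point that pseudonymised data which can be re-identified is still personal data applies directly to phone numbers: an unkeyed hash of a number is not anonymisation, because the numbering plan is small enough to enumerate, while a keyed HMAC is only re-linkable by whoever holds the key (and therefore remains personal data for that party). The following is an added illustration, not code from the question, the answer or any product named above; the prefix, block size and sample numbers are constructed for the demo.

```python
import hashlib
import hmac
import secrets

# Constructed sample: one small block of a numbering plan. A real plan holds
# billions of numbers, but it is still fully enumerable, which is the point.
PREFIX = "+4420700"   # hypothetical prefix, constructed for this example
BLOCK_SIZE = 10_000   # enumerate only the last four digits

def plain_hash(number: str) -> str:
    """'Pseudonymise' with an unkeyed SHA-256: the weak scheme."""
    return hashlib.sha256(number.encode()).hexdigest()

def keyed_hash(number: str, key: bytes) -> str:
    """Pseudonymise with an HMAC under a key held only by the data controller."""
    return hmac.new(key, number.encode(), hashlib.sha256).hexdigest()

def relink(pseudonyms: set[str], tag) -> dict[str, str]:
    """Check how many pseudonyms can be re-identified by walking the numbering
    block with the tagging function `tag`. Returns pseudonym -> phone number."""
    found = {}
    for suffix in range(BLOCK_SIZE):
        candidate = f"{PREFIX}{suffix:04d}"
        p = tag(candidate)
        if p in pseudonyms:
            found[p] = candidate
    return found

def demo() -> tuple[int, int]:
    """Returns (re-linked unkeyed hashes, re-linked keyed hashes) for a
    constructed set of three numbers."""
    numbers = [f"{PREFIX}{n:04d}" for n in (17, 4242, 9999)]  # constructed
    weak = {plain_hash(n) for n in numbers}
    key = secrets.token_bytes(32)            # stays with the controller
    strong = {keyed_hash(n, key) for n in numbers}
    weak_hits = relink(weak, plain_hash)
    # A party without the key can only guess one; the guess below is wrong.
    strong_hits = relink(strong, lambda n: keyed_hash(n, b"guessed-key"))
    return len(weak_hits), len(strong_hits)

if __name__ == "__main__":
    print("re-linked (unkeyed, keyed):", demo())   # (3, 0)
```

Rotating or destroying the key is what would move the keyed records towards the "irreversible" anonymisation the quoted text requires; as long as the key exists, the records are pseudonymised personal data, not anonymous data.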