PII
PII and describe how it is different from generic membership data, define workflow for dealing with it and/or rationale for not defining a workflow.
What's PII:
Personally identifiable information (PII) and personal data are two classifications of data that often cause confusion for organizations that collect, store and analyze such data.
The most common definition of PII (in the US) is the one provided by the National Institute of Standards and Technology (NIST). It says that:
PII is any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
However, the line between PII and other kinds of information is blurry. As stressed by the US General Services Administration, the "definition of PII is not anchored to any single category of information or technology. Rather, it requires a case-by-case assessment of the specific risk that an individual can be identified".
According to NIST, PII can be divided into two categories: linked and linkable information.
Linked information is more direct. It could include any personal detail that can be used to identify an individual, for instance:
- Full name
- Home address
- Email address
- Social security number
- Passport number
- Driver's license number
- Credit card numbers
- Date of birth
- Telephone number
- Owned properties e.g. vehicle identification number (VIN)
- Login details
- Processor or device serial number*
- Media access control (MAC)*
- Internet Protocol (IP) address*
- Device IDs*
- Cookies*
* Note:
NIST states that linked information can be "Asset information, such as Internet Protocol (IP) or Media Access Control (MAC) address or other host-specific persistent static identifier that consistently links to a particular person or small, well-defined group of people". That means cookies and device IDs fall under the definition of PII.
Linkable information is indirect and on its own may not be able to identify a person, but when combined with another piece of information could identify, trace or locate a person.
Here are some examples of linkable information:
- First or last name (if common)
- Country, state, city, zip code
- Gender
- Race
- Non-specific age (e.g. 30-40 instead of 30)
- Job position and workplace
Personal data is a legal term that the GDPR defines as the following:
Article 4(1):
'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
This definition applies not only to a person's name and surname, but to details that could identify that person. That's the case when, for instance, you're able to identify a visitor returning to your website with the help of a cookie or login information.
Under the GDPR you can consider cookies as personal data because according to
Recital 30:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
And the definition of personal data covers various pieces of information such as:
- transaction history
- IP addresses
- posts on social media
Basically, it's any information relating to an individual or identifiable person, directly or indirectly.
Following the GDPR provisions, non-personal data is data that won't let you identify an individual. The best example is anonymous data. According to
Recital 26:
The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.
Other examples of non-personal data include, but are not limited to:
- Generalized data, i.e. an age range, e.g. 20-40
- Information gathered by government bodies or municipalities such as census data or tax receipts collected for publicly funded works
- Aggregated statistics on the use of a product or service
- Partially or fully masked IP addresses
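The following is an added example, not part of the original page: it reduces a membership record along the lines of the lists above by dropping linked identifiers, generalizing an exact age to a range and partially masking the IP address. The field names, the /24 and /48 masking widths and the 10-year age buckets are assumptions; whether the output is still identifying remains a case-by-case assessment, since the remaining linkable fields can identify a person in combination.

```python
import ipaddress

# Assumed field names for a hypothetical membership record. These are
# "linked" identifiers in the sense of the list above and are dropped.
LINKED_FIELDS = {"full_name", "email", "phone", "home_address", "ssn",
                 "device_id", "cookie_id", "mac_address"}


def mask_ip(value, v4_prefix=24, v6_prefix=48):
    """Partially mask an IP address by zeroing its host bits."""
    addr = ipaddress.ip_address(value)  # raises ValueError on bad input
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def age_range(age, width=10):
    """Generalize an exact age into a range such as '30-39'."""
    low = (int(age) // width) * width
    return f"{low}-{low + width - 1}"


def minimize(record):
    """Return a reduced copy: linked fields dropped, age and IP generalized."""
    out = {}
    for key, value in record.items():
        if key in LINKED_FIELDS or value is None:
            continue
        if key == "ip_address":
            try:
                out[key] = mask_ip(value)
            except ValueError:
                continue  # unparseable address: drop it rather than keep raw text
        elif key == "age":
            out["age_range"] = age_range(value)
        else:
            out[key] = value  # linkable or generic membership data, kept as-is
    return out


# Constructed sample record, not real data.
SAMPLE = {"full_name": "Jane Example", "email": "jane@example.org",
          "age": 34, "ip_address": "203.0.113.77", "country": "US",
          "cookie_id": "c-0001", "membership_tier": "gold"}

if __name__ == "__main__":
    print(minimize(SAMPLE))
```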