Nonetheless, internet breaches occur routinely; further steps need to be taken.
Options for resolving these issues
Part of the issue revolves around ambiguous ways of defining PII, as well as the fact that the constructs of identity are still in flux. Information that is PII at one moment can become non-PII the next, and the reverse is the case, too. Moreover, computer science has shown that, in many instances, data that is considered non-PII and, therefore, not regulated has been used to identify a person, and that this data should, in theory, be called PII. The definition of PII, accordingly, transcends boundaries and may be difficult to pin down. Given its malleability, some observers have even suggested rejecting PII altogether as the tool for defining privacy law.
The first issue, therefore (it seems to me), is to start off with a clear definition of PII, and here we may adopt the approach of Schwartz and Solove (2011), who recommend that, rather than PII being dropped, we adopt a new standard (not a rule) called "PII 2.0" that measures constructs of identity along a continuum. This would also, incidentally, work towards safeguarding more vulnerable individuals, since data can be included or omitted at one's discretion. Moreover, this new construct, PII 2.0, would be divided into two categories. One category would be information that identifies the individual, whilst the other category would be information that could be traced back to the individual. Governments and departments (as well as institutions) would know how to protect the individual depending on which of these two categories the information falls into.
The suggestion of Schwartz and Solove (2011) agrees with the findings of the OMB, which decided that the sensitivity of a case hinges on context. Not every case is sensitive (an HIV case, for instance, may be more sensitive than another). Moreover, the accumulation of data increases the sensitivity of the case. It may be, therefore, that in sensitive cases the data retained can be kept to the essential minimum, which, whilst helping the government and the institution (such as a medical institution), would also better protect the individual in question (Johnson III, 2007). Or, one can use the proposal of Schwartz and Solove (2011) of dividing PII into two categories.
Personally Identifiable Information (PII) is any sort of information that identifies a person and that institutions and the government use for private and domestic concerns. The ethical problem inherent in PII is that unscrupulous individuals can abuse the concept, robbing a person of their personal identity or, in other ways, using the PII to force the person to cooperate. It is extremely important, therefore, to safeguard the person's PII, and the more vulnerable the individual, the more important protection of PII becomes.
Laws have been passed for PII protection, but breaches persist. Recommendations, therefore, include passage of a new category of PII (PII 2.0) that more strictly defines PII and divides it into two categories, enabling relevant institutions to better identify the individual and to choose which data to include and which to exclude. These bits of data can also be placed along a spectrum.
National and logistical matters necessitate that we be uniquely identified. Doing this can, however, occasionally be harmful. Steps have been taken, and can continue to be taken, to guarantee a person's safety.
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:EN:HTML
Johnson III, Deputy Director for Management (2007/05/22) M-07-16 SUBJECT: Safeguarding Against and Responding to the Breach of Personally Identifiable Information http://www.whitehouse.gov/omb/memoranda/fy2007/m07-16.pdf
Schwartz, PM & Solove, DJ (2011) The PII Problem: Privacy and a New Concept of Personally Identifiable Information. New York University Law Review, Vol. 86, p. 1814.
Sweeney, L (n.d.) Standards of Privacy of Individually Identifiable Health Information. Carnegie Mellon University. http://privacy.cs.cmu.edu/dataprivacy/HIPAA/HIPAAcomments.html
United States Department of Defense. "MEMORANDUM for DOD FOIA OFFICES." http://www.dod.mil/pubs/foi/withhold.pdf