Ethical Problem of Personally Identifiable

Ethical Problem of Personally Identifiable Information (PII)

Personally Identifiable Information (PII) refers to any information that can be used to identify the person. According to the U.S. Office of Management and Budget, it consists of the following criteria:

National identification number

IP address (in some cases)

Vehicle registration plate number

Driver's license number

Face, fingerprints, or handwriting

Credit card numbers

Digital identity

Date of birth

Birthplace

Genetic information

The Office of Management and Budget (OMB) defines PII in the following way:

Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc. ( Johnson III, 2007).

The directive 95/46/EC meanwhile describes it as:

Article 2a: 'personal data' shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data)

Collecting PII is necessary for both private and domestic safety and use. In the first place, it helps the federal government and place of employment, medical institution, and so forth connects with the individual, employee, or patient. In the second place, it helps the government better protect the country from terrorists. On the other hand, because PII involves breaching privacy, the effect is that some may be disturbed by the ramifications feeling that the government has encroached too much on their personal lives. Consequences are aggravated when PII of certain very public figures are released.

Ethics is defined as "the discipline dealing with what is good and bad and with moral duty and obligation" (Merriam-Webster). In other words, it is the system of values / principles that the individual uses in order to decide how to act in any given challenging moral situation. It is the person's guiding philosophy in determining how to act. Releasing PII may well result in an ethical conundrum. The following essay elaborates on the ethical issues involved and suggests some solutions.

The issues

Although intended for domestic and utilitarian reasons, PII can sometimes by used criminals as means of stalking, kidnapping, robbing a person, or even plotting his murder. Sometimes, it may be used to kidnap a close relative of a particular individual in order to force the individual to collaborate. Releasing and publicizing PII, in this way, can be dangerous. Advances in internet technology has not only made it easier to collect PII but, at the same time, has made it easier for unscrupulous individuals to breach internet security and web browser security gaining access to this information and, sometimes, selling it to others. This practice is called "doxing" (Sweeney, n.d)

Various policies and interventions have been passed to protect the person's identity. One of the best known is the Health Insurance Portability and Accountability Act (HIPAA) which aims to protect a patient's identity. The Privacy Act of 2005 likewise forbade the display, sale, or purchase of another's PII without his consent, whilst the Anti-Phishing Act passed in that same year protected acquisition of PII through phishing. In a similar way, and given the seriousness of the social security number that can lead to identity theft, the proposed Social Security Number Protection Act (2005) and Identity Theft Prevention Act (2005) sought to regulate distribution of an individual's social security ID.

These policies -- and proposed policies -- have, however, been insufficient. Certain people in certain positions are especially vulnerable to danger were their PII to be exploited. Force may be used that they, or their beloved ones, may be kidnapped or harm threatened to them in order that they cooperate. At the moment, the United States Department of Defense (DoD), and many other intelligence agencies, strictly control release of PII of DoD personnel (United States Department of Defense). Similar steps of protection are also assumed by institutions set up to protect victims (or potential victims) such as witness protection programs, women's shelters, and victims of domestic violence. Nonetheless, internet breach occurs routinely; further steps need to be taken.

Options for resolving these issues

Part of the issue revolves around ambivalent ways of defining PII as well as the fact that the constructs of identity are still in flux. PII, at one moment, can become non-PII during the next, and the reverse is the case, too. Moreover, computer science has shown that, in many instance, data that is consider non-PII and, therefore, not regulated, has been used to identify a person and that this data should, theorem, be called PII. The definition of PII, accordingly, transcends boundaries, and may be difficult to pin down. Given its malleability, some observers have even suggested altogether rejecting PII as the tool for defining privacy law.

The first issue, therefore (it seems to me) is to start off with a clear definition of PII and here we may adopt the approach of Schwartz and Solove (2011) who recommend that rather than PII being dropped, we adopt a new standard (not a rule) called "PII 2.0," that measures constructs of identity along a continuum. This would also, incidentally, work towards safeguarding more vulnerable individuals since data can be included / omitted at one's discretion. Moreover, this new construct, PII 2.0, would be divided into two categories. One category would be information that identifies the individual, whilst the other category would be information that could be traced back to the individual. Government and departments (as well as institutions) would know how to protect the individual depending on which of these two categories the information falls into.

The suggestion of Schwartz and Solove (2011) agrees with the findings of the OMB which decided that sensitivity of the case hinges on context. Not every case is sensitive (an HIV case for instance may be more sensitive than another). More so, the accumulation of data increases the sensitivity of the case. It may be, therefore, that in sensitive cases data can be retained to the essential minimum that, whilst helping the government and institution (such as medical institution, would also better protect the individual in question (Johnson III, 2007). or, one can use the proposal of Schwartz and Solove (2011) of dividing into two categories.

Conclusion

Personally Identifiable Information (PII) is any sort of information that identifies a person and that institutions and the government use for private and domestic concerns. The ethical problem inherent in PII is that unscrupulous individuals can abuse the concept robbing a person of their personal identity or, in other ways, using the PII to force the person to cooperate. It is extremely important, therefore, to safeguard the person's PII and the more vulnerable the individual the more important protection of PII becomes.