Explaining PII and its usage.
Most software systems store data about their users, i.e. real people. The data about a user can be of two types:
Provided by the users themselves.
Aggregated from the user’s transactions/activities.
User-provided data includes name, age, and social security number. The aggregated data on the other hand could be web searches, buying history or places visited. An Identity consists of all the information/data that we have on any user.
Identity and its types.
Identity can be simply defined as data about people. A few examples of identity could be name, location, date of birth, and biometrics. Identity can be further classified into three categories:
PII — Personal Identifying Information
An identity that can be directly linked to an individual. A person can be easily identified with this type of information, which makes this the strongest form of identity. Most privacy laws and regulations focus on this category of data.
Pseudonyms
A relatively weaker link that cannot identify a person directly, e.g. name or date of birth. Pseudonyms provide an advantage from the software point of view as they de-link the data from an individual. However, multiple pseudonyms clubbed together can act as PII and identify an individual, e.g. name and date of birth.
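The effect of clubbing pseudonyms together can be measured. The following is an added example, not code from the original article: it counts how many records share each combination of values (the group size k used in k-anonymity) and reports which combinations single a person out. The records, field names and function names are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample records, not real people. Each field is a pseudonym
# in the article's sense: on its own it is shared by several records.
FIELDS = ("name", "date_of_birth", "location")
RECORDS = [dict(zip(FIELDS, row)) for row in [
    ("Alex Kim", "1990-04-12", "Pune"),
    ("Alex Kim", "1985-09-30", "Pune"),
    ("Sam Rao",  "1990-04-12", "Pune"),
    ("Sam Rao",  "1985-09-30", "Delhi"),
    ("Alex Kim", "1990-04-12", "Delhi"),
    ("Sam Rao",  "1985-09-30", "Delhi"),
]]

def _groups(records, fields):
    """Count how many records share each combination of values for `fields`."""
    return Counter(tuple(r[f] for f in fields) for r in records)

def smallest_group(records, fields):
    """Size of the smallest group (the k in k-anonymity); 1 means someone is unique."""
    return min(_groups(records, fields).values())

def singled_out(records, fields):
    """Records that no other record matches on `fields`, i.e. re-identifiable ones."""
    groups = _groups(records, fields)
    return [r for r in records if groups[tuple(r[f] for f in fields)] == 1]

def identifying_combinations(records, fields, k=2):
    """Minimal field combinations that leave at least one group smaller than k."""
    found = []
    for size in range(1, len(fields) + 1):
        for combo in combinations(fields, size):
            if any(set(prev) <= set(combo) for prev in found):
                continue  # a smaller combination already identifies someone
            if smallest_group(records, combo) < k:
                found.append(combo)
    return found

if __name__ == "__main__":
    for field in FIELDS:
        print(field, "alone -> smallest group:", smallest_group(RECORDS, (field,)))
    for combo in identifying_combinations(RECORDS, FIELDS):
        print(combo, "singles out", len(singled_out(RECORDS, combo)), "record(s)")
```

Running the same check over a real data set before release shows which columns have to be generalised or dropped so that no combination leaves a group of one.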
Anonymity
The weakest link in the series. Truly anonymous data cannot be linked to an individual. With anonymity, even multiple data sets related to the same person cannot be linked together.
Why is PII needed in Software Systems?
Multiple use cases are present in software systems that demand to know and sometimes even verify the identity of the user. A few generic ones are listed below:
Access Control
The most generic use case. It can be summarised with a question: Should a given individual see a data set? Subscriptions to an OTT platform or a proprietary knowledge system are the cases where access control checks are in place. The use of roles instead of individual authentication can significantly improve the security and privacy of a system.
Authorization
Generally used as attribution for a transaction. Credit card transactions are a good example here, where a PIN is required to complete the transaction.
Personalization
Identity-related information is also used by software systems to enhance the user experience. The most applicable use cases here include web search history or the shopping history of a person. Patterns extracted from this data can significantly hamper the privacy of a person.
Summary
PII is a double-edged sword. On one hand, it can enhance the user experience and provide better security through access control and authorization. On the other hand, misuse or improper handling of such details can significantly hamper one’s privacy, and too much intelligence can restrict the freedom of persons.
With great power comes great responsibility.
See: https://medium.com/@rahul.v_76256/explaining-piis-and-its-usage-7e292f7c4ad7