
Clear Definition of Non-PII Data in the DPG standard for Indicator #6

Open nathanbaleeta opened this issue 1 year ago • 1 comments

Non (Personally Identifiable Information) PII Data

Non-PII data is simply data that is anonymous. This data cannot be used to distinguish or trace an individual’s identity, such as their name, social security number, date and place of birth, biometric records, etc. As a result, this data does not require encryption before it is transmitted as there is no scope for misuse that would result in harm to any individual.

Non-PII data typically includes data collected by browsers and servers using cookies. Device type, browser type, plugin details, language preference, time zone, and screen size are a few examples of non-PII data.

Non-PII data is usually collected by businesses to track and understand the digital behavior of their consumers. This in turn can help them improve the consumer’s online experience and engagement.

Observation: Perhaps due to some lack of clarity in the standard questions, some project owners assume they collect non-PII data when they actually don't. For example, a project assumed that because they collect satellite imagery, such data is categorized as non-PII data. Hence, to avoid any confusion, it's better to provide additional clarification about non-PII data.

nathanbaleeta, Jul 25 '22 20:07

Just a note, "non-PII data" can also be explicit in that it "does not contain PII". Depending on locality/industry, PII may be explicitly defined by a collection of data elements, so "non-PII data" specifically means that none of those elements are included. In some cases, IP addresses are considered PII, as an example.

jstclair2019, Jul 25 '22 22:07