Personal vs Sensitive Personal Information (SPI): What’s the Difference
- By Steven
- Published: Apr 10, 2024
- Last Updated: Apr 19, 2024
What is there to know about a person? Certainly, their name, but how about their affiliations, philosophical beliefs, or sexual orientation? The nuanced information about a person—including those elements listed above and more—falls into a data category called “personal information” or “personally identifying information” (PII). When this information concerns particularly vulnerable elements about a person, it is considered “sensitive information” or “sensitive personal information” (SPI).
In the cybersecurity world, PII and SPI are necessary to protect. The information is valuable for cybercriminals, allowing them to further their objectives—whether impersonation or fraud. Consequently, no matter who the information belongs to, including consumers, affiliates, partners, vendors, stakeholders, or administrators, it is vital to protect. Not only because its exposure can cause harm to those victimized but also because data leaks (and breaches) can kindle irreparable reputational damage to attacked consumers and organizations.
So, what is there to know about these informational elements? It’s tempting to lump PII and SPI together (along with other classifications of personal data), but there are distinct differences between the categories; these differences are recognized in judicial systems globally, which means their protections and intricacies are unique.
At the same time, understanding how PII and SPI differ helps an organization's security team direct additional resources (and defenses) to the most valuable information within its network environment. These extra defenses make a significant difference when an organization is threatened by a cybercriminal's assault—mainly if that attack is successful.
The importance of understanding the privacy and protection obligations for PII and SPI cannot be overstated; organizations have a legal obligation to protect this data from threat actors, while consumers have the option to protect this information themselves. This article aims to give a comprehensive understanding of the distinct categories of data we generate as consumers. By understanding these informational elements, both the public and the individual become better protected from cyber threats.
What is Personal Information
As stated above, personal information is broader than sensitive personal information; the personal elements that compose this classification can be considered “less valuable” than those considered SPI. However, these elements can still identify a specific individual, even if they aren’t as high a priority for auxiliary network protections. In addition, many of these personal identifiers are public records—those elements that are not could be SPI or another lawfully protected data category. Examples of personal information include:
- Monikers and sobriquets: otherwise called names, nicknames, aliases, or any other title or exclusive identifier used to refer to a specific person
- Contact identifiers: residential addresses, email addresses, phone numbers, and all other methods of communicative accounts like direct messengers
- Personal preferences or habits: hobbies, interests, shopping, posting, and any other information that reveals a person’s preferences or specific behaviors
Legal Frameworks and Compliance
Despite digital information privacy being relatively new to legislation, there are some governing regulations that organizations must comply with when maintaining this data (and running afoul of these guidelines carries severe penalties). Currently, there are no federal blanket laws regarding PII privacy; however, there are localized regulations in some states and countries, and an overarching regulation called the GDPR.
- The General Data Protection Regulation (GDPR) treats as sensitive the information about a person’s ethnic origin, religious beliefs, political opinions, union membership, genetic/biometric data, health details, and sex life.
- The California Privacy Rights Act (CPRA) protects information about a person’s government-issued IDs, account login credentials, card payment details, geolocation, philosophical beliefs, union membership, the content of a person’s communications, genetic/biometric data, health details, and sexual orientation.
- The Virginia Consumer Data Protection Act (VCDPA) protects information about a person’s racial origin, religious beliefs, health diagnosis, sexual orientation, citizenship, genetic/biometric data, geolocation, and data from children.
Risks and Challenges
Beyond those regulations listed above (and those of Colorado, Connecticut, and Utah), compliance issues remain. No federal blanket law means states must decide for themselves what they consider PII and SPI—which varies from state to state, as above—and how they deal with cybercriminals who misuse the information after gaining unauthorized access. If a criminal breaches an organization and the threat actor obtains access to the PII within its network environment, it is often considered a “mishandling” of personal data. There are numerous risks associated with the mishandling of personal information.
- National and Personal Security Risks: if the accessed data relates to a government or military, its exposure could be a national risk, while the exposure of personal details may incite online aggression, including cyberstalking or bullying.
- Reputational Damage: if a threat actor breaches an organization’s security, it may lose more than its stock worth—it may lose its niche clients altogether. Meanwhile, individuals can also suffer from reputational issues when their accounts are taken over or malicious actors begin to impersonate them.
- Financial Losses: although financial data is usually not considered PII or SPI, the exposure of personal data can cause significant losses through damage to intellectual property, legal fees, remediation efforts, and other costs.
What is Sensitive Personal Information (SPI)
SPI differs from PII in that it is particularly valuable data that a malicious agent can misuse in ways that go beyond normal circumstances. As mentioned above, PII is data associated with a person but not necessarily vital to their well-being. So, what is sensitive information? As the legal frameworks presented above indicate, SPI is specific, intimate detail about a person, including the categories listed above for the GDPR, CPRA/CCPA, and VCDPA. More specifically, SPI refers to data like health records, genetic and biometric details, sexual orientation, religious beliefs, criminal history, union affiliations, and government-issued IDs.
Legal and Ethical Considerations
Data governance concerning SPI is primarily overseen by the laws listed above. In the judicial system, each state may make specific regulations determined by multiple aspects of the affected information. For example, California’s CPRA/CCPA regulations distinguish SPI from PII, whereas the California Online Privacy Protection Act (CalOPPA) does not make this distinction—rolling SPI and PII regulations together.
In addition to the distinguishing nuances, states must define the difference between data and information. These are vital aspects of PII and SPI because a person’s information may qualify for more robust legal protection if it is in one form over another; such is the case of exposures in Canada—where data has more protection than information.
Protection Measures for SPI
- Consider taking the time to opt out of data collection and sharing by information brokers. Although they legally have ownership over the details they “share or sell,” most individuals can request that the service stop.
- On websites you frequent, use the “Do not sell or share my personal information” option (typically located at the bottom of the main page). These requests are similar to opt-outs, with an opt-out being the more legally significant of the two.
- Check what information an organization has about you by submitting a Data Subject Access Request (DSAR); these itemize the specific data an organization holds about a particular person. Consequently, they are vital for double-checking the status of opted-out data and “do not share” requests.
Comparing Personal Information and SPI
Consider the cases below if the difference between personal and sensitive personal information remains unclear.
- In 2019, investigators discovered that some affiliated applications would share private information with Facebook. The shared data included consumers’ weight, blood pressure, menstrual cycles, and pregnancy statuses—all SPI. In comparison, a user’s name, email, photos, and geolocation would be PII.
- In 2001, the William Mitchell Law Review published a paper presenting hypothetical (future) privacy issues surrounding SPI. One of their thought experiments involved the status of “chemical dependency” and its potential impacts on obtaining a home loan. Today, the status of someone’s drug use is considered SPI (and confidential).
- In 2015, the Department of Commerce published a paper about de-identifying personal information as a necessary way to reduce privacy risks. The author uses “personal information” (for us, PII) to denote data associated with a person generally and “identifying information” (for us, SPI) to reference data “that identifies individuals.” According to this structure, “identifying information is personal information, but personal information is not necessarily identifying information.”
The Impact of Emerging Technologies and Regulations
Technology is advancing every day, and in a world where data privacy dynamics are constantly challenged, legislatures struggle to keep up. Moreover, as technology develops, additional issues appear, such as AI tools capable of circumventing security controls and new devices entering the Internet of Things, opening additional gateways for criminals to abuse (if not protected).
Nevertheless, judicial officials continue to push for more extensive, better data privacy laws. Future developments will likely come from more states before they reach federal levels—but in the interim, much of the protection of an individual’s information is dictated by the owner of that data.
In other words, until there is more widespread, aggressively protective regulation surrounding SPI, consumers should take the defense of their data into their own hands. Proactive learning and adaptation to the evolving digital landscape are necessary to keep SPI and PII data as safe as possible. Simultaneously, business owners and software developers must consider their obligations regarding their consumers’ data—after all, if there is a data breach, the company’s reputation will crumble, too.
Interested in learning more about the digital world and the threats we all face within it? Check out more of our insightful articles on Sentinel. You can find news about the most significant events in the cyber community, learn about identifying and preventing identity theft, read about the data breaches that quietly ravage our society, and so much more.