Is a standalone phone number considered Personally Identifiable Information?

It depends. Could this number linked to a single person? (e.g. it is your cell number and if I know this number is in a database and know it's yours, then I know you are in that DB)

Then yes.

If this is not possible (e.g. it is the central call in number of a big corporation that is connected to any available agent) then no.

If you only have phone numbers without further information about them, you have to assume it is PII, because you don't know if a number belongs to an individual or not.


I don't use WA, so don't know specifically what practice the question refers to, but let's assume that the question refers to a practice where an app on a user's phone gets access to contacts and text history on the phone and uploads all phone numbers to the server without also uploading the names associated with those numbers (despite having access to them.)

Are these uploaded bare numbers, without names, considered PII?

Yes, absolutely.

The server isn't collecting number sequences at random, using them to populate a model of some kind, and then discarding them.

It is building a durable data structure that has entities that are intended ultimately to map to humans, and storing those numbers as metadata with those entities. (Key test- when a contact on the phone has 2 numbers, are those 2 numbers somehow associated with the same durable entity server-side?)

The fact that at a particular zoomed in point in the overall architecture at a particular point in time there isn't a name directly stored with the number in a relational db row is irrelevant.

In the big picture architecture, comprising both client apps and the server, and both the data flows currently in place as well as the data flows that could reasonably easily be put in place without user action- eg an app update that collected names as well could be trivially rolled out without user knowledge or additional permission- big picture, this is an architectural graph that has PII.

PII is a forest-level concern, not a tree-level concern.


PII is anything that directly or indirectly can be associated to a person based on Regulation 2016/679 of the European Parliament.

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

From the definitions section of the aforementioned regulation

Because you can correlate a phone number with a person (owner of the contract) and that number might be unique to that person you should consider it as PII information.

I am saying this as precaution as you never know if it is a public phone number, shared phone or any other use case.

In many cases even if shared number it is still possible to correlate it to a person.

The only one that is not possible is the public phones.

Because we do not know this we cannot take the risk of relaxed security in all other phone numbers that might be uniquely associated to a specific person.

IP address can be also be PII, because we do not know if is a proxy or a router at some home we should treat them as equal.

A more simplistic explanation can be found in the bellow link from the European parliament with examples.

https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en

Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data.Personal data that has been de-identified, encrypted or pseudonymised but can be used to re-identify a person remains personal data and falls within the scope of the law. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymised, the anonymisation must be irreversible.The law protects personal data regardless of the technology used for processing that data – it’s technology neutral and applies to both automated and manual processing, provided the data is organised in accordance with pre-defined criteria (for example alphabetical order). It also doesn’t matter how the data is stored – in an IT system, through video surveillance, or on paper; in all cases, personal data is subject to the protection requirements set out in the GDPR.

Tags:

Privacy

Pii

Related

What are the security risks of logging the hash of rejected passwords? How to strike a balance between security policies and practical implementation challenges? Are there any objective reasons to use dedicated user/password instead of identity providers within a large organization? Does WPA3 OWE mean the return of Evil Twins? Is there value in changing your password after failed (malicious) login attempts? How many rounds of hashing is enough for a password manager? Why are the gitlab SSH host key fingerprints not matching? Do I need to encrypt connections inside a corporate network? How to limit the impact of and reduce the risk of SQL injection for existing website? What does ENV (“_”) do for anti-debugging? Why would taking my laptop home be encouraged for security reasons? What's safest way to run WhatsApp?

Recent Posts