Blog | G5 Cyber Security

Zip Codes & PII: Are They Personal Data?

TL;DR

A single zip code on its own isn’t usually considered personally identifiable information (PII). However, when combined with other data, even seemingly harmless things like names or dates of birth, it can quickly become PII. Whether it does depends heavily on context and on how easily someone could use the combination to identify an individual.

Understanding PII

Personally identifiable information (PII) is any information that can be used, alone or with other data, to identify a specific person. This includes obvious things like names, addresses, social security numbers, and driver’s license details. But it also extends to less obvious pieces of information.

Why Zip Codes Are Tricky

A zip code itself doesn’t reveal who you are. Millions of people share the same zip code. However, its value increases dramatically when combined with other data points. Here’s a breakdown:

Steps to Assess if a Zip Code is PII

  1. Consider the Data Context: What other information are you holding alongside the zip code?
  2. Assess Re-Identification Risk: Could someone use this combination of data to uniquely identify an individual? For example:
    • Zip Code + Name = Potentially PII.
    • Zip Code + Date of Birth + Gender = Highly likely PII.
    • Zip Code alone in a large public dataset = Unlikely PII.
  3. Check Data Minimisation: Do you need to store the zip code? If not, remove it. The less data you hold, the lower your risk.
  4. Anonymisation/Pseudonymisation: If you need location information but don’t require precise zip codes:
    • Generalise the Zip Code: Store only the first three characters of the code (e.g., instead of SW1A 0AA, store SW1).
    • Use broader geographic areas: Store city or county information instead.
  5. Legal and Regulatory Compliance: Be aware of relevant data protection laws like GDPR (in the UK/EU) and other privacy regulations. These often have specific guidance on what constitutes PII.
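
One way to put steps 2 and 4 into numbers, as an added example that is not part of the original post: count how many records share each combination of fields (a k-anonymity-style group size, a term the post itself does not use) before and after generalising the zip code. The records are constructed sample data, and reducing the date of birth to a year is an assumption added here, not a step from the list above.

```python
from collections import Counter

# Constructed sample records (not real people): (zip, date of birth, gender)
FIELDS = ("zip", "dob", "gender")
RECORDS = [
    ("90210", "1980-03-14", "F"),
    ("90210", "1980-09-01", "F"),
    ("90210", "1975-11-02", "M"),
    ("90211", "1975-04-20", "M"),
    ("90211", "1991-07-30", "F"),
    ("90211", "1991-01-15", "F"),
]

def generalise_zip(code, keep=3):
    """Step 4: keep only the first `keep` characters of the code."""
    return code.strip()[:keep]

def birth_year(dob):
    """Assumption added for this example: reduce an ISO date to its year."""
    return dob[:4]

def group_sizes(records, columns, transforms=None):
    """Count how many records share each combination of the chosen columns."""
    transforms = transforms or {}
    counts = Counter()
    for rec in records:
        row = dict(zip(FIELDS, rec))
        key = tuple(transforms.get(c, str)(row[c]) for c in columns)
        counts[key] += 1
    return counts

def smallest_group(records, columns, transforms=None):
    """Size of the rarest combination; 1 means someone is singled out."""
    return min(group_sizes(records, columns, transforms).values())

def unique_fraction(records, columns, transforms=None):
    """Share of records whose combination appears exactly once."""
    sizes = group_sizes(records, columns, transforms)
    return sum(1 for n in sizes.values() if n == 1) / len(records)

if __name__ == "__main__":
    print("zip only:", smallest_group(RECORDS, ("zip",)))
    print("zip+dob+gender unique:", unique_fraction(RECORDS, FIELDS))
    print("zip3+dob+gender unique:",
          unique_fraction(RECORDS, FIELDS, {"zip": generalise_zip}))
    print("zip3+year+gender smallest group:",
          smallest_group(RECORDS, FIELDS, {"zip": generalise_zip, "dob": birth_year}))
```

On this sample, shortening the zip code alone leaves every record unique because the full date of birth is still present; the other fields held alongside it have to be coarsened or dropped as well.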

Practical Examples

Let’s look at some scenarios:

Technical Considerations

If you’re dealing with large datasets, consider these points:

Final Thoughts

The question of whether a zip code is PII isn’t black and white. It’s about assessing the risk in your specific situation. Always err on the side of caution and treat data as potentially sensitive unless you can definitively prove otherwise. Regularly review your data handling practices to ensure compliance with cyber security best practice and relevant regulations.
