What is Personally Identifiable Information (PII)?

Published On - April 4, 2024

Personally identifiable information (PII) encompasses any data that can identify an individual, either on its own or when combined with other data sources. This includes direct identifiers, such as passport information, and quasi-identifiers like race, which can be combined to pinpoint an individual. PII can be categorized as either sensitive or non-sensitive. Sensitive PII (e.g., full name, SSN, medical records) requires secure transmission and storage to minimize harm, while non-sensitive PII (e.g., zip code, gender) is less critical but still requires robust security measures to prevent potential risks. Organizations leverage the concept of PII to define their data-handling responsibilities and fulfill security and compliance obligations.

Learn How Lepide Helps in Data Security

Over the last decade we’ve witnessed an unprecedented surge in the amount of highly sensitive Personally Identifiable Information (PII) being collected by organizations worldwide. Businesses are using this PII to unlock a wealth of insights into their customers’ preferences and behaviors. However, the handling of PII has become a growing concern in light of recent data breaches and cyberattacks, raising questions about the adequacy of safeguards and the potential for misuse of this sensitive information.

What Qualifies as PII?

According to the National Institute of Standards and Technology (NIST) the following identifiers are considered PII:

  • Full name (if not common)
  • Face
  • Home address
  • Email
  • ID number
  • Passport number
  • Vehicle plate number
  • Driver’s license
  • Fingerprints or handwriting
  • Credit card number
  • Digital identity
  • Date of birth
  • Birthplace
  • Genetic information
  • Phone number
  • Login name or screen name 

Sensitive PII Versus Non-Sensitive PII

Sensitive PII includes highly confidential data such as full name, Social Security Number (SSN), driver’s license number, mailing address, credit card information, passport details, financial details, and medical records. Disclosure of this information can pose significant risks, as it can be exploited for identity theft, fraud, and other malicious purposes. On the other hand, non-sensitive PII encompasses information that is less sensitive and generally does not pose immediate security concerns. Examples include zip code, race, gender, date of birth, place of birth, and religion. While this data may not be as vulnerable to identity theft, it can still be valuable for marketing and targeted advertising campaigns.  

Data Privacy Laws and PII

United States

In the United States, data privacy laws are overseen by the National Institute of Standards and Technology (NIST). NIST defines personally identifiable information (PII) as any data that can be used to uniquely identify an individual, such as:

  • Name
  • Social security number
  • Biometric records

European Union

The European Union has a comprehensive data protection framework known as Directive 95/46/EC. This directive defines PII as any information related to an identified or identifiable natural person. It includes:

  • Identification number
  • Physical, physiological, mental, economic, cultural, or social identity factors

Australia

The Australian Privacy Act 1988 defines PII as any information or opinion that can be reasonably used to ascertain the identity of an individual. This includes:

  • Information or opinion that can reasonably ascertain identity

New Zealand

The New Zealand Privacy Act defines PII as any information about an individual that can be used to identify them, including:

  • Name
  • Contact details
  • Financial health
  • Purchase records

Canada

Canada has two primary data privacy laws: the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act. PIPEDA defines PII as any data that can be used to identify an individual alone or when combined with other information. The Privacy Act has a similar definition, but it also exempts certain types of information, such as personal information collected for journalistic, artistic, or literary purposes.  

How to Protect PII

Protecting PII is crucial to prevent its misuse and safeguard individuals’ privacy. Businesses and individuals share responsibility for protecting PII. Cybercriminals target PII for sale on underground marketplaces, highlighting the importance of its security.

  • Collection and Retention: PII should only be collected and retained when absolutely necessary to minimize the risk of unauthorized access.
  • Disposal: Once PII is no longer required, it should be deleted to minimize the risk of unauthorized access.
  • Untrustworthy Sources: PII should not be provided to untrustworthy sources to prevent its potential misuse or exposure.
  • Physical Security: Physical security measures can help protect PII. Mailboxes should be locked or post office boxes used to reduce mail theft. Discarded documents containing personal information should be shredded or otherwise disposed of securely.
  • Identity Theft Prevention: To safeguard against identity theft, it is crucial to implement various protective measures. Firstly, employ robust passwords that use a combination of letters, numbers, and special characters, and avoid using the same password for multiple accounts. Additionally, consider encrypting sensitive data, such as financial records and personal information, to prevent unauthorized access. It is also advisable to refrain from carrying sensitive documents or devices that contain personal information, as they could be lost or stolen. To further enhance security, use separate passwords for each online account, and protect all electronic devices with password protection. Finally, when discarding computers, ensure the hard drives are reformatted to remove any traces of personal information.