What Is Personally Identifiable Information (PII)?
Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual.
PIImay contain direct identifiers (e.g., passport information) that can identify a person uniquely, or quasi-identifiers (e.g., race) that can be combined with other quasi-identifiers (e.g., date of birth) to successfully recognize an individual.
Key Takeaways
- Personally identifiable information (PII) uses data to confirm an individual's identity.
- Sensitive personally identifiable information can include your full name, Social Security Number, driver’s license, financial information, and medical records.
- Non-sensitive personally identifiable information is easily accessible from public sources and can include your zip code, race, gender, and date of birth.
- Passports contain personally identifiable information.
- Social media sites may be considered non-sensitive personally identifiable information.
Understanding Personally Identifiable Information
Advancing technology platforms have changed the way businesses operate, governments legislate,and individuals relate. With digital tools like cell phones, the Internet, e-commerce, and social media, there has been an explosion in the supply of all kinds of data.
Big data, as it is called, is being collected, analyzed, and processed by businesses and shared with other companies. The wealth of information provided by big data has enabled companies to gain insight into how to better interact with customers.
However, the emergence of big data has also increased the number of data breaches and cyberattacks by entities who realize the value of this information. As a result, concerns have been raised over how companies handle the sensitive information of their consumers. Regulatory bodies are seeking new laws to protect the data of consumers, while users are looking for more anonymous ways to stay digital.
Sensitive vs. Non-Sensitive Personally Identifiable Information
Sensitive PII
Personally identifiable information (PII) can be sensitive or non-sensitive. Sensitive personal information includes legal statistics such as:
- Full name
- Social Security Number (SSN)
- Driver’s license
- Mailing address
- Credit card information
- Passport information
- Financial information
- Medical records
The above list isby no meansexhaustive. Companies that share data about their clients normally use anonymization techniques to encrypt and obfuscate the PII, so it is received in a non-personally identifiable form. An insurance company that shares its clients’ information with a marketing company will mask the sensitive PII included in the data and leave only information related to the marketing company’s goal.
Non-Sensitive PII
Non-sensitive or indirect PII is easily accessible from public sources like phonebooks, the Internet,and corporate directories. Examples of non-sensitive or indirect PII include:
- Zip code
- Race
- Gender
- Date of birth
- Place of birth
- Religion
The above list contains quasi-identifiers and examples of non-sensitive information that can be released to the public. This type of information cannot be used alone to determine an individual’s identity.
However, non-sensitive information, although not delicate, is linkable. This means that non-sensitive data, when used with other personal linkable information, can reveal the identity of an individual. De-anonymization and re-identification techniques tend to be successful when multiple sets of quasi-identifiers are pieced together and can be used to distinguish one person from another.
Regulating and safeguarding personally identifiable information (PII) will likely be a dominant issue for individuals, corporations, and governments in the years to come.
Safeguarding Personally Identifiable Information (PII)
Multiple data protection laws have been adopted by variouscountries to create guidelines for companies that gather, store, and share the personal information of clients. Some of the basic principles outlined by these laws state that some sensitive information should not be collected unless for extreme situations.
Also, regulatory guidelines stipulate that data should be deleted if no longer needed for its stated purpose, and personal information should not be shared with sources that cannot guarantee its protection.
Cybercriminals breach data systems to access PII, which is then sold to willing buyers in underground digital marketplaces. For example, in 2015, the IRS suffered a data breach leading to the theft of more thana hundred thousand taxpayers’ PII.
Using quasi-information stolen from multiple sources, the perpetrators were able to access an IRS website application by answering personal verification questions that should have been privy to the taxpayers only.
Safeguarding PII may not always be the sole responsibility of a service provider. In some cases, it may be shared with the individual.
How PII Is Stolen
Many thieves find PII of unsuspecting victims by digging through their trash for unopened mail. This can provide them with a person's name and address. In some cases, it can also reveal information about their employment, banking relationships, or even their social security numbers.
Nowadays, the Internet has become a major vector for identity theft. Phishing and social engineering attacks use a deceptive-looking website or email to trick someone into revealing key information, such as their name, bank account numbers, passwords, or social security number. It is also possible to steal this information through deceptive phone calls or SMS messages.
Tips on Protecting PII
While it is not possible to fully protect yourself, you can make yourself a smaller target by reducing the opportunities to steal your PII. Experian, one of the top three credit agencies, lists several steps that you can take to reduce your surface area.
For example, a locked mailbox or PO box makes it harder for thieves to steal your mail and removing personal identification from junk mail and other documents makes it harder for identity thieves to associate a name with an address. Also, avoid carrying more PII than you need—there's no reason to keep your social security card in your wallet.
Likewise, there are some steps you can take to prevent online identity theft. Data leaks are a major source of identity theft, so it is important to use a different, complex password for each online account. Always encrypt your important data, and use a password for each phone or device. It is also a good idea to reformat your hard drive whenever you sell or donate a computer.
Personally Identifiable Information Around the World
The definition of what comprises PII differs depending on where you live in the world. The following are the privacy regimes in specific jurisdictions:
United States
In the United States, the government defined"personally identifiable" in 2020 as anything that can "be used to distinguish or tracean individual's identity" such as name, SSN, and biometrics information; either alone or with other identifiers such as date of birth or place of birth.
Europe
In theEuropean Union (EU), the definition expands to include quasi-identifiers as outlined in the General Data Protection Regulation (GDPR) that went into effect in May 2018.The GDPR is a legal framework that sets rules for collecting and processing personal information for those residing in the EU.
Australia
Personal information is protected by the Privacy Act 1988. This law regulates the collection, storage, use, and disclosure of personal information, whether by the federal government or private entities. Later amendments regulate the use of healthcare identifiers and establish the obligations of entities that suffer from a data breach.
Canada
The Personal Information Protection and Electronic Documents Act regulates the use of personal information for commercial use. This is defined as information that on its own or combined with other data, can identify you as an individual.
Personally Identifiable Information vs. Personal Data
Personal data encompasses a broader range of contexts than PII. For instance, your IP address, device ID numbers, browser cookies, online aliases, or genetic data. Certain attributes such as religion, ethnicity, sexual orientation, or medical history may be classified as personal data but not personally identifiable information.
Example of Personally Identifiable Information
In early 2018, Facebook Inc. (META), now Meta, was embroiled in a major data breach. The profiles of 30 million Facebook users were collected without their consent by an outside company called Cambridge Analytica. Cambridge Analytica got its data from Facebook through a researcher who worked at the University of Cambridge. The researcher built a Facebook app that was a personality quiz. An app is a software application used on mobile devices and websites.
The app was designed to take the information from those who volunteered to give access to their data for the quiz. Unfortunately, the app collected not only the quiz takers' data but, because of a loophole in Facebook's system, was able also to collect data from the friends and family members of the quiz takers.
As a result, over 50 million Facebook users had their data exposed to Cambridge Analytica without their consent.Although Facebook banned the sale of their data, Cambridge Analytica turned around and sold the data to be used for political consulting. Mark Zuckerberg, Facebook founder and CEO, released a statement within the company's Q1-2019 earnings release:
We are focused on building out our privacy-focused vision for the future of social networking and working collaboratively to address important issues around the Internet.
The data breach not only affected Facebook users but investors as well. Facebook's profits decreased by 50% in Q1-2019 versus the same period a year earlier. The company accrued $3 billion in legal expenses and would have had an earnings per share of $1.04 higher without the expenses, stating:
We estimate that the range of loss in this matter is $3.0 billion to $5.0 billion. The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.
The following day, on April 25, 2019, Meta announced it was banning personality quizzes from its platform.
Companies will undoubtedly invest in ways to harvest data, such as personally identifiable information (PII), to offer products to consumers and maximize profits. Still, they will be met with more stringent regulations in the years to come.
What Qualifies as PII?
Personally identifiable information is defined by the U.S. government as:
“Information which can be used todistinguish or trace an individual’s identity, such as theirname, social security number, biometric records, etc.alone,or whencombined with other personal or identifying informationwhich islinked or linkable toa specific individual, such as date and place of birth, mother’s maiden name, etc.”
What Is Not PII?
Personal data is not classified as PII and non-personal data such as the company you work for, shared data, or anonymized data.
What Is a PII Violation?
PII violations are illegal, and often involve frauds such as identity theft. Violations may also stem from unauthorized access, use, or disclosure of PII. Failure to report a PII breach can also be a violation.
What Must You Do When Emailing PII?
Because email is not always secure, try to avoid emailing PII. If you must, use encryption or secure verification techniques.
What Laws Protect PII?
Various federal and state consumer protection laws protect PII and sanction its unauthorized use; for instance, the Federal Trade Commission Actand the Privacy Act of 1974.
The Bottom Line
Personal Identifying Information (PII) is any type of data that can be used to identify someone, from their name and address to their phone number, passport information, and social security numbers. This information is frequently a target for identity thieves, especially over the Internet. For that reason, it is essential for companies and government agencies to keep their databases secure.
FAQs
What is PII and give examples? ›
“(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and ...
What are some types of personally identifiable information or PII? ›Sensitive PII includes but is not limited to the information pictured here, which includes Social Security Numbers, driver's license numbers, Alien Registration numbers, financial or medical records, biometrics, or a criminal history.
What is PII in security examples? ›Personally identifiable information (PII) is any data that could be used to identify a specific individual. Examples include driver's license numbers, social security numbers, addresses, full names etc. PII doesn't only include obvious links to a person's identity, such as a driver's license.
What is the meaning of PII? ›Personal Identifiable Information (PII) is defined as: Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.
What is PII information? ›What is personally identifiable information (PII)? Personally identifiable information (PII) is any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used to deanonymize previously anonymous data is considered PII.
What is not an example of PII? ›Info such as business phone numbers and race, religion, gender, workplace, and job titles are typically not considered PII.
Is first and last name PII? ›This type of in- formation is considered to be Public PII and includes, for example, first and last name, address, work telephone number, email address, home telephone number, and general educational cre- dentials. The definition of PII is not anchored to any single category of in- formation or technology.
Is a name PII? ›Personally identifiable information (PII) is any data that can be used to identify someone. All information that directly or indirectly links to a person is considered PII. One's name, email address, phone number, bank account number, and government-issued ID number are all examples of PII.
Which of the following are examples of personally identifiable information PII Hipaa? ›What Kinds of Information Constitute HIPAA PII? Personally identifiable information is data relating directly or indirectly to an individual, from which the identity of the individual can be determined. Examples of PII include patient names, addresses, phone numbers, Social Security numbers, and bank account numbers.
Is name and email PII? ›Yes, email addresses are personal data. According to data protection laws such as the GDPR and CCPA, email addresses are personally identifiable information (PII). PII is any information that can be used by itself or with other data to identify a physical person.
Is PII confidential information? ›
Sensitive PII (SPII) is Personally Identifiable Information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual.
Is a password PII? ›Personally Identifiable Information (PII) is any piece of information meant to identify a specific individual. This often includes data such as a Social Security number, driver's license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers, and birth date.
How is PII protected? ›Protecting your files with encryption is a core concept in data and information security, and thus it's a powerful way to protect your PII. It involves transforming data or information into code that requires a digital key to access it in its original, unencrypted format.
Is a credit card number PII? ›Some key examples of PII fields include name (first and last), birthdate, home address, social security number, bank account number, passport number, and mother's maiden name. Health insurance ID number, health insurance claims, policy numbers, credit card numbers and more can also be considered PII.
What are the 3 types of personal information? ›Below are the types of the types of personal information generally covered: Private information. Sensitive personal data information. Health information.
What's another word for personal information? ›Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.
What is the difference between PII and personal data? ›In a nutshell, PII refers to any information that can be used to distinguish one individual from another. The GDPR definition of personal data is – deliberately – a very broad one. In principle, it covers any information that relates to an identifiable, living individual.
What is personally identifiable information PII quizlet? ›Personally Identifiable information (PII) is any information about an individual maintained by an organization, including information that can be used to distinguish or trace an individual's identity like name, social security number, date and place of birth, mother's maiden name, or biometric records.
Is a photo considered PII? ›It has been established that identifiable photos of individuals are Personally identifiable information. They MAY even be Special Category Data.
What is sensitive PII? ›Sensitive personally identifiable information can include your full name, Social Security Number, driver's license, financial information, and medical records. Non-sensitive personally identifiable information is easily accessible from public sources and can include your zip code, race, gender, and date of birth.
Is PII a signature? ›
I would agree, Yes; Signatures are PII.
Is PII protected by law? ›The CCPA provides various protections to the data of California residents, including mandating that consumers have the right to opt out of their PII being sold.
Is cell phone number PII? ›PII might be a phone number, national ID number, email address, or any data that can be used, either on its own or with any other information, to contact, identify, or locate a person.
Is last name only PII? ›Personally identifiable information (PII), also known as P4 data, is a specific category of particularly sensitive data defined as: Unencrypted electronic information that includes an individual's first name or initial, and last name, in combination with any one or more of the following: Social Security number (SSN).
Is a passport number PII? ›Examples of personally identifiable information (PII) include : Social security number (SSN), passport number, driver's license number, taxpayer identification number, patient identification number, and financial account or credit card number. Personal address and phone number.
Is PII a age? ›PII data consists of “linkable” and “unlinkable” data. Generalized data that describes a person's identity, such as gender, age, date of birth, geolocation, income, or anything else that cannot be used to directly identify a specific individual is called "unlinkable data".
What is considered PII in healthcare? ›Personally identifiable information (PII) or individually identifiable health information (IIHI) is any health information that allows the patient to be identified.
What is PHI data examples? ›Examples of PHI include: Name. Address (including subdivisions smaller than state such as street address, city, county, or zip code) Any dates (except years) that are directly related to an individual, including birthday, date of admission or discharge, date of death, or the exact age of individuals older than 89.
What kind of personally identifiable information is protected by HIPAA quizlet? ›What kind of personally identifiable health information is protected by HIPAA's privacy rule? treatment, but also information such as address, age, Social Security number, and phone number.
Is your work phone number personal information? ›For example, personal information may include: an individual's name, signature, address, phone number or date of birth. sensitive information.
Is job title a personal data? ›
It can be as obviously identifiable data as name, but it can also be a combination of "innocent" data such as age, height/weight, wealth, job position, company, city, etc. as when combined can allow for idenitifcation of a person.
Is a voice recording PII? ›Voice is indeed a unique, permanent, and deeply intimate piece of information that can characterize an individual. While a password can be changed, biometric attributes generally cannot.
Why is PII important? ›Keeping PII private is important to ensure the integrity of your identity. With just a few bits of your personal information, thieves can create false accounts in your name, start racking up debt, or even create a falsified passport and sell your identity to a criminal.
What classification is PII? ›What Qualifies as PII? PII includes names, addresses, emails, birthdates, medical records, credit card numbers, financial statements, passport numbers, social security numbers, driver's licenses', and vehicle plate numbers.
Is PII sensitive or confidential? ›Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as an employee, student, or donor. PII should be accessed only on a strictly need-to-know basis and handled and stored with care.
What is not an example of PII? ›Info such as business phone numbers and race, religion, gender, workplace, and job titles are typically not considered PII.
What is considered PII under GDPR? ›PII can typically include obvious contact data and identifiable data such as the person's full name, phone number, passport number, home address, social security number, driver's license number, email address and other digital data like IP address, geolocation.
Is first name and last name PII? ›Personally identifiable information (PII), also known as P4 data, is a specific category of particularly sensitive data defined as: Unencrypted electronic information that includes an individual's first name or initial, and last name, in combination with any one or more of the following: Social Security number (SSN).
What is PII quizlet? ›Personally Identifiable information (PII) is any information about an individual maintained by an organization, including information that can be used to distinguish or trace an individual's identity like name, social security number, date and place of birth, mother's maiden name, or biometric records.
Is a name PII? ›Personally identifiable information (PII) is any data that can be used to identify someone. All information that directly or indirectly links to a person is considered PII. One's name, email address, phone number, bank account number, and government-issued ID number are all examples of PII.
Who is responsible for protecting PII? ›
Security: DHS should protect PII (in all media) through appropriate security safeguards against risks such as loss, unauthorized access or use, destruction, modification, or unintended or inappropriate disclosure. 8.
Is a name personal data? ›A name and a corporate email address clearly relates to a particular individual and is therefore personal data.
Is PII a customer number? ›Personally Identifiable Information (PII) is any piece of information meant to identify a specific individual. This often includes data such as a Social Security number, driver's license number, financial accounts, email addresses, login credentials and passwords, addresses, phone numbers, and birth date.
Is name and email PII? ›Yes, email addresses are personal data. According to data protection laws such as the GDPR and CCPA, email addresses are personally identifiable information (PII). PII is any information that can be used by itself or with other data to identify a physical person.
How does PII protect data? ›Secure Sensitive PII in a locked desk drawer, file cabinet, or similar locked enclosure when not in use. When using Sensitive PII, keep it in an area where access is controlled and limited to persons with an official need to know. Avoid faxing Sensitive PII, if at all possible.
Is a credit card number PII? ›Some key examples of PII fields include name (first and last), birthdate, home address, social security number, bank account number, passport number, and mother's maiden name. Health insurance ID number, health insurance claims, policy numbers, credit card numbers and more can also be considered PII.
Is PII a signature? ›I would agree, Yes; Signatures are PII.
What is protected PII? ›Protected PII means an individual's first name or first initial and last name in combination with any one or more of types of information, including, but not limited to, social security number, passport number, credit card numbers, clearances, bank numbers, biometrics, date and place of birth, mother's maid- en name, ...
Which of these is not an example of PII quizlet? ›Explanation: A trade secret is not PII. PII is information that you can use to uniquely identify an individual. PII includes names, addresses, Social Security and driver's license numbers, financial account information, health records, and credentials.
How do I mark an email in PII? ›Emails Containing PII (in the body or in an attachment):
The SUBJECT line must state: "CUI ." The attachment file name must state: "CUI . " The top and bottom of the email and the top and bottom of the attachment must state: "CUI" and include a CUI indicator block. Must be digitally signed and encrypted.
What is the purpose of a Privacy Impact Assessment PII quizlet? ›
A privacy impact assessment is used to identify and mitigate privacy risks.