What is personally identifiable information (PII)? A guide to protecting sensitive data

What is PII?

Simply put, PII is any detail about a person that can help point them out in the crowd or de-anonymize them. PII can be kept on paper, digitally, or via other media.

While personal information is necessary to tailor products and services, it can attract cybercriminals’ attention. If not protected properly, PII can lead to identity theft or fraud. Keeping it safe is the responsibility of both the individual and the contractors or organizations with access to the data.

What information is considered PII?

PII includes many types of information that can be used to identify, contact, or locate an individual. However, not all personal information is PII. For example, it would be hard to identify a person based only on what they are watching on a streaming platform. So your streaming history isn’t PII. Here are some examples of PII:

• Full name (first, middle, and last names)
• Home address (street, city, state, and zip code)
• Personal and work email addresses
• Mobile, home, and work phone numbers
• Social Security number (SSN), personal identification number (PIN), or another identifying number assigned to an individual
• Driver’s license number
• Passport information (number)
• Financial information (debit or credit card number, bank account details or logins)
• Date of birth
• Biometric records (fingerprints, facial recognition data, retinal scans)
• Medical information (health records, insurance information, prescriptions)
• Employment information (job titles, employment history, salary details, and performance evaluations)
• Education information (school records, grades, transcripts)
• IP address
• Login credentials (usernames, passwords, and answers to security questions)
• Geolocation data (GPS data, location history)
• Photographs and videos that can identify a person
• Vehicle registration information (license plate numbers and vehicle identification numbers)
• Marital status and family information (details about family members, such as names and relationships)
• Legal information (criminal records, court orders)
• Emergency contact information
• Citizenship or immigration status

While pieces of this information alone may not be enough to identify a person, information that can be combined with other data elements to identify a person may also be considered PII.

Why does PII need to be protected?

Stolen PII can cause significant harm. Imagine you’re signing up for a new online service, entering your name, address, email address, and credit card details. This is a lot of sensitive information that cybercriminals can potentially exploit.

Once in the wrong hands, your personal information can fuel further cyberattacks, such as phishing schemes, identity theft, or social engineering attacks. Thieves can also use this personal data for further exploits and potentially open fraudulent accounts, rack up debt, create fake passports, or even sell your identity to criminals.

Sensitive vs. non-sensitive PII

Some information is more sensitive than others when it comes to PII. While these distinctions are more based on common practice than specific regulations, it’s important to understand them in order to apply the right security measures.

Whether information is considered sensitive or non-sensitive PII can depend on the context in which it is used or combined with other data. For example, a person’s name alone may not compromise their privacy, but if it appears in a list of individuals who visited a specific doctor, it could reveal private medical information and therefore become highly sensitive.

Sensitive PII

Sensitive PII includes information that, if revealed, could lead to serious harm, such as identity theft, financial fraud, or even threats to personal safety, and can include:

• Social Security number or another personal identification number
• Driver’s license number
• Passport number
• Financial information (credit card numbers, bank account details)
• Medical records
• Biometric data (fingerprints, facial recognition data)
• Login credentials (usernames and passwords)
• Personal identification numbers (PINs)

Sensitive PII requires strict protection measures because its exposure can significantly impact an individual’s privacy and security.

Non-sensitive PII

Non-sensitive PII includes information that may be publicly available and, if disclosed, is less likely to cause harm. However, even non-sensitive PII can become sensitive depending on the context. Here are details that can be considered non-sensitive PII:

• Full name
• Email address
• Telephone number
• General location data (city, state)
• Gender
• Birth date (excluding the year)
• Publicly available social media handles
• Professional titles and business contact information
• Public records (court records, real estate transactions)

While some regulations don’t require extra protection for non-sensitive PII, companies should still take steps to protect it. Protection measures should be strong, especially when the data is combined or used in ways that make it more sensitive.

The difference between direct and indirect identifiers

When talking about PII, it’s equally as important to make a distinction between direct and indirect identifiers. Direct identifiers are specific to a particular person, and just one of them is usually enough to pinpoint an individual’s identity. Indirect identifiers, on the other hand, are more general. Let’s explore them in more detail.

Direct identifiers

Direct identifiers are details that can clearly identify an individual on their own. These identifiers are explicit and unique, so you can easily identify someone without needing extra information:

• Full name (first and last names)
• Social Security number or another personal identification number
• Driver’s license or passport number
• Email address (when unique to the individual)
• Telephone number (if it is personal and not shared)

Indirect identifiers

Indirect identifiers do not identify an individual on their own but can potentially reveal an individual’s identity when combined with other sensitive data. These identifiers are less specific but can still be traced back to a person:

• General location data (city or state)
• Date of birth (without the year)
• Gender
• Occupation or job title
• General demographic information (age range, ethnic background)

PII data privacy laws and regulations

Various laws and regulations have been established around the world to protect PII. These laws differ by region and industry, but all focus on keeping personal data safe and giving individuals control over their information.

International regulations on PII

Around the world, each region has its own data privacy and protection laws. No single international law applies everywhere. Instead, local regulations guide organizations on how to handle PII and ensure individuals’ data rights are respected:

• The General Data Protection Regulation (GDPR). It’s a set of data protection laws in the European Union (EU) that defines how personal information should be collected and processed. The GDPR outlines strict rules for protecting data and gives people strong rights over their information. It also includes heavy fines for those who do not follow these rules. The GDPR applies not only within the EU but also to organizations outside the EU that handle the personal data of EU residents.
• The California Consumer Privacy Act (CCPA). This law provides California residents with the right to know what personal data is being collected about them, to access that data, and to request that it be deleted. The CCPA is considered one of the most stringent privacy laws in the United States and has influenced similar legislation in other states. In 2023, the act was succeeded by the California Privacy Rights Act (CPRA), which expands and strengthens many of the CCPA’s provisions.
• Australia’s Privacy Act 1988. It regulates how personal information is handled by Australian government agencies and certain private-sector organizations. It covers rules for collecting, using, and sharing personal information and lets people access and correct their data.
• Other privacy laws around the world. Various other countries also have their own data protection regulations, such as Brazil’s Lei Geral de Proteção de Dados (LGPD), Japan’s Act on the Protection of Personal Information (APPI), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). While these laws share common principles, they differ in scope, requirements, and enforcement, which shows the complexity of the topic and how it is understood worldwide.

Sector-specific regulations on PII

Along with general data protection laws, some specific sectors have their own rules to address their unique privacy needs. These sector-specific regulations make sure that sensitive information is handled appropriately within that particular field:

• The Health Insurance Portability and Accountability Act (HIPAA). In the United States, this law sets standards for protecting health information. It requires healthcare providers and related organizations to take measures to keep health records private and secure and gives patients rights over their medical information. HIPAA also addresses issues like data mining in healthcare to ensure personal data is handled properly.
• The Family Educational Rights and Privacy Act (FERPA). It keeps student education records private. FERPA gives parents and students access and the right to change these records. It also limits who can see them without permission.
• The Gramm-Leach-Bliley Act (GLBA). It controls how financial institutions handle personal financial information. The GLBA requires them to have privacy policies to protect consumers’ financial data and disclose their practices regarding the use and sharing of this information.

How can PII be used?

By stealing personal information, a thief can carry out various harmful activities that put your security and privacy at risk. They might use methods like phishing, hacking, data breaches, or tricking you to get this information. Here are some of the main ways they might use stolen PII:

• Identity theft. Using someone’s personal information to pretend to be them, open new accounts, or make fraudulent purchases – all of which can damage their finances and credit score.
• Financial fraud. Accessing bank accounts, applying for loans, or making unauthorized transactions using stolen financial details like credit card numbers.
• Account takeover. Using stolen login details to access online accounts, which can lead to more personal data theft or further fraud.
• Social engineering and phishing. Using stolen information to create fake messages and manipulate people into sharing more data or doing things that put their security at risk.
• Blackmail or extortion. Threatening to release private information to force someone to pay money or provide more confidential details.
• Unauthorized access to services. Using stolen data to bypass security and access online services or platforms without permission.

How to protect PII: Data privacy tips

Protecting personally identifiable information (PII) is essential to safeguard your privacy and prevent misuse of your sensitive data. Strong cybersecurity and physical security measures help prevent data theft and keep your personal information safe:

• Be careful with personal information. Only share your full name, address, or Social Security number when absolutely necessary and only with trusted recipients or organizations. Using ways to stay anonymous online can also help protect your PII.
• Safely dispose of sensitive data. Shred documents containing personal information before throwing them away to ensure they cannot be reconstructed or misused.
• Use strong and unique passwords. Create a different password for each online account and make sure they’re difficult to guess.
• Enable two-factor authentication. This measure will add an extra layer of security because it requires a code or biometric authentication in addition to your password.
• Keep your software up to date. Make sure that you are using the latest version of your operating system, browser, and other software and that all security updates have been installed.
• Be cautious of unknown emails. Avoid emails that ask for personal information or contain suspicious links.
• Avoid using public Wi-Fi networks. Public Wi-Fi networks can be risky, so steer clear of them when accessing sensitive information.
• Monitor your accounts. Regularly check your bank and credit card accounts for any unusual activity.
• Use a VPN. A virtual private network, such as NordVPN, encrypts your internet traffic and masks your IP address for added security and privacy.

FAQ

What is an example of PII?

An example of personally identifiable information (PII) would be your Social Security or another personal identification number. This unique number can directly identify you and is used for various documents, like tax records, credit applications, and government documentation. Other examples of PII include your full name, home address, and email address, all of which can be used to uniquely identify or contact you.

What is the difference between personal data and PII?

The terms personal data and PII are often used interchangeably, but there is a subtle difference. Personal data is any information related to an individual that could reveal their identity. An example of personal information is a person’s email address. While it may not always directly identify someone on its own, it can be used along with other details to reveal the individual’s identity. PII, however, is specific information that directly identifies or can be used to identify a person, such as a Social Security number or full name.

Essentially, all PII is personal data, but not all personal data is classified as PII. It’s important to mention that what counts as personal data versus PII can vary depending on the legal framework or jurisdiction.

What is not considered PII?

Information that is not considered PII is information that, on its own or with other relevant data, can’t be used to identify a person. For example, general information such as a person’s job title or the name of a city does not qualify as PII. However, what counts as PII can vary depending on the laws or regulations in different places.