What is personally identifiable information (PII)? A guide to protecting sensitive data
As we lean more on technology for work and daily life, we share more personal information than ever. Companies gather our details to understand their customers and market trends. We freely give out our phone number and home address when we shop online or sign up for services. But what exactly is personally identifiable information (PII), and why is it so important to keep it safe? In this article, we will dive deep into the types and examples of PII, explore the relevant laws and regulations designed to protect it, and provide practical tips on how you can make sure your sensitive information is safe.
Table of Contents
Table of Contents
What is PII?
Personally identifiable information definition
PII stands for personally identifiable information. It’s any information that can be used to identify an individual, like their name, address, telephone number, and other similar data.
Simply put, PII is any detail about a person that can help point them out in the crowd or de-anonymize them. PII can be kept on paper, digitally, or via other media.
While personal information is necessary to tailor products and services, it can attract cybercriminals’ attention. If not protected properly, PII can lead to identity theft or fraud. Keeping it safe is the responsibility of both the individual and the contractors or organizations with access to the data.
What information is considered PII?
PII includes many types of information that can be used to identify, contact, or locate an individual. However, not all personal information is PII. For example, it would be hard to identify a person based only on what they are watching on a streaming platform. So your streaming history isn’t PII. Here are some examples of PII:
- Full name (first, middle, and last names)
- Home address (street, city, state, and zip code)
- Personal and work email addresses
- Mobile, home, and work phone numbers
- Social Security number (SSN), personal identification number (PIN), or another identifying number assigned to an individual
- Driver’s license number
- Passport information (number)
- Financial information (debit or credit card number, bank account details or logins)
- Date of birth
- Biometric records (fingerprints, facial recognition data, retinal scans)
- Medical information (health records, insurance information, prescriptions)
- Employment information (job titles, employment history, salary details, and performance evaluations)
- Education information (school records, grades, transcripts)
- IP address
- Login credentials (usernames, passwords, and answers to security questions)
- Geolocation data (GPS data, location history)
- Photographs and videos that can identify a person
- Vehicle registration information (license plate numbers and vehicle identification numbers)
- Marital status and family information (details about family members, such as names and relationships)
- Legal information (criminal records, court orders)
- Emergency contact information
- Citizenship or immigration status
While pieces of this information alone may not be enough to identify a person, information that can be combined with other data elements to identify a person may also be considered PII.
Why does PII need to be protected?
Stolen PII can cause significant harm. Imagine you’re signing up for a new online service, entering your name, address, email address, and credit card details. This is a lot of sensitive information that cybercriminals can potentially exploit.
Once in the wrong hands, your personal information can fuel further cyberattacks, such as phishing schemes, identity theft, or social engineering attacks. Thieves can also use this personal data for further exploits and potentially open fraudulent accounts, rack up debt, create fake passports, or even sell your identity to criminals.
Sensitive vs. non-sensitive PII
Some information is more sensitive than others when it comes to PII. While these distinctions are more based on common practice than specific regulations, it’s important to understand them in order to apply the right security measures.
Whether information is considered sensitive or non-sensitive PII can depend on the context in which it is used or combined with other data. For example, a person’s name alone may not compromise their privacy, but if it appears in a list of individuals who visited a specific doctor, it could reveal private medical information and therefore become highly sensitive.
Sensitive PII
Sensitive PII includes information that, if revealed, could lead to serious harm, such as identity theft, financial fraud, or even threats to personal safety, and can include:
- Social Security number or another personal identification number
- Driver’s license number
- Passport number
- Financial information (credit card numbers, bank account details)
- Medical records
- Biometric data (fingerprints, facial recognition data)
- Login credentials (usernames and passwords)
- Personal identification numbers (PINs)
Sensitive PII requires strict protection measures because its exposure can significantly impact an individual’s privacy and security.
Non-sensitive PII
Non-sensitive PII includes information that may be publicly available and, if disclosed, is less likely to cause harm. However, even non-sensitive PII can become sensitive depending on the context. Here are details that can be considered non-sensitive PII:
- Full name
- Email address
- Telephone number
- General location data (city, state)
- Gender
- Birth date (excluding the year)
- Publicly available social media handles
- Professional titles and business contact information
- Public records (court records, real estate transactions)
While some regulations don’t require extra protection for non-sensitive PII, companies should still take steps to protect it. Protection measures should be strong, especially when the data is combined or used in ways that make it more sensitive.
The difference between direct and indirect identifiers
When talking about PII, it’s equally as important to make a distinction between direct and indirect identifiers. Direct identifiers are specific to a particular person, and just one of them is usually enough to pinpoint an individual’s identity. Indirect identifiers, on the other hand, are more general. Let’s explore them in more detail.
Direct identifiers
Direct identifiers are details that can clearly identify an individual on their own. These identifiers are explicit and unique, so you can easily identify someone without needing extra information:
- Full name (first and last names)
- Social Security number or another personal identification number
- Driver’s license or passport number
- Email address (when unique to the individual)
- Telephone number (if it is personal and not shared)
Indirect identifiers
Indirect identifiers do not identify an individual on their own but can potentially reveal an individual’s identity when combined with other sensitive data. These identifiers are less specific but can still be traced back to a person:
- General location data (city or state)
- Date of birth (without the year)
- Gender
- Occupation or job title
- General demographic information (age range, ethnic background)
PII data privacy laws and regulations
Various laws and regulations have been established around the world to protect PII. These laws differ by region and industry, but all focus on keeping personal data safe and giving individuals control over their information.
International regulations on PII
Around the world, each region has its own data privacy and protection laws. No single international law applies everywhere. Instead, local regulations guide organizations on how to handle PII and ensure individuals’ data rights are respected:
- The General Data Protection Regulation (GDPR). It’s a set of data protection laws in the European Union (EU) that defines how personal information should be collected and processed. The GDPR outlines strict rules for protecting data and gives people strong rights over their information. It also includes heavy fines for those who do not follow these rules. The GDPR applies not only within the EU but also to organizations outside the EU that handle the personal data of EU residents.
- The California Consumer Privacy Act (CCPA). This law provides California residents with the right to know what personal data is being collected about them, to access that data, and to request that it be deleted. The CCPA is considered one of the most stringent privacy laws in the United States and has influenced similar legislation in other states. In 2023, the act was succeeded by the California Privacy Rights Act (CPRA), which expands and strengthens many of the CCPA’s provisions.
- Australia’s Privacy Act 1988. It regulates how personal information is handled by Australian government agencies and certain private-sector organizations. It covers rules for collecting, using, and sharing personal information and lets people access and correct their data.
- Other privacy laws around the world. Various other countries also have their own data protection regulations, such as Brazil’s Lei Geral de Proteção de Dados (LGPD), Japan’s Act on the Protection of Personal Information (APPI), and Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA). While these laws share common principles, they differ in scope, requirements, and enforcement, which shows the complexity of the topic and how it is understood worldwide.
Sector-specific regulations on PII
Along with general data protection laws, some specific sectors have their own rules to address their unique privacy needs. These sector-specific regulations make sure that sensitive information is handled appropriately within that particular field:
- The Health Insurance Portability and Accountability Act (HIPAA). In the United States, this law sets standards for protecting health information. It requires healthcare providers and related organizations to take measures to keep health records private and secure and gives patients rights over their medical information. HIPAA also addresses issues like data mining in healthcare to ensure personal data is handled properly.
- The Family Educational Rights and Privacy Act (FERPA). It keeps student education records private. FERPA gives parents and students access and the right to change these records. It also limits who can see them without permission.
- The Gramm-Leach-Bliley Act (GLBA). It controls how financial institutions handle personal financial information. The GLBA requires them to have privacy policies to protect consumers’ financial data and disclose their practices regarding the use and sharing of this information.
How can PII be used?
By stealing personal information, a thief can carry out various harmful activities that put your security and privacy at risk. They might use methods like phishing, hacking, data breaches, or tricking you to get this information. Here are some of the main ways they might use stolen PII:
- Identity theft. Using someone’s personal information to pretend to be them, open new accounts, or make fraudulent purchases – all of which can damage their finances and credit score.
- Financial fraud. Accessing bank accounts, applying for loans, or making unauthorized transactions using stolen financial details like credit card numbers.
- Account takeover. Using stolen login details to access online accounts, which can lead to more personal data theft or further fraud.
- Social engineering and phishing. Using stolen information to create fake messages and manipulate people into sharing more data or doing things that put their security at risk.
- Blackmail or extortion. Threatening to release private information to force someone to pay money or provide more confidential details.
- Unauthorized access to services. Using stolen data to bypass security and access online services or platforms without permission.
How to protect PII: Data privacy tips
Protecting personally identifiable information (PII) is essential to safeguard your privacy and prevent misuse of your sensitive data. Strong cybersecurity and physical security measures help prevent data theft and keep your personal information safe:
- Be careful with personal information. Only share your full name, address, or Social Security number when absolutely necessary and only with trusted recipients or organizations. Using ways to stay anonymous online can also help protect your PII.
- Safely dispose of sensitive data. Shred documents containing personal information before throwing them away to ensure they cannot be reconstructed or misused.
- Use strong and unique passwords. Create a different password for each online account and make sure they’re difficult to guess.
- Enable two-factor authentication. This measure will add an extra layer of security because it requires a code or biometric authentication in addition to your password.
- Keep your software up to date. Make sure that you are using the latest version of your operating system, browser, and other software and that all security updates have been installed.
- Be cautious of unknown emails. Avoid emails that ask for personal information or contain suspicious links.
- Avoid using public Wi-Fi networks. Public Wi-Fi networks can be risky, so steer clear of them when accessing sensitive information.
- Monitor your accounts. Regularly check your bank and credit card accounts for any unusual activity.
- Use a VPN. A virtual private network, such as NordVPN, encrypts your internet traffic and masks your IP address for added security and privacy.