What is PII? Personally Identifiable Information definition 

Personally Identifiable Information is any information that can be used to identify someone. This can include direct information such as name and Social Security number or indirect information such as race and gender. Any information that can be traced back to an individual is considered PII.

It’s important to note that the definition of PII isn’t regulated by any singular law or regulation, meaning that it can vary depending on your location. However, the US Department of Labor defines Personally Identifiable Information as:

“Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification. (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors). Additionally, information permitting the physical or online contacting of a specific individual is the same as personally identifiable information. This information can be maintained in either paper, electronic or other media.”

What qualifies as PII

There are two types of information that qualify as PII

  1. Information that can be used to identify an individual on its own 
  2. Information that can be used to identify an individual when grouped with other identifiers 

The latter is known as “quasi-identifiers” or “pseudo identifiers” and includes information such as gender, zip code, and age. Individually, they can’t be used to identify someone, but they could when looked at together. This type of information isn’t universally recognized as PII, however. You should check your local legislation to find what qualifies as PII in your area.   

What doesn’t qualify as PII?

Any information that doesn’t fall into one of the two categories described above generally doesn’t qualify as PII. This could be statistics on the use of a product, age range, masked IP address, or information collected by the government for a census. 

In short, if the information can’t be used to positively identify an individual alone or grouped with other quasi-identifiers, it is not considered PII. 

Types of PII

There are two main types of PII: non-sensitive and sensitive.

Non-sensitive PII

Non-sensitive PII is information that is not considered sensitive and can typically be shared without much concern. 

Examples of non-sensitive PII include:

  • Age
  • Gender 
  • Race 
  • Occupation
  • Education level 
  • Religion 
  • IP address
  • Mac address

Sensitive PII

Sensitive PII is information that is considered private and shouldn’t be shared, except under specific, limited circumstances and with great care. In the wrong hands, this kind of information can be used to scam, ransom, stalk, harass, or steal the identity of the person the information belongs to. 

Examples of sensitive PII include, but are not limited to:

  • Full name
  • Social Security number
  • Driver’s license number
  • Passport number
  • Address
  • Email address
  • Phone number
  • Bank account number
  • Credit card number
  • Medical records
  • Fingerprints
  • DNA

Laws protecting PII around the world

Since there is no universal definition for Personally Identifiable Information, it’s important to be familiar with your local data privacy laws and regulation. Here is a brief overview of some of the privacy laws in different countries:

United States

In the United States, there are several laws that protect PII. The most well-known is the Health Insurance Portability and Accountability Act (HIPAA), which protects the PII of individuals in the healthcare industry. The Federal Trade Commission (FTC) also has regulations in place to protect PII, such as the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA)

Additionally, 5 states have comprehensive data privacy laws. These include:

  • California – The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
  • Colorado –  The Colorado Privacy Act (CPA)
  • Connecticut – The Personal Data Privacy and Online Monitoring Act, also known as the Connecticut Data Privacy Act (CTDPA)
  • Utah – The Utah Consumer Privacy Act (UCPA)
  • Virginia – Virginia Consumer Data Protection Act (VCDPA)

If you live in another state and want to know which laws and regulations protect your PII, you can find a detailed state privacy legislation tracker here

Europe

In Europe, PII is protected by the General Data Protection Regulation (GDPR). This regulation applies to all organizations that process the PII of individuals in the European Union (EU). It gives individuals more control over their PII and requires organizations to be more transparent about how they use PII.

Canada

Canada has one centralized law that protects PII called the Personal Information Protection and Electronic Documents Act (PIPEDA). This law regulates how private sector organizations can collect, use, and disclose personal information.

Australia

In Australia, PII is protected by the Privacy Act 1988 (Privacy Act). This law regulates the collection, storage, use, and disclosure of personal information, whether by the federal government or private entities. Later amendments regulate the use of healthcare identifiers and establish the obligations of entities that experience data breaches.

New Zealand 

In New Zealand, PII is protected by the Privacy Act 2020, which governs the handling of personal information in New Zealand. It aims to provide stronger protection for individuals’ personal information and places more obligations on organizations to protect that information. It also gives individuals more rights in relation to their personal information, including the right to access and correct that information.

How to Protect your PII

While it is not possible to completely protect yourself from PII theft, there are steps that you can take to reduce the opportunities for thieves to steal your information.

  • Lock your mailbox or PO box to make it harder for thieves to steal your PII.
  • Remove personal identification from junk mail and other documents.
  • Avoid carrying more PII than you need.
  • Use a unique, complex password for each online account.
  • Encrypt your sensitive data.
  • Use a unique password for the device you own.
  • Reformat your hard drive whenever you sell or donate a computer.
  • Optimize the privacy settings on social media and be cautious about sharing too much.
  • Be extra cautious about revealing too much data on your children.
  • Check for breached passwords on Have I Been Pwned? and similar websites.

It is important to weigh the convenience of certain services against the potential risks to your privacy. While it may be convenient to log in to services with credentials from platforms such as Facebook or Google, it also means more access points for hackers if they gain access to one of your accounts.

PII theft is a serious issue that affects many people. By being aware of the tactics used by thieves and taking steps to protect your information, you can reduce the risk of becoming a victim of identity theft.

Is this article helpful?
YesNo