Primers • Personally Identifiable Information (PII)

• What Is Personally Identifiable Information (PII)
• Personally Identifiable Information (PII) in Privacy Law
• What Qualifies as PII?
• Further Reading
• Citation

What Is Personally Identifiable Information (PII)

• Personally Identifiable Information (PII) is a legal term pertaining to information security environments. While PII has several formal definitions, generally speaking, it is information that can be used by organizations on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.

• Non-sensitive PII can be transmitted in unsecure form without causing harm to an individual. Sensitive PII must be transmitted and stored in secure form, for example, using encryption, because it could cause harm to an individual, if disclosed.

• Organizations use the concept of PII to understand which data they store, process and manage that identifies people and may carry additional responsibility, security requirements, and in some cases legal or compliance requirements.

Personally Identifiable Information (PII) in Privacy Law

• PII and similar terms exist in the legislation of many countries and territories:

  • In the United States, the National Institute of Standards and Technology (NIST)’s Guide to Protecting the Confidentiality of Personally Identifiable Information defines “personally identifiable” as information like name, social security - number, and biometric records, which can be used to distinguish or trace an individual’s identity.
  • In the European Union, directive 95/46/EC defines “personal data” as information which can identify a person via an ID number, or factors specific to physical, physiological, mental, economic, cultural or social identity.
  • In Australia, the Privacy Act 1988 defines “personal information” as information or an opinion, whether true or not, about an individual whose identity is apparent, or can reasonably be ascertained—a much broader definition than in most other - countries.
  • In New Zealand, the Privacy Act defines “personal information” as any piece of information that relates to a living, identifiable human being, including names, contact details, financial health, and purchase records.
  • In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) and Privacy Act defines “personal information” as data that on its own, or combined with other pieces of data, can identify an individual.

What Qualifies as PII?

• According to the NIST PII Guide, the following items definitely qualify as PII, because they can unequivocally identify a human being: full name (if not common), face, home address, email, ID number, passport number, vehicle plate number, driver’s license, fingerprints or handwriting, credit card number, digital identity, date of birth, birthplace, genetic information, phone number, login name or screen name.

Further Reading

• Imperva: Personally Identifiable Information (PII)

Citation

If you found our work useful, please cite it as:

@article{Chadha2020DistilledPII,
  title   = {PII},
  author  = {Chadha, Aman},
  journal = {Distilled AI},
  year    = {2020},
  note    = {\url{https://aman.ai}}
}