
Personally Identifiable Information

by Alyssa Towns
Personally identifiable information (PII) specifies the identity of individuals. Learn about best practices and why it’s essential to protect PII.

What is personally identifiable information? 

Personally identifiable information (PII) is a characteristic or set of characteristics that can confirm a specific individual’s identity. A single piece of PII may identify an individual directly, as a social security number does, or several quasi-identifiers, such as date of birth, gender, or postal code, may be combined to establish an individual’s identity. Not all personal information is considered PII.

Companies use data de-identification tools to extract valuable insights from their data without the risk of using PII. Data de-identification software removes personally identifying data to work with datasets that do not include this information. 

Data de-identification is critical for companies working with sensitive data. It is necessary to ensure compliance with privacy and data protection laws like the Health Insurance Portability and Accountability Act (HIPAA), California Consumer Privacy Act (CCPA), and General Data Protection Regulation (GDPR). 

Types of personally identifiable information

PII generally falls into one of two categories: sensitive and non-sensitive information. The types are defined as follows, along with examples.

Sensitive PII

Sensitive PII directly identifies specific individuals; it could cause significant damage if it’s ever leaked, stolen, or shared inappropriately. 

Some examples of sensitive PII include:

  • Unique identification numbers and other government-issued identifiers
  • Driver’s license numbers
  • Passport numbers 
  • Biometric data (e.g., fingerprints) 
  • Financial information, including credit card and bank account numbers
  • Medical records 

Non-sensitive PII

Non-sensitive PII comprises quasi-identifiers that won’t necessarily do any harm if leaked, stolen, or shared inappropriately. However, they are linkable and can reveal an identity when grouped together. Non-sensitive PII is typically included in public records and identifies individuals, but can’t be used alone to commit identity theft in the same way sensitive PII can. 
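The two ideas above, that de-identification strips direct identifiers and that quasi-identifiers re-identify people when combined, can be demonstrated on a small table. The following Python script is an added example written for this page; it is not code from the article or from any G2 product. The records, names, SSNs and the HMAC key are all constructed for the demonstration, and the 16-character token length and the year/ZIP3 generalization rules are choices made here, not requirements of any law named above.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records: fictional people and fictional identifiers.
RECORDS = [
    {"name": "Ada Example", "ssn": "123-45-6789", "dob": "1985-03-14", "gender": "F", "zip": "80202", "diagnosis": "asthma"},
    {"name": "Bea Sample",  "ssn": "987-65-4321", "dob": "1985-11-02", "gender": "F", "zip": "80205", "diagnosis": "migraine"},
    {"name": "Cal Test",    "ssn": "555-12-3456", "dob": "1990-06-21", "gender": "M", "zip": "80301", "diagnosis": "asthma"},
    {"name": "Dev Demo",    "ssn": "444-98-7654", "dob": "1990-01-09", "gender": "M", "zip": "80303", "diagnosis": "fracture"},
]

DIRECT_IDENTIFIERS = ("name", "ssn")              # sensitive PII: dropped outright
RAW_QUASI = ("dob", "gender", "zip")              # non-sensitive PII: risky in combination
GENERALIZED_QUASI = ("birth_year", "gender", "zip3")


def k_anonymity(records, quasi):
    """Smallest number of records sharing one combination of the quasi-identifier
    columns. k == 1 means at least one person is unique on those fields alone and
    can be singled out without any direct identifier."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def pseudonymize(value, key):
    """Keyed hash (HMAC-SHA256) of a direct identifier. The same person maps to the
    same token in every dataset processed with this key, so records stay linkable
    for analysis, but without the key nobody can rebuild tokens by hashing a list
    of candidate SSNs (a plain unkeyed hash of an SSN would allow exactly that)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key):
    """Remove direct identifiers, replace them with a pseudonymous subject id, and
    coarsen the quasi-identifiers so that several people share each combination."""
    out = []
    for r in records:
        out.append({
            "subject_id": pseudonymize(r["ssn"], key),
            "birth_year": r["dob"][:4],   # full date of birth -> year only
            "gender": r["gender"],
            "zip3": r["zip"][:3],         # 5-digit ZIP -> 3-digit prefix
            "diagnosis": r["diagnosis"],  # the payload the analysis actually needs
        })
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice: a secret held by the data custodian
    print("k on raw quasi-identifiers:", k_anonymity(RECORDS, RAW_QUASI))
    cleaned = deidentify(RECORDS, key)
    print("k after de-identification:", k_anonymity(cleaned, GENERALIZED_QUASI))
    for row in cleaned:
        print(row)
```

Before de-identification every record is unique on date of birth, gender and ZIP, so k is 1 even though no name or SSN is in play; after generalization each combination covers two records. Two caveats a practitioner would keep in mind: pseudonymized data is still personal data under GDPR because the key holder can re-link it, so the key needs the same protection as the PII it replaces, and a k of 2 on four rows is only a demonstration, not a target for real datasets.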

Examples of non-sensitive PII include:

  • Full name 
  • Telephone number 
  • Date of birth 
  • Place of birth 
  • IP address 
  • Email address 
  • Ethnicity, race, or nationality 
  • Religion 
  • Zip code or other geographical details 

Why must organizations protect personally identifiable information?

The primary reasons organizations must prioritize protecting PII are discussed below.

  • Legal compliance: Many countries have adopted data protection laws and regulations, such as HIPAA, CCPA, and GDPR, that companies have to follow if they collect PII or other sensitive data. Companies that don’t comply face severe penalties and fines. 
  • Identity theft prevention: Companies collect PII for various reasons: employment verification and payroll purposes, e-commerce purchases, or client partnerships, for example. However, unauthorized access to this information can lead to privacy breaches. Leaked PII is often used to commit fraud, which leaves the victim of identity theft at risk of facing criminal charges. 
  • Financial consequences and repercussions: Data breaches have severe financial implications for organizations. On top of hefty legal fines, companies may have to pay additional costs to investigate breaches, notify the individuals involved, and implement new systems to stop future incidents.
  • Trust and reputation: Employees, clients, and vendors expect organizations to keep their personal information protected. Leaked PII erodes trust and damages reputations. Rebuilding consumer confidence after a data breach requires time, and despite an organization’s best efforts, a data breach may still occur and cause irreparable brand damage.

Best practices for personally identifiable information

Protecting PII is crucial for maintaining customer faith and complying with privacy regulations to prevent legal fines and consequences. Companies should follow these best practices to safeguard PII.

  • Understand and recognize sources of PII: To effectively protect PII, businesses need to know where it is so they can train employees about data sources accordingly. Identify PII within the organization and inform employees of their level of access to reduce confusion about what is or isn’t PII.
  • Collect only necessary data: Businesses can reduce risks associated with leaked PII by collecting only the data required for operations. Request additional PII as needed rather than gathering too much information upfront.
  • Encrypt data: Team members should always encrypt PII when it’s in transit to protect it. Comprehensive data encryption measures help stop unauthorized access and ensure data travels safely. 
  • Train employees on PII and data protection: Provide ongoing training to teach staff about evolving security threats and about new or changed PII the organization handles.
  • Develop an effective incident response plan: Organizations should equip their team members with the necessary skills to handle a security breach. Spend time establishing a thorough incident response plan and communicate roles and responsibilities in the event of a security breach accordingly. 
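The first best practice, knowing where PII lives, usually starts with scanning exports, logs and ticket text for identifier patterns. The script below is an added example for this page, not code from the article or from any G2-listed tool. The log lines are constructed (the card number is a widely used test number, the other values are fictional), the regexes and the "digits plus separators" shapes are assumptions made here, and the Luhn check is included because a bare digit pattern flags order ids and timestamps as card numbers; masking keeps findings reportable without copying the PII into yet another file.

```python
import re

# Constructed sample lines, as might appear in an application log or CSV export.
SAMPLE = """2024-05-01 signup user=ada@example.com phone=303-555-0123
2024-05-01 kyc ssn=123-45-6789 submitted
2024-05-02 payment card=4111 1111 1111 1111 approved
2024-05-02 order id=1234 5678 9012 3456 shipped
"""

# Patterns are assumptions for this example; tune them to the data you actually hold.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
    "card":  re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),   # 13-19 digits, optional separators
}


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out most digit runs
    that merely look like a card number (order ids, timestamps, tracking codes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value):
    """Keep just enough of a value to triage the finding, never the full identifier."""
    if "@" in value:
        local, domain = value.split("@", 1)
        return local[0] + "***@" + domain
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan(text):
    """Return a list of {'line', 'kind', 'value'} findings with masked values."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                if kind == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                    continue  # digit run with a bad checksum: not a card number
                findings.append({"line": line_no, "kind": kind, "value": mask(m.group())})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"line {f['line']}: {f['kind']} -> {f['value']}")
```

On the sample the scanner reports the email, phone, SSN and the valid card number, and ignores the sixteen-digit order id on the last line because it fails the checksum. In real use the interesting output is not the list of values but the list of systems and fields that produced them, which is what feeds the access decisions and training the article calls for.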

Personally identifiable information (PII) vs. protected health information (PHI)

Personally identifiable information (PII) and protected health information (PHI) are two distinct categories of sensitive information. 

PII refers to information used to identify an individual. PII is also subject to data protection and privacy laws in many areas. 

PHI is a subset of PII about an individual’s health information, such as medical history. PII has a broader scope, as PHI is primarily concerned with the healthcare industry. 

Learn more about pseudonymization, which helps process personal data to ensure privacy.

Alyssa Towns

Alyssa Towns works in communications and change management and is a freelance writer for G2. She mainly writes SaaS, productivity, and career-adjacent content. In her spare time, Alyssa is either enjoying a new restaurant with her husband, playing with her Bengal cats Yeti and Yowie, adventuring outdoors, or reading a book from her TBR list.