Guide to Personally Identifiable Information (PII)

These days, it seems like there are hundreds of high-profile data breaches in the news. One of the most common causes cited for these breaches is the theft or loss of Personally Identifiable Information (PII). What is PII? And what can you do to protect yourself?

When you hear about PII, you might automatically associate it with companies like Facebook or health care providers. But the truth is, your small business is at risk of identity theft or fraud — and neither of these is good for your business. 

National Institute of Standards and Technology (NIST), US defines PII as:

“any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, social security number, date and place of birth, mother‘s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.”

Therefore, PII is any information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context. In most cases, PII is information you provide online when you create an account, make a purchase with a merchant, register for a service, complete a survey, respond to a survey or a request for information, communicate with a government agency, or visit a website. It could also refer to information about you that others provide.

Breaking down NIST’s definition, we can categorize PII into several types.

“to distinguish” means information that can be used to identify a person. For example, passport number, government-issued identification number or biometric data. 

“to trace” means information that can be used to trace a person’s activities. For example, a log of internet search history could be used to track someone’s online activities.

“Linked” information is any data concerning an individual that doesn’t require any additional information to identify the individual. For example, full name, address, license plate number, passport number, email address, etc.

“Linkable” information on its own may not be able to identify an individual, but when combined with additional information could identify, trace or locate an individual. For example, age, first or last name, gender, zip code, etc.

Some PII are sensitive, i.e. they are vital to the concerned individual, and mishandling them will result in harmful consequences. Department of Homeland Security (DHS), US defines Sensitive PII or SPII as:

“Sensitive PII (SPII) is Personally Identifiable Information, which if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. “

Sometimes a PII can become sensitive PII when combine with other PII. DHS shows a few examples of PII that are sensitive as standalone and in combination:

Following are some examples of PII that can identify an individual, with and without additional information linked to them:

• Name: full name, maiden name or alias
• Address: street address or email address
• Online identifiers: Internet Protocol (IP) address, Media Access Control (MAC) address or cookie identifiers
•  Telephone numbers: home, mobile, work, and personal numbers
• Personal identification number: social security number (SSN), passport number, driver‘s license number, or any other government-issued identification number, etc.
• Personal characteristics: photographs (especially of the face), x-rays, fingerprints, or other biometric data, such as retina scan, voice signature, facial geometry)
• Personally owned property: vehicle registration number, house registration number, purchase records, etc.
• Other information that is linked or linkable to any information mentioned above: date of birth, place of birth, ethnicity, race, religion, weight, activities, geographical information, employment information, education information, medical or health information, financial information).

Information such as race, sexual orientation, religion, medical information, financial information, biometric data, or information related to minors is considered as sensitive PII.

Many data privacy and protection laws around the world have their own definitions for PII. However, almost all of them cover the same type of information under PII. The EU’s GDPR since its enforcement has become the blueprint for many other laws in the world. GDPR along with the US’ CCPA are the two most important and popular wide-reaching data privacy laws. Let’s see how these laws define PII.

GDPR

In Europe, there are mainly two laws that govern the use of PII: ePrivacy Directive and General Data Protection Regulation ( GDPR). Both of them are implemented to protect “personal data,” which is equivalent to the PII, of EU individuals. 

The GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); […] such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

The personal data under both the laws mean information that directly or indirectly links to EU individuals and can be used to identify them. ePrivacy, however, protects “publicly available” electronic communication services or networks. The GDPR personal data does not cover any publicly available information.

CalOPPA and CCPA, US

In the US, the PII varies by different laws. 

The California Online Privacy Protection Act of 2003 (CalOPPA) defines PII as “individually identifiable information about an individual consumer collected online by the (website) operator from that individual and maintained by the (website) operator in an accessible form.” For example, first name and last name, telephone number, address, email address, etc.

The California Consumer Privacy Act (CCPA) defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” 

This includes personal identifiers, commercial information, internet or other electronic network activity information, biometric information, Geolocation data, audio, electronic, visual, thermal, olfactory or similar information or education information. However, it excludes publicly available information from state, federal or local government and aggregated or de-identified information. 

The CCPA’s definition for PII is probably broader than GDPR’s. However, they are similar. The US laws have more comprehensive descriptions and rules for PII varied by many laws. The meaning of PII aligns more with the definitions and examples in US laws.

Protecting PII comes with a lot of responsibilities since a simple misstep could result in harmful consequences. At the outset, you might need to conduct data mapping to understand the PII your business collects and then assess it further.

Here are the best practices to protect the PII:

• Identify the PII your business collects.
• Classify the PII, i.e. if they are linked, linkable or sensitive. 
• Assess the purpose of using the PII to confirm if it is reasonable and lawful.
• Get consent before collecting PII and allow them to opt out of it any time.
• Limit the collection, use and sharing of PII to what is necessary for fulfilling the purpose.
• Identify where you store or share PII and ensure they are secured and privacy compliant.
• Update privacy policy to let users know how you use their PII and how they can control it.
• Delete old or any PII when they are no longer necessary for the intended purpose. 
• Implement security measures to prevent unauthorized access or theft of PII.
• Conduct privacy impact assessments to understand if any of your business operations puts the PII at risk and that you are aligning with legal requirements.
• De-identify (replacing parts of PII with unidentifiable information or attributes such as codes, algorithms) or anonymize PII (converting PII into non-PII) to protect against unauthorized access or breach.
• Train your employees or team members about protecting PII.
• Document your data processing practices and review it periodically.

 

What does PII stand for?

PII stands for “Personally Identifiable Information,” which is any information that can identify a specific individual. 

What does PII mean?

Personally identifiable information (PII) is any information that can identify an individual, with or without the use of additional information. For example, name, address, email address, telephone number, bank details, health information, online identifiers, etc.

What qualifies as PII?

Information that qualifies as PII are those that are linked or linkable to a specific individual and can be used to identify or trace them. For example, full name, maiden name, street address, IP address, purchase records, license number, house name, fingerprint, retina scan, x-ray report, health insurance number, religion, race, creed, sexual orientation, etc.

Loss or theft of PII will cause adverse effects to the rights and interests of individuals linked to them.

What does Personally Identifiable Information (PII) include?

PII includes all types of information, except publicly available or anonymized (in most cases), that can be used to distinguish or track an individual and businesses breaching or losing them will result in a violation.