
What is Personally Identifiable Information (PII)?

Overview

Personally Identifiable Information (PII) is a concept used to define data that, on its own, can be used to identify an individual. The idea has become prevalent as data collection via digital technologies has become more common.

The National Institute of Standards and Technology defines PII as:

Information which can be used to distinguish or trace the identity of an individual (e.g., name, social security number, biometric records, etc.) alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.).

Examples

No comprehensive list of personally identifiable attributes exists, but some are universally agreed on as PII:

  • First & last name
  • Physical address
  • Email address
  • Social Security number
  • Passport number
  • Phone number

Regulations

In recent years several jurisdictions have begun to regulate the collection and usage of PII. Each law has its nuances, but generally, they have similar definitions for PII.

The laws governing PII are continually evolving and leave some room for interpretation as to what constitutes PII and what is non-PII data. Each organization's counsel and compliance organizations should set their internal policy as to the definition of PII and how it is handled internally.

General Data Protection Regulation (GDPR)

GDPR is a regulation that was enacted in 2016 and put into effect in 2018, focused on data collection and privacy in the European Union. The law is broadly seen as the most comprehensive privacy regulation, and it deals specifically with a quickly evolving digital landscape.

GDPR defines personal data as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

California Consumer Protection Act (CCPA)

CCPA is a law that was put into effect on January 1st, 2020, by the state of California. It is regarded as the most comprehensive privacy law by any state government within the United States. It has been a model for how other states have thought about their privacy regulation.

CCPA defines personal information as:

“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Others

Other laws and regulations exist that define PII, including:

  • Australia's Privacy Act of 1988
  • The UK Data Protection Act
  • Switzerland's Federal Act on Data Protection

Pseudonymizing PII

Organizations frequently want to collect data without its associated PII. For many use cases, the PII itself provides no analytical value and acts only as a unique identifier that joins records together. In these cases, companies often use pseudonymization techniques, which let them collect the data without housing PII while preserving the underlying value of the data. An example pseudonymization technique is hashing PII identifiers such as email addresses.
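As an added example (not code from this knowledge base or from any vendor it describes), the following Python shows the email-hashing technique above in a form a practitioner would actually deploy: addresses are canonicalized first so that spelling variants map to one pseudonym, and the hash is keyed (HMAC-SHA256 with a secret held by the organization) rather than a bare SHA-256. The key matters because an unkeyed hash of an email can be recomputed by anyone who holds a list of candidate addresses, which defeats the purpose of pseudonymization; with a secret key, the pseudonym stays joinable across records but cannot be rederived without the key. The sample records, the key value and the lowercase-everything normalization rule are constructed assumptions for the demo.

```python
import hashlib
import hmac
import secrets


# Constructed demo key. In practice this comes from a secrets manager and is
# never stored alongside the pseudonymized data.
KEY = b"constructed-demo-key-do-not-reuse"


def normalize_email(email: str) -> str:
    """Canonicalize an address so trivially different spellings map to one pseudonym.

    Assumption for this demo: local parts are treated case-insensitively, which
    matches how nearly all mail providers behave even though RFC 5321 permits
    case-sensitive local parts.
    """
    cleaned = email.strip().lower()
    local, sep, domain = cleaned.partition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return f"{local}@{domain}"


def unkeyed_hash(email: str) -> str:
    """Bare SHA-256 of the address: deterministic, but recomputable by anyone."""
    return hashlib.sha256(normalize_email(email).encode("utf-8")).hexdigest()


def pseudonymize(email: str, key: bytes) -> str:
    """Keyed pseudonym: same address + same key -> same token, but the token
    cannot be recomputed from a candidate address without the key."""
    return hmac.new(key, normalize_email(email).encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymize_record(record: dict, key: bytes, pii_fields=("email",)) -> dict:
    """Return a copy of the record with each listed PII field replaced by its pseudonym.

    Non-PII fields (plan, event counts, timestamps) are passed through untouched,
    which is the whole point: analysts keep the useful data and lose the identifier.
    """
    out = dict(record)
    for field in pii_fields:
        if out.get(field) is not None:
            out[field] = pseudonymize(out[field], key)
    return out


def demo() -> list[dict]:
    # Constructed sample records; note the two spellings of the same address.
    records = [
        {"email": "Alice@Example.com", "plan": "pro", "logins": 12},
        {"email": "alice@example.com ", "plan": "pro", "logins": 3},
        {"email": "bob@example.org", "plan": "free", "logins": 1},
    ]
    return [pseudonymize_record(r, KEY) for r in records]


def new_key() -> bytes:
    """Generate a fresh 256-bit HMAC key when standing up a new pseudonym space."""
    return secrets.token_bytes(32)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Rotating the key produces a completely different pseudonym space, so records pseudonymized under different keys cannot be joined to each other; that is a feature when you want to limit how long a dataset stays linkable, and something to plan for when you do not.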

Additional Resources
