Personally identifiable information (PII) is any data that could identify a specific person, such as a name, government-issued ID number, date of birth, occupation, or address.
After reading this article you will be able to:
Copy article link
Personally identifiable information (PII) is any data that can be used to identify someone. All information that directly or indirectly links to a person is considered PII. One's name, email address, phone number, bank account number, and government-issued ID number are all examples of PII.
Many organizations today collect, store, and process PII. When these collections of data are breached or leaked, people may become victims of identity theft or other attacks. In addition, the collection of PII sometimes undermines privacy as people lose control and visibility of what happens to their personal information. For these reasons, it is important to protect PII and limit its collection when possible.
There is no single definition of PII, even though it is referenced by many official sources. The National Institute of Security Technology (NIST) has one of the most widely referenced definitions of PII:
"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."
The two main types of PII are information that directly identifies someone and information that indirectly identifies someone.
Here is how the NIST definition of PII distinguishes between these types of information.
This concept, with slightly different terminology, also appears in other definitions of PII. For instance, the US Department of Labor lists the following definition for PII:
"Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification [emphasis added]."
The important point here is that all information that can be used to directly or indirectly identify an individual should be protected.
(A similar concept applies to pseudonymization: pseudonymized data can be combined with other data to directly identify an individual. See What is pseudonymization? to learn more.)
The general concept behind all these terms is similar: any information that relates to a specific person can be considered "personal."
However, different data privacy regulations use different terms for data that can be used to identify someone. The term "PII" is largely used in the US, while the General Data Protection Regulation (GDPR), an EU privacy framework, instead refers to "personal data," and the California Consumer Privacy Act (CCPA) refers to "personal information."
Additionally, each piece of privacy legislation has its own definitions for personal information, personal data, or PII; organizations should carefully review the descriptions in the legislation that applies to them.
Privacy generally refers to the ability of a person to determine for themselves when, how, and to what extent personal information about them (such as PII) is shared with others. In order to protect their privacy, people need to know who is collecting their PII and what is done with it.
To protect PII and user privacy, organizations need to know what PII they have and how that PII is kept secure. Many sources also recommend limiting PII collection and usage. Doing so is considered a Fair Information Practice (learn more).