What is PII (personally identifiable information)?

Personally identifiable information (PII) is any data that could identify a specific person, such as a name, government-issued ID number, date of birth, occupation, or address.

学習目的

この記事を読み終えると、以下のことができるようになります。

  • Explain what 'PII' means
  • Identify the two main types of PII
  • Contrast PII with other legal definitions of personal data

記事のリンクをコピーする

What is PII (personally identifiable information)?

Personally identifiable information (PII) is any data that can be used to identify someone. All information that directly or indirectly links to a person is considered PII. One's name, email address, phone number, bank account number, and government-issued ID number are all examples of PII.

Many organizations today collect, store, and process PII. When these collections of data are breached or leaked, people may become victims of identity theft or other attacks. In addition, the collection of PII sometimes undermines privacy as people lose control and visibility of what happens to their personal information. For these reasons, it is important to protect PII and limit its collection when possible.

How does the National Institute of Security Technology define PII?

There is no single definition of PII, even though it is referenced by many official sources. The National Institute of Security Technology (NIST) has one of the most widely referenced definitions of PII:

"Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information."

What are the two main types of PII?

The two main types of PII are information that directly identifies someone and information that indirectly identifies someone.

Here is how the NIST definition of PII distinguishes between these types of information.

  • Some information directly identifies a person. A full name, a Social Security number, or a physical address are all examples of this type of information.
  • Linked or linkable information does not directly identify a person but can identify them indirectly: in other words, when combined with another piece of information.
    • Suppose Jake lives at 1060 West Addison Street. The first name "Jake" alone is likely not enough to identify him, because Jake is a common first name shared by many people in the US. But when combined with the address 1060 West Addison Street, it could be possible to identify the specific person in question.

This concept, with slightly different terminology, also appears in other definitions of PII. For instance, the US Department of Labor lists the following definition for PII:

"Any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means. Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification [emphasis added]."

The important point here is that all information that can be used to directly or indirectly identify an individual should be protected.

(A similar concept applies to pseudonymization: pseudonymized data can be combined with other data to directly identify an individual. See What is pseudonymization? to learn more.)

Is PII the same as 'personal information' or 'personal data'?

The general concept behind all these terms is similar: any information that relates to a specific person can be considered "personal."

However, different data privacy regulations use different terms for data that can be used to identify someone. The term "PII" is largely used in the US, while the General Data Protection Regulation (GDPR), an EU privacy framework, instead refers to "personal data," and the California Consumer Privacy Act (CCPA) refers to "personal information."

Additionally, each piece of privacy legislation has its own definitions for personal information, personal data, or PII; organizations should carefully review the descriptions in the legislation that applies to them.

Why is PII an important concept for privacy?

Privacy generally refers to the ability of a person to determine for themselves when, how, and to what extent personal information about them (such as PII) is shared with others. In order to protect their privacy, people need to know who is collecting their PII and what is done with it.

To protect PII and user privacy, organizations need to know what PII they have and how that PII is kept secure. Many sources also recommend limiting PII collection and usage. Doing so is considered a Fair Information Practice (learn more).